Windows Analysis Report
Setup.exe

Overview

General Information

Sample name:Setup.exe
Analysis ID:1532549
MD5:08aba4235f18775205a1705d89676705
SHA1:d25fc234125ed0cb49608309a842043b7acc2e86
SHA256:f8c59bf2647bc5ad0b69428864ac9b02cf4695a20130a6b171701285195c3c9f
Infos:

Detection

Score:7
Range:0 - 100
Whitelisted:false
Confidence:60%

Signatures

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • Setup.exe (PID: 7508 cmdline: "C:\Users\user\Desktop\Setup.exe" MD5: 08ABA4235F18775205A1705D89676705)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

There are no malicious signatures.

Source: Setup.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\Setup.exe; File created: C:\Users\user\AppData\Local\Temp\PatchInstaller.Log
Source: Setup.exe; Static PE information: certificate valid
Source: Setup.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: E:\AzAgent\_work\13\s\Install\Fuse2\SupportFiles\Setup\Aventa_Release\Setup.pdb source: Setup.exe
Source: C:\Users\user\Desktop\Setup.exe; Code function: 0_2_00E12D30 GetModuleFileNameW,GetLongPathNameW,GetFileAttributesW,wsprintfW,wsprintfW,wsprintfW,GetFileAttributesW,wsprintfW,wsprintfW,FindFirstFileW,FindClose,SHGetFolderPathW,SHGetFolderPathW,GetLastError,FormatMessageW,wsprintfW,wsprintfW,SHGetFolderPathW,SHGetFolderPathW,GetLastError,FormatMessageW,0_2_00E12D30
Source: C:\Users\user\Desktop\Setup.exe; Code function: 0_2_00E1A560 wsprintfW,FindFirstFileW,FindClose,wsprintfW,Sleep,GetFileAttributesW,SetFileAttributesW,SetFileAttributesW,SetFileAttributesW,CopyFileW,wsprintfW,GetLastError,FormatMessageW,0_2_00E1A560
Source: C:\Users\user\Desktop\Setup.exe; Code function: 0_2_00E15DD0 wsprintfW,wsprintfW,wsprintfW,wsprintfW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,SetFileAttributesW,SetFileAttributesW,CopyFileW,wsprintfW,GetFileAttributesW,SetFileAttributesW,SetFileAttributesW,GetLastError,FormatMessageW,FindClose,0_2_00E15DD0
Source: C:\Users\user\Desktop\Setup.exe; Code function: 0_2_00E121A0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,0_2_00E121A0
Source: C:\Users\user\Desktop\Setup.exe; Code function: String function: 00E15020 appears 103 times
Source: C:\Users\user\Desktop\Setup.exe; Code function: String function: 00E27620 appears 48 times
Source: classification engine; Classification label: clean7.winEXE@1/1@0/0
Source: C:\Users\user\Desktop\Setup.exe; Code function: 0_2_00E114B0 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,Process32NextW,CloseHandle,0_2_00E114B0
Source: C:\Users\user\Desktop\Setup.exe; Code function: 0_2_00E1A9B0 VariantClear,SysAllocString,CoCreateInstance,MessageBoxW,VariantClear,0_2_00E1A9B0
Source: C:\Users\user\Desktop\Setup.exe; Code function: 0_2_00E23070 LoadResource,LockResource,SizeofResource,0_2_00E23070
Source: Setup.exe; Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Setup.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Setup.exe; String found in binary or memory: /install /passive /norestart
Source: Setup.exe; String found in binary or memory: appSettings/add[@key='DevOpsEventId']
Source: Setup.exe; String found in binary or memory: /install /quiet /norestart
Source: Setup.exe; String found in binary or memory: appSettings/add[@key='DevOpsUpdatedProductVersion']
Source: Setup.exe; String found in binary or memory: appSettings/add[@key='Market']
Source: Setup.exe; String found in binary or memory: appSettings/add[@key='AllowRemoteServices']
Source: Setup.exe; String found in binary or memory: SeShutdownPrivilegePatchInstaller.LogC:\PatchInstaller.logSetupCould not create log file.FilesPatchesm_szSrcDir: %sm_szPatchDir: %sMarkets\Markets.xmlInformation : Patch Folder ExistsXml Used as %s*.mspInformation : No patch ExistsInvoking Full Install..._isstub.exe COUNTRY /v"COUNTRY=%s"STANDALONEVA /v"STANDALONE=Yes" /v"REBOOT=Force"WEB /v"MEDIATYPE=%s" /v"/qr"01 /v"ALLOWREMOTESERVICES=%s" /v"UNCHECKREMOTESERVICES=%s" -LInstallShield exe Launch call succeeded.InstallShield exe Launch call failed.InstallShield Invoke ExitCode: %luUser cancelled operation.Not all GNWeb params have a value to invoke GNWeb. Check log.SOFTWARE\ReSound\Aventa3MarketBrand registry key not found or could not open: 'HKLM\%s'. dwRes=%luVersionMajorVersionMinorVersionVersionStringVerMajor=%s, VerMinor=%s, Version=%s, VersionString=%sCaching config values...ReSound.Fuse2.Config.dll.configConfig file: '%s'appSettings/add[@key='DevOpsEventId']valuevalue attribute missing for DevOps EventIDappSettings/add[@key='Market']value attribute missing for MarketappSettings/add[@key='DevOpsUpdatedProductVersion']value attribute missing for DevOps Product VersionappSettings/add[@key='AllowRemoteServices']value attribute missing for AllowRemoteServicesFailed to get xml document element...Failed to load config file...EventId: '%s' Market: '%s' ApiProductVersion: '%s' AllowRemoteServices: '%s'Invoking GNWeb...%luError: Exception while setting DevOpsErrorMessage
Source: C:\Users\user\Desktop\Setup.exe; Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Setup.exe; Section loaded: acgenral.dll
Source: C:\Users\user\Desktop\Setup.exe; Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Setup.exe; Section loaded: winmm.dll
Source: C:\Users\user\Desktop\Setup.exe; Section loaded: samcli.dll
Source: C:\Users\user\Desktop\Setup.exe; Section loaded: msacm32.dll
Source: C:\Users\user\Desktop\Setup.exe; Section loaded: version.dll
Source: C:\Users\user\Desktop\Setup.exe; Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Setup.exe; Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\Setup.exe; Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\Setup.exe; Section loaded: mpr.dll
Source: C:\Users\user\Desktop\Setup.exe; Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Setup.exe; Section loaded: winmmbase.dll
Source: C:\Users\user\Desktop\Setup.exe; Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\Setup.exe; Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\Setup.exe; Section loaded: netutils.dll
Source: C:\Users\user\Desktop\Setup.exe; Section loaded: msi.dll
Source: C:\Users\user\Desktop\Setup.exe; Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Setup.exe; Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Setup.exe; Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Setup.exe; Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Setup.exe; Section loaded: msxml3.dll
Source: C:\Users\user\Desktop\Setup.exe; Section loaded: wininet.dll
Source: C:\Users\user\Desktop\Setup.exe; Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\Setup.exe; Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\Setup.exe; Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\Setup.exe; Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\Setup.exe; Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\Setup.exe; Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Setup.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5078F32-C551-11D3-89B9-0000F81FE221}\InProcServer32
Source: Setup.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Setup.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Setup.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Setup.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Setup.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Setup.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: Setup.exe; Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Setup.exe; Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Setup.exe; Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Setup.exe; Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Setup.exe; Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\Setup.exe; Code function: 0_2_00E27169 push ecx; ret 0_2_00E2717C
Source: C:\Users\user\Desktop\Setup.exe; Code function: 0_2_00E27666 push ecx; ret 0_2_00E27679
Source: C:\Users\user\Desktop\Setup.exe; Code function: 0_2_00E3F8CF push dword ptr [esp+ecx-75h]; iretd 0_2_00E3F8D3
Source: C:\Users\user\Desktop\Setup.exe; Code function: 0_2_00E1CA80 GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,0_2_00E1CA80
Source: C:\Users\user\Desktop\Setup.exeCode function: 0_2_00E264EF GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00E264EF
Source: C:\Users\user\Desktop\Setup.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Setup.exe; Evasive API call chain: GetLocalTime,DecisionNodes graph_0-23562
Source: C:\Users\user\Desktop\Setup.exe; API coverage: 7.6 %
Source: C:\Users\user\Desktop\Setup.exe; Code function: 0_2_00E273D6 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00E273D6
Source: C:\Users\user\Desktop\Setup.exe; Code function: 0_2_00E1D1A0 CreateMutexW,GetLastError,#113,#113,OutputDebugStringW,OutputDebugStringW,MsgWaitForMultipleObjects,MsgWaitForMultipleObjects,PeekMessageW,PeekMessageW,MsgWaitForMultipleObjects,CloseHandle,OutputDebugStringW,OutputDebugStringW,#113,0_2_00E1D1A0
Source: C:\Users\user\Desktop\Setup.exe; Code function: 0_2_00E331F9 mov eax, dword ptr fs:[00000030h] 0_2_00E331F9
Source: C:\Users\user\Desktop\Setup.exe; Code function: 0_2_00E3A256 GetProcessHeap,0_2_00E3A256
Source: C:\Users\user\Desktop\Setup.exe; Code function: 0_2_00E27568 SetUnhandledExceptionFilter,0_2_00E27568
Source: C:\Users\user\Desktop\Setup.exe; Code function: 0_2_00E2767B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00E2767B
Source: C:\Users\user\Desktop\Setup.exe; Code function: 0_2_00E2BEA1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00E2BEA1
Source: C:\Users\user\Desktop\Setup.exe; Code function: 0_2_00E278E7 cpuid 0_2_00E278E7
Source: C:\Users\user\Desktop\Setup.exe; Code function: GetLocaleInfoW,0_2_00E380C7
Source: C:\Users\user\Desktop\Setup.exe; Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,0_2_00E3E1B7
Source: C:\Users\user\Desktop\Setup.exe; Code function: EnumSystemLocalesW,0_2_00E3E47A
Source: C:\Users\user\Desktop\Setup.exe; Code function: EnumSystemLocalesW,0_2_00E3E42F
Source: C:\Users\user\Desktop\Setup.exe; Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,0_2_00E3E5A2
Source: C:\Users\user\Desktop\Setup.exe; Code function: EnumSystemLocalesW,0_2_00E3E515
Source: C:\Users\user\Desktop\Setup.exe; Code function: GetLocaleInfoW,0_2_00E3E7F2
Source: C:\Users\user\Desktop\Setup.exe; Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,0_2_00E3E91B
Source: C:\Users\user\Desktop\Setup.exe; Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,0_2_00E3EAEF
Source: C:\Users\user\Desktop\Setup.exe; Code function: GetLocaleInfoW,0_2_00E3EA22
Source: C:\Users\user\Desktop\Setup.exe; Code function: EnumSystemLocalesW,0_2_00E37CD4
Source: C:\Users\user\Desktop\Setup.exe; Code function: 0_2_00E15020 wsprintfW,GetLocalTime,0_2_00E15020
Source: C:\Users\user\Desktop\Setup.exe; Code function: 0_2_00E11070 GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,GetVersionExW,GetTokenInformation,GetTokenInformation,GetTokenInformation,DuplicateToken,CreateWellKnownSid,CheckTokenMembership,GetLastError,CloseHandle,CloseHandle,CloseHandle,0_2_00E11070
Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
Execution: 2 Command and Scripting Interpreter; 1 Native API; At; Cron; Launchd
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script
Privilege Escalation: 1 Access Token Manipulation; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script
Defense Evasion: 1 Access Token Manipulation; 1 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 1 DLL Side-Loading; Software Packing
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets
Discovery: 1 System Time Discovery; 3 Security Software Discovery; 1 Process Discovery; 1 File and Directory Discovery; 23 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging
Command and Control: 1 Encrypted Channel; Junk Data; Steganography; Protocol Impersonation; Fallback Channels
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer
Impact: 1 System Shutdown/Reboot; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact
Source | Detection | Scanner | Label
Setup.exe | 0% | Virustotal |
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox version:41.0.0 Charoite
Analysis ID:1532549
Start date and time:2024-10-13 16:58:04 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 2m 16s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:1
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:Setup.exe
Detection:CLEAN
Classification:clean7.winEXE@1/1@0/0
EGA Information:
  • Successful, ratio: 100%
HCA Information:
  • Successful, ratio: 99%
  • Number of executed functions: 20
  • Number of non-executed functions: 126
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Stop behavior analysis, all processes terminated
No simulations
No context
Process:C:\Users\user\Desktop\Setup.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):261
Entropy (8bit):4.872585858230478
Encrypted:false
SSDEEP:6:MKUlC6ME1wvovLMC4EXfewvOqC4KMKZblOCqUGwvoBMmJ1tCk8b:MP867mwvL14EXfZ2PDZNtwT1kk8b
MD5:DDCED15736A29A1599C11AEC1F345114
SHA1:21DF854FDD78301A6C3DD9CC71F4944EE3429AA7
SHA-256:786FB978A9768D7ACCB591EFFF0D13AD4397ABB7DAF55C1CB1F944D2F51A779A
SHA-512:5A694F16CF6DCE0678BCD443F06DA5485FA521A01F6FAE9CFB0689EC8D32FE4B5452DBC7DBE2051C8A7388D147853CAFD85B9A9BB1CF545ED2BC9F06782BB398
Malicious:false
Reputation:low
Preview:10/13 10:59:1 m_szSrcDir: C:\Users\user\Desktop\..10/13 10:59:1 m_szPatchDir: C:\Users\user\Desktop\Patches..10/13 10:59:1 Information : No patch Exists..10/13 10:59:1 Xml Used as C:\Users\user\Desktop\Markets\Markets.xml..10/13 10:59:1 C:\ProgramData..
File type:PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):6.4358614247609465
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:Setup.exe
File size:391'376 bytes
MD5:08aba4235f18775205a1705d89676705
SHA1:d25fc234125ed0cb49608309a842043b7acc2e86
SHA256:f8c59bf2647bc5ad0b69428864ac9b02cf4695a20130a6b171701285195c3c9f
SHA512:005f8c085a1104fe3eaaf63880ca97b74b32dbb64d89aa08924ae74cb3c2f246ffa9c3272f3a14f63a57c72df76bf8da6c9504c9f35f06660beebc5fea0f0dd8
SSDEEP:6144:i8kiSrhTFpBoiB6VTquOmQ7YpAOMJjwvDW70PFn0wccccccccYwP+Tr:GiYTF5B6Veum6WnrTr
TLSH:48843901B7D58031F6B22B32A97946B5487DBC719F35C2DFA3A4686DAD306D0DA70B23
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........i....q...q...q.3.....q.3.....q.3.....q..Vr...q..Vt...q..Vu...q.bQt...q.Z.....q...p.".q..Vx...q..V....q.......q..Vs...q.Rich..q
Icon Hash:55497933cc61714d
Entrypoint:0x416c38
Entrypoint Section:.text
Digitally signed:true
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:0x66BA3562 [Mon Aug 12 16:16:34 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:6
OS Version Minor:0
File Version Major:6
File Version Minor:0
Subsystem Version Major:6
Subsystem Version Minor:0
Import Hash:1dbae0c3c95050b4a391eeaafa9311b1
Signature Valid:true
Signature Issuer:CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:The operation completed successfully
Error Number:0
Not Before, Not After
  • 21/01/2022 00:00:00 30/01/2025 23:59:59
Subject Chain
  • CN=GN Hearing A/S, O=GN Hearing A/S, L=Ballerup, C=DK
Version:3
Thumbprint MD5:5CD08805D25FB6438745FAF795BDCD74
Thumbprint SHA-1:94100BECB61B9CE55DA61EBF558365F79304D63B
Thumbprint SHA-256:C9CF516456D66888F13B6B7E530BBC0E5F3D4FC4F1F2F989FEBB25D263C83E6F
Serial:046D1D272BD29C149AA5FC5DE3445D21
Programming Language:
  • [RES] VS2015 UPD3 build 24213
  • [LNK] VS2015 UPD3.1 build 24215
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x4bcd0 | 0xb4 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x51000 | 0xd780 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x5d200 | 0x26d0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x5f000 | 0x2f04 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x48dc0 | 0x70 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x48e8c | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x48e30 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x36000 | 0x268 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x3438d | 0x34400 | ce9b91c9a67d6809c20dc6da4403d236 | False | 0.5168632251794258 | data | 6.57276571453631 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x36000 | 0x16a28 | 0x16c00 | 17a2a2d3ae57ab6703e8be65818a1b85 | False | 0.40117402129120877 | data | 5.044403567227042 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x4d000 | 0x1ed4 | 0x1000 | 7ad70cb1b86d6b94f9a985aeb2828fa3 | False | 0.216796875 | Matlab v4 mat-file (little endian) right (c) by P.J. Plauger, licensed by Dinkumware, Ltd. ALL RIGHTS RESERVED., text, rows 4294967295, columns 10 | 3.515306646918696 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.gfids | 0x4f000 | 0x25c | 0x400 | ea9b19e5a77b700844a31d0535a500b6 | False | 0.3388671875 | data | 2.5771337581014975 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls | 0x50000 | 0x9 | 0x200 | 1f354d76203061bfdd5a53dae48d5435 | False | 0.033203125 | data | 0.020393135236084953 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x51000 | 0xd780 | 0xd800 | 885861a6f551d1a22a28c97b41026bd7 | False | 0.29799623842592593 | data | 5.654578773646797 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x5f000 | 0x2f04 | 0x3000 | 3401a59f241799dcc18270fc98e8353a | False | 0.7254231770833334 | data | 6.587576910047788 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x51450 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 0 | English | United States | 0.21341463414634146
RT_ICON | 0x51ab8 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | United States | 0.34139784946236557
RT_ICON | 0x51da0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | United States | 0.5202702702702703
RT_ICON | 0x51ec8 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | United States | 0.47334754797441364
RT_ICON | 0x52d70 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | United States | 0.6101083032490975
RT_ICON | 0x53618 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | United States | 0.596820809248555
RT_ICON | 0x53b80 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | United States | 0.2932572614107884
RT_ICON | 0x56128 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | United States | 0.4343339587242026
RT_ICON | 0x571d0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | United States | 0.7198581560283688
RT_STRING | 0x57990 | 0xc90 | data | English | United States | 0.2689676616915423
RT_STRING | 0x58620 | 0xba0 | data | English | United States | 0.4307795698924731
RT_STRING | 0x591c0 | 0x176 | data | English | United States | 0.6951871657754011
RT_STRING | 0x59338 | 0xe26 | data | English | United States | 0.25317504141358366
RT_STRING | 0x5a160 | 0xcc2 | OpenPGP Public Key | English | United States | 0.3312921004286589
RT_STRING | 0x5ae28 | 0x1202 | big endian ispell hash file (?), and 26880 string characters | English | United States | 0.2872017353579176
RT_STRING | 0x5c030 | 0x11f2 | data | English | United States | 0.2627340008707009
RT_STRING | 0x5d228 | 0xf08 | data | English | United States | 0.28586278586278585
RT_GROUP_ICON | 0x57638 | 0x84 | data | English | United States | 0.6363636363636364
RT_VERSION | 0x576c0 | 0x2d0 | data | English | United States | 0.47638888888888886
RT_MANIFEST | 0x5e130 | 0x64b | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (1551), with CRLF line terminators | English | United States | 0.3116076970825574
DLL | Import
msi.dll |
KERNEL32.dll | OpenProcess, CreateMutexW, OutputDebugStringW, GetSystemDefaultLCID, GetExitCodeProcess, TerminateProcess, CreateFileW, CreateProcessW, VerSetConditionMask, VerifyVersionInfoW, HeapDestroy, HeapAlloc, HeapFree, HeapReAlloc, HeapSize, LocalFree, WideCharToMultiByte, FormatMessageW, GetProcessHeap, GetLocaleInfoW, GetFileAttributesW, GetTempPathW, CreateDirectoryW, GetModuleFileNameW, GetLongPathNameW, FindFirstFileW, FindClose, GetLocalTime, Process32NextW, CopyFileW, GetCommandLineW, GetPrivateProfileStringW, Sleep, DeleteFileW, LoadLibraryW, FreeLibrary, SizeofResource, LockResource, LoadResource, FindResourceW, FindResourceExW, InitializeCriticalSectionEx, RaiseException, DecodePointer, DeleteCriticalSection, IsDebuggerPresent, EnterCriticalSection, LeaveCriticalSection, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineA, GetOEMCP, IsValidCodePage, FindNextFileW, Process32FirstW, CreateToolhelp32Snapshot, GetModuleHandleW, GetProcAddress, GetVersionExW, GetCurrentProcess, GetCurrentThread, CloseHandle, GetLastError, SetStdHandle, WriteConsoleW, ReadConsoleW, SetEndOfFile, SetFileAttributesW, FindFirstFileExW, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, SetFilePointerEx, ReadFile, GetConsoleMode, GetConsoleCP, FlushFileBuffers, GetFileType, GetACP, GetModuleHandleExW, MultiByteToWideChar, GetStringTypeW, EncodePointer, SetLastError, InitializeCriticalSectionAndSpinCount, CreateEventW, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetSystemTimeAsFileTime, LCMapStringW, GetCPInfo, SetEvent, ResetEvent, WaitForSingleObjectEx, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, InitializeSListHead, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, IsProcessorFeaturePresent, RtlUnwind, LoadLibraryExW, GetStdHandle, WriteFile, ExitProcess
USER32.dll | LoadStringW, PeekMessageW, ExitWindowsEx, MessageBoxW, MsgWaitForMultipleObjects, wsprintfW
ADVAPI32.dll | RegSetValueExW, RegCreateKeyExW, AdjustTokenPrivileges, LookupPrivilegeValueW, RegEnumValueW, RegQueryValueExW, RegOpenKeyExW, RegCloseKey, GetTokenInformation, OpenProcessToken, OpenThreadToken, CheckTokenMembership, CreateWellKnownSid, DuplicateToken
ole32.dll | CoUninitialize, CoCreateInstance, CoInitialize
SHELL32.dll | CommandLineToArgvW, SHGetFolderPathW
OLEAUT32.dll | VariantInit, VariantCopy, SysAllocString, VariantClear, SysFreeString
SHLWAPI.dll | PathRemoveFileSpecW, PathFileExistsW, PathQuoteSpacesW
Language of compilation system:English
Country where language is spoken:United States
No network behavior found


Target ID:0
Start time:10:59:00
Start date:13/10/2024
Path:C:\Users\user\Desktop\Setup.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\Desktop\Setup.exe"
Imagebase:0xe10000
File size:391'376 bytes
MD5 hash:08ABA4235F18775205A1705D89676705
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true


    Execution Graph

    Execution Coverage:5.6%
    Dynamic/Decrypted Code Coverage:0%
    Signature Coverage:10.6%
    Total number of Nodes:1045
    Total number of Limit Nodes:10
23857 e1f080 50 API calls 23848->23857 23850 e20ffd 23850->23853 23858 e21040 50 API calls 23850->23858 23851 e20fbd 23851->23850 23854 e24060 50 API calls 23851->23854 23853->23815 23854->23850 23855->23820 23856->23819 23857->23851 23858->23853 23859->23827 23860->23836 23862 e223d7 23861->23862 23863 e22400 23862->23863 23864 e20f80 50 API calls 23862->23864 23865 e24060 50 API calls 23863->23865 23867 e224cf 23863->23867 23864->23863 23865->23867 23866 e21cc6 23866->23845 23867->23866 23869 e21040 50 API calls 23867->23869 23869->23866 23870->23595 23871->23595 23872->23635 23873->23635 23875 e1e7d2 23874->23875 23877 e1e7ff error_info_injector 23875->23877 23879 e1ff70 69 API calls 23875->23879 23877->23221 23878->23218 23879->23877 23881 e330ec _Atexit 23880->23881 23882 e33104 23881->23882 23884 e27524 _Atexit GetModuleHandleW 23881->23884 23902 e31c64 EnterCriticalSection 23882->23902 23885 e330f8 23884->23885 23885->23882 23914 e3323a GetModuleHandleExW 23885->23914 23886 e331aa 23903 e331ea 23886->23903 23890 e33181 23891 e33199 23890->23891 23923 e3300d 5 API calls __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 23890->23923 23924 e3300d 5 API calls __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 23891->23924 23892 e3310c 23892->23886 23892->23890 23922 e34a32 20 API calls _Atexit 23892->23922 23893 e331f3 23925 e439e9 5 API calls __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 23893->23925 23894 e331c7 23906 e331f9 23894->23906 23902->23892 23926 e31cac LeaveCriticalSection 23903->23926 23905 e331c3 23905->23893 23905->23894 23927 e383dd 23906->23927 23909 e33227 23911 e3323a _Atexit 8 API calls 23909->23911 23910 e33207 GetPEB 23910->23909 23912 e33217 GetCurrentProcess TerminateProcess 23910->23912 23913 e3322f ExitProcess 23911->23913 23912->23909 23915 e33287 23914->23915 23916 e33264 GetProcAddress 23914->23916 23917 e33296 23915->23917 23918 e3328d FreeLibrary 23915->23918 23919 e33279 23916->23919 23920 e26c47 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API 
calls 23917->23920 23918->23917 23919->23915 23921 e332a0 23920->23921 23921->23882 23922->23890 23923->23891 23924->23886 23926->23905 23928 e38402 23927->23928 23929 e383f8 23927->23929 23934 e37d9a 5 API calls 2 library calls 23928->23934 23931 e26c47 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 23929->23931 23932 e33203 23931->23932 23932->23909 23932->23910 23933 e38419 23933->23929 23934->23933 23935 e39b09 23940 e398d7 23935->23940 23937 e39b1f 23938 e39b31 23937->23938 23950 e41cd6 23937->23950 23941 e39902 23940->23941 23949 e39a4b 23941->23949 23953 e41588 43 API calls 2 library calls 23941->23953 23943 e39a54 __cftoe 23943->23937 23945 e39a95 23945->23949 23954 e41588 43 API calls 2 library calls 23945->23954 23947 e39ab4 23947->23949 23955 e41588 43 API calls 2 library calls 23947->23955 23949->23943 23956 e2c341 20 API calls __dosmaperr 23949->23956 23957 e416ab 23950->23957 23952 e41cf1 23952->23938 23953->23945 23954->23947 23955->23949 23956->23943 23960 e416b7 ___DestructExceptionObject 23957->23960 23958 e416c5 23973 e2c341 20 API calls __dosmaperr 23958->23973 23960->23958 23961 e416fe 23960->23961 23966 e41c85 23961->23966 23964 e416ca ___DestructExceptionObject __cftoe 23964->23952 23975 e431b1 23966->23975 23968 e41c9b 23969 e41722 23968->23969 23995 e41cf6 23968->23995 23974 e4174b LeaveCriticalSection __wsopen_s 23969->23974 23972 e32695 _free 20 API calls 23972->23969 23973->23964 23974->23964 23976 e431d4 23975->23976 23977 e431bd 23975->23977 23979 e431f3 23976->23979 23980 e431dc 23976->23980 24041 e2c341 20 API calls __dosmaperr 23977->24041 24043 e37eb1 10 API calls 2 library calls 23979->24043 24042 e2c341 20 API calls __dosmaperr 23980->24042 23983 e431fa MultiByteToWideChar 23984 e43229 23983->23984 23985 e43219 GetLastError 23983->23985 23987 e31e61 std::_Locinfo::_Locinfo_dtor 21 API calls 23984->23987 24044 e2c30b 20 API calls 2 library calls 23985->24044 23989 e43231 23987->23989 23988 e431c2 __cftoe 23988->23968 23990 
e43259 23989->23990 23991 e43238 MultiByteToWideChar 23989->23991 23992 e32695 _free 20 API calls 23990->23992 23991->23990 23993 e4324d GetLastError 23991->23993 23992->23988 24045 e2c30b 20 API calls 2 library calls 23993->24045 23996 e41d13 23995->23996 23997 e41d41 23996->23997 23998 e41d28 23996->23998 24046 e3c97b 23997->24046 24060 e2c32e 20 API calls __dosmaperr 23998->24060 24001 e41d46 24002 e41d66 24001->24002 24003 e41d4f 24001->24003 24059 e419c4 CreateFileW 24002->24059 24062 e2c32e 20 API calls __dosmaperr 24003->24062 24007 e41d9f 24009 e41e1c GetFileType 24007->24009 24011 e41df1 GetLastError 24007->24011 24064 e419c4 CreateFileW 24007->24064 24008 e41d54 24063 e2c341 20 API calls __dosmaperr 24008->24063 24012 e41e27 GetLastError 24009->24012 24015 e41e6e 24009->24015 24065 e2c30b 20 API calls 2 library calls 24011->24065 24066 e2c30b 20 API calls 2 library calls 24012->24066 24068 e3c8c4 21 API calls 3 library calls 24015->24068 24017 e41d2d 24061 e2c341 20 API calls __dosmaperr 24017->24061 24018 e41e35 CloseHandle 24018->24017 24021 e41e5e 24018->24021 24020 e41de4 24020->24009 24020->24011 24067 e2c341 20 API calls __dosmaperr 24021->24067 24023 e41e8f 24025 e41edb 24023->24025 24069 e41bd5 69 API calls 3 library calls 24023->24069 24024 e41e63 24024->24017 24029 e41f08 24025->24029 24070 e41777 72 API calls 3 library calls 24025->24070 24028 e41f01 24028->24029 24030 e41f19 24028->24030 24071 e38fbd 23 API calls 2 library calls 24029->24071 24032 e41cc3 24030->24032 24033 e41f97 CloseHandle 24030->24033 24032->23972 24072 e419c4 CreateFileW 24033->24072 24035 e41fc2 24036 e41fcc GetLastError 24035->24036 24037 e41f11 24035->24037 24073 e2c30b 20 API calls 2 library calls 24036->24073 24037->24032 24039 e41fd8 24074 e3ca8d 21 API calls 3 library calls 24039->24074 24041->23988 24042->23988 24043->23983 24044->23988 24045->23990 24047 e3c987 ___DestructExceptionObject 24046->24047 24075 e31c64 EnterCriticalSection 24047->24075 24049 e3c98e 
24050 e3c9b3 24049->24050 24055 e3ca21 EnterCriticalSection 24049->24055 24056 e3c9d5 24049->24056 24079 e3c75a 21 API calls 3 library calls 24050->24079 24053 e3c9fe ___DestructExceptionObject 24053->24001 24054 e3c9b8 24054->24056 24080 e3c8a1 EnterCriticalSection 24054->24080 24055->24056 24057 e3ca2e LeaveCriticalSection 24055->24057 24076 e3ca84 24056->24076 24057->24049 24059->24007 24060->24017 24061->24032 24062->24008 24063->24017 24064->24020 24065->24017 24066->24018 24067->24024 24068->24023 24069->24025 24070->24028 24071->24037 24072->24035 24073->24039 24074->24037 24075->24049 24081 e31cac LeaveCriticalSection 24076->24081 24078 e3ca8b 24078->24053 24079->24054 24080->24056 24081->24078

    Control-flow Graph

    APIs
      • Part of subcall function 00E127E0: GetTempPathW.KERNEL32(00000400,?), ref: 00E12835
      • Part of subcall function 00E127E0: CreateDirectoryW.KERNEL32(?,00000000), ref: 00E1284C
      • Part of subcall function 00E127E0: WideCharToMultiByte.KERNEL32(00000003,00000000,?,000000FF,?,?,00000000,00000000), ref: 00E12921
    • GetModuleFileNameW.KERNEL32(00000000,?,00000400), ref: 00E12DDE
    • GetLongPathNameW.KERNEL32(?,?,00000400), ref: 00E12DF1
    • GetFileAttributesW.KERNEL32(?), ref: 00E12E80
    • wsprintfW.USER32 ref: 00E12EDA
    • wsprintfW.USER32 ref: 00E12EFA
    • GetFileAttributesW.KERNEL32(?,?), ref: 00E12F0E
    • wsprintfW.USER32 ref: 00E12F91
    • wsprintfW.USER32 ref: 00E12FB5
    • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00E13060
    • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00E130E3
    • SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,?), ref: 00E13105
    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00E13118
    • FormatMessageW.KERNEL32(00001300,00000000,00000000,00000400,?,00000000,00000000), ref: 00E13136
      • Part of subcall function 00E15020: GetLocalTime.KERNEL32(?,75BF73E0,?,?,?,?,?,?,00E12EED,?), ref: 00E1503B
    • SHGetFolderPathW.SHELL32(00000000,00008023,00000000,00000000,?,?), ref: 00E1320F
    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00E13218
    • FormatMessageW.KERNEL32(00001300,00000000,00000000,00000400,?,00000000,00000000), ref: 00E13236
    Memory Dump Source
    • Source File: 00000000.00000002.1779433342.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
    • Associated: 00000000.00000002.1779418342.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1779458961.0000000000E46000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1779477317.0000000000E5D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1779491698.0000000000E5F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1779505912.0000000000E61000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e10000_Setup.jbxd
    Similarity
    • API ID: FilePathwsprintf$AttributesErrorFindFolderFormatLastMessageName$ByteCharCloseCreateDirectoryFirstLocalLongModuleMultiTempTimeWide
    • String ID: *.msp$Files$Information : No patch Exists$Information : Patch Folder Exists$Markets\Markets.xml$Patches$Xml Used as %s$m_szPatchDir: %s$m_szSrcDir: %s
    • API String ID: 2050725286-1472794149
    • Opcode ID: 39cff1c00a4362f5a5f1639baa3f434c6916a5665d965da7d528b5bcc320be97
    • Instruction ID: 2fe2749d2c06a91de6626b8a4e0938436812bb03bc06b8559f4deeec3b724ab7
    • Opcode Fuzzy Hash: 39cff1c00a4362f5a5f1639baa3f434c6916a5665d965da7d528b5bcc320be97
    • Instruction Fuzzy Hash: EFD1DBB1A403187ADB20E7609C46FEE73BCAF45704F445858FB05F61C1EBB06A99CBA5

    Control-flow Graph

    APIs
    • GetLocalTime.KERNEL32(?,75BF73E0,?,?,?,?,?,?,00E12EED,?), ref: 00E1503B
    Similarity
    • API ID: LocalTime
    • String ID: 48$48$48$88$88$<8$.$.
    • API String ID: 481472006-2253082907
    • Opcode ID: 83d97c73438496455765114f5817cc5ce59bb7e396524e3d3e2395f86e500633
    • Instruction ID: 9ffa0e442f991a18fb6be691b3650515c0eb0181db2df4709cacac5e7e6647a6
    • Opcode Fuzzy Hash: 83d97c73438496455765114f5817cc5ce59bb7e396524e3d3e2395f86e500633
    • Instruction Fuzzy Hash: 121121B1F00154678F0C7BB0681B46FB6E79FD4340F4829B8B805BB385ED35DA5A8792

    Control-flow Graph

    APIs
    • VariantClear.OLEAUT32(?), ref: 00E1A9EC
    • SysAllocString.OLEAUT32(?), ref: 00E1AA06
    • CoCreateInstance.OLE32(00E58D0C,00000000,00000017,00E58CE4,?), ref: 00E1AA54
    • VariantClear.OLEAUT32(?), ref: 00E1AACF
      • Part of subcall function 00E25100: __CxxThrowException@8.LIBVCRUNTIME ref: 00E25112
    • MessageBoxW.USER32(00000000,Could not load the markets xml file.,Setup,00000010), ref: 00E1AAC5
      • Part of subcall function 00E15020: GetLocalTime.KERNEL32(?,75BF73E0,?,?,?,?,?,?,00E12EED,?), ref: 00E1503B
    Similarity
    • API ID: ClearVariant$AllocCreateException@8InstanceLocalMessageStringThrowTime
    • String ID: Could not load the markets xml file.$Setup
    • API String ID: 3254058793-705404800
    • Opcode ID: 2f55082108c86927bb9d5bdc909d325497d83c4e6fc298932f1c0d5579a1dea5
    • Instruction ID: a551ca54445727621889535cdd589b8944502e4bc2bd2b7f8fa833f83b655290
    • Opcode Fuzzy Hash: 2f55082108c86927bb9d5bdc909d325497d83c4e6fc298932f1c0d5579a1dea5
    • Instruction Fuzzy Hash: EA31F231A40709ABDB108F64CD04BEBB7B8FF46718F445A2AE915F7290D774A444C7A6

    Control-flow Graph

    APIs
    • GetCurrentProcess.KERNEL32(00000003,?,00E331CF,00000003,00E5B790,0000000C,00E332E2,00000003,00000002,00000000,?,00E31E60,00000003), ref: 00E3321A
    • TerminateProcess.KERNEL32(00000000,?,00E331CF,00000003,00E5B790,0000000C,00E332E2,00000003,00000002,00000000,?,00E31E60,00000003), ref: 00E33221
    • ExitProcess.KERNEL32 ref: 00E33233
    Similarity
    • API ID: Process$CurrentExitTerminate
    • String ID:
    • API String ID: 1703294689-0
    • Opcode ID: ec8d6b471a920f081991389633cdf5a73aaecbada70abd6095968468c229f576
    • Instruction ID: b5a9c34163889a1a0c39fa5a0ea4ffd34c5c3be0ac4a13c7ce9df3b8b29cd32f
    • Opcode Fuzzy Hash: ec8d6b471a920f081991389633cdf5a73aaecbada70abd6095968468c229f576
    • Instruction Fuzzy Hash: 0BE0B635001648AFCF616F65ED0DE5A3FA9EB4675AF015014F849AA232CB35DE46CA41
    Strings
    • SmartFit\, xrefs: 00E196C7
    • Setup, xrefs: 00E197B8
    • Update done, xrefs: 00E19C29
    • Related Product found. ProductCode: '%s', xrefs: 00E19006
    • MsiEnumRelatedProducts returned: '%lu', xrefs: 00E190EB
    • Prereqs met, xrefs: 00E19193
    • Error retrieving Transforms property: '%lu', xrefs: 00E198F8
    • Cannot upgrade a product that is not installed., xrefs: 00E19299
    • GN ReSound\FSW Notify\, xrefs: 00E1966C
    • Patch invoke did not return a success code..., xrefs: 00E19B64
    • Aventa3\, xrefs: 00E196B4
    • Transforms, xrefs: 00E198C3
    • Running in silent mode and .NET Framework installer requested a reboot. Caller should Reboot machine then restart Setup to continu, xrefs: 00E19229
    • Related Product's ProductCode is same as current ProductCode, xrefs: 00E190B8
    • No Related Products found., xrefs: 00E190C7
    • Pre X13 Installed, xrefs: 00E1926B
    • Update was not installed successfully., xrefs: 00E19C07, 00E19C16
    • Transforms: '%s' szProductCode: '%s' sLangId: '%s', xrefs: 00E199E4
    • Running in web update mode so no need to reboot since .NET Framework already installed, xrefs: 00E191D5
    • InstallLocation, xrefs: 00E1949A, 00E19506
    • Product Is Already Installed, xrefs: 00E191FA
    • Running Feature Update, xrefs: 00E19786
    • Update installed successfully., xrefs: 00E1979F, 00E197BD, 00E19BE0, 00E19BF3
    • Feature Update invoke did not return a success code..., xrefs: 00E197CF
    • Legacy Uninstall did not complete successfully; User may have cancelled. Uninstall or run installer again., xrefs: 00E192F4
    • Related Product's ProductCode is different from one in Markets.xml and will be used., xrefs: 00E19093
    • Running in silent mode and VCRedist installer requested a reboot. Caller should Reboot machine then restart Setup to continue., xrefs: 00E19215
    • InstallLocation: '%s' InstallLegacyLocation: '%s' InstallNewLocation: '%s' NotifyInstallLocation: '%s', xrefs: 00E19700
    • PackageCode, xrefs: 00E19419
    • UpgradeCode: '%s', xrefs: 00E18FAF
    • Related Product's ProductCode is same as one in Markets.xml, xrefs: 00E190B1
    • Uninstall did not complete successfully; User may have cancelled. Uninstall or run installer again., xrefs: 00E19A59
    • Running webupdate/patch, xrefs: 00E19B3A
    • Error retrieving InstallLocation property: '%lu', xrefs: 00E194D9, 00E1953B
    • m_szInstallLocation is empty. Getting CSIDL_PROGRAM_FILES..., xrefs: 00E19571
    • VC Redist wants to reboot. Verify it is not a fake request per KB. Just continue for now..., xrefs: 00E19246
    Similarity
    • API ID: CommandFileLineName$ArgvAttributesFreeLocalLongMessageModulePathwsprintf
    • String ID: Aventa3\$Cannot upgrade a product that is not installed.$Error retrieving InstallLocation property: '%lu'$Error retrieving Transforms property: '%lu'$Feature Update invoke did not return a success code...$GN ReSound\FSW Notify\$InstallLocation$InstallLocation: '%s' InstallLegacyLocation: '%s' InstallNewLocation: '%s' NotifyInstallLocation: '%s'$Legacy Uninstall did not complete successfully; User may have cancelled. Uninstall or run installer again.$MsiEnumRelatedProducts returned: '%lu'$No Related Products found.$PackageCode$Patch invoke did not return a success code...$Pre X13 Installed$Prereqs met$Product Is Already Installed$Related Product found. ProductCode: '%s'$Related Product's ProductCode is different from one in Markets.xml and will be used.$Related Product's ProductCode is same as current ProductCode$Related Product's ProductCode is same as one in Markets.xml$Running Feature Update$Running in silent mode and .NET Framework installer requested a reboot. Caller should Reboot machine then restart Setup to continu$Running in silent mode and VCRedist installer requested a reboot. Caller should Reboot machine then restart Setup to continue.$Running in web update mode so no need to reboot since .NET Framework already installed$Running webupdate/patch$Setup$SmartFit\$Transforms$Transforms: '%s' szProductCode: '%s' sLangId: '%s'$Uninstall did not complete successfully; User may have cancelled. Uninstall or run installer again.$Update done$Update installed successfully.$Update was not installed successfully.$UpgradeCode: '%s'$VC Redist wants to reboot. Verify it is not a fake request per KB. Just continue for now...$m_szInstallLocation is empty. Getting CSIDL_PROGRAM_FILES...
    • API String ID: 4019564706-1855592880
    • Opcode ID: f05a7e576301b6b0ee7addca3b1fb1648a251b07686fdc5dd3dbeb09e9e01ff3
    • Instruction ID: ba47166e077cccfc217b222c2f4bfed1e9c4f91876225bb79deb2aa9e800b4da
    • Opcode Fuzzy Hash: f05a7e576301b6b0ee7addca3b1fb1648a251b07686fdc5dd3dbeb09e9e01ff3
    • Instruction Fuzzy Hash: 1272E671A04714AADB20E760CC66BEEB3F9AF06704F042599E44A771C3DB715BC9CB92

    Control-flow Graph

    APIs
      • Part of subcall function 00E419C4: CreateFileW.KERNEL32(00000000,00000000,?,00E41D9F,?,?,00000000,?,00E41D9F,00000000,0000000C), ref: 00E419E1
    • GetLastError.KERNEL32 ref: 00E41E0A
    • __dosmaperr.LIBCMT ref: 00E41E11
    • GetFileType.KERNEL32(00000000), ref: 00E41E1D
    • GetLastError.KERNEL32 ref: 00E41E27
    • __dosmaperr.LIBCMT ref: 00E41E30
    • CloseHandle.KERNEL32(00000000), ref: 00E41E50
    • CloseHandle.KERNEL32(?), ref: 00E41F9A
    • GetLastError.KERNEL32 ref: 00E41FCC
    • __dosmaperr.LIBCMT ref: 00E41FD3
    Similarity
    • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
    • String ID: H
    • API String ID: 4237864984-2852464175
    • Opcode ID: ab3c6cb6f602f1b5b5fee2438a8a7ddae1862f866cc448013eec814662bf28a0
    • Instruction ID: 1feee87379f2f366b7d5fa40d78c6ed626c31340b8794f0331994da6cbe3465c
    • Opcode Fuzzy Hash: ab3c6cb6f602f1b5b5fee2438a8a7ddae1862f866cc448013eec814662bf28a0
    • Instruction Fuzzy Hash: 9EA13432A102448FDF19DF78E8917AD7BE0AB06325F241189F812BB392DB319D56CB51

    Control-flow Graph

    APIs
      • Part of subcall function 00E31E61: RtlAllocateHeap.NTDLL(00000000,00000003,00000000,?,00000003,00E350B2,?,00E2C5E9,?), ref: 00E31E93
    • _free.LIBCMT ref: 00E33EA5
    • _free.LIBCMT ref: 00E33EBC
    • _free.LIBCMT ref: 00E33EDB
    • _free.LIBCMT ref: 00E33EF6
    • _free.LIBCMT ref: 00E33F0D
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1779433342.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
    • Associated: 00000000.00000002.1779418342.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1779458961.0000000000E46000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1779477317.0000000000E5D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1779491698.0000000000E5F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1779505912.0000000000E61000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e10000_Setup.jbxd
    Similarity
    • API ID: _free$AllocateHeap
    • String ID: i5
    • API String ID: 3033488037-3787849833
    • Opcode ID: eca89e0330f292cbe460263462d89a81abfe083ecfed8c28f9ca269150a12766
    • Instruction ID: 82923c4f9735d14a2496f4bbb60e341e02a936ce7ec053e57f1bae9ca0585f4f
    • Opcode Fuzzy Hash: eca89e0330f292cbe460263462d89a81abfe083ecfed8c28f9ca269150a12766
    • Instruction Fuzzy Hash: 9551B471A00304AFDB20DF7AD846A6ABBF5EF58724F14165DE849FB291E731EA01CB40

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 751 e31a29-e31a33 752 e31a43-e31a5f call e39ee8 751->752 753 e31a35-e31a3a call e33d1a 751->753 759 e31a61-e31a64 752->759 760 e31a6b-e31a7b call e31cd5 752->760 756 e31a3f-e31a41 753->756 758 e31ab7-e31aba 756->758 761 e31a66-e31a69 759->761 762 e31abb-e31ad9 call e2c098 call e27620 call e31a29 759->762 767 e31a7d-e31a91 call e39ee8 760->767 768 e31aac-e31ab6 call e32695 760->768 761->760 761->762 783 e31ade-e31ae4 762->783 776 e31a93-e31a96 767->776 777 e31a9f-e31aaa call e33d1a 767->777 768->758 776->762 780 e31a98-e31a9b 776->780 777->768 780->768 781 e31a9d 780->781 781->762 784 e31ae6-e31ae8 783->784 785 e31aed-e31b1c call e3502f call e3a189 783->785 787 e31c11-e31c16 call e27666 784->787 793 e31b36-e31b47 call e31e61 785->793 794 e31b1e-e31b21 785->794 793->784 802 e31b49-e31b67 call e3a189 793->802 795 e31b23-e31b26 794->795 796 e31b28 794->796 795->796 798 e31b32-e31b34 795->798 799 e31b2d call e2c098 796->799 798->784 798->793 799->798 805 e31b8a-e31ba4 call e31c64 802->805 806 e31b69-e31b6c 802->806 813 e31bc0-e31bca 805->813 814 e31ba6-e31bac 805->814 807 e31b73-e31b78 806->807 808 e31b6e-e31b71 806->808 807->799 808->807 810 e31b7a-e31b7c 808->810 810->805 812 e31b7e-e31b85 call e32695 810->812 812->784 815 e31bf3-e31c0f call e31c1a 813->815 816 e31bcc-e31bd3 813->816 814->813 818 e31bae-e31bbd call e32695 814->818 815->787 816->815 819 e31bd5-e31bdb 816->819 818->813 819->815 823 e31bdd-e31be2 819->823 823->815 826 e31be4-e31bee call e32695 823->826 826->815
    APIs
    Similarity
    • API ID: __cftoe
    • String ID:
    • API String ID: 4189289331-0
    • Opcode ID: 178a0ec183fec47ebdb8e6de792bc29263eaae5d6ef44acd0b85ad6eba94f9e2
    • Instruction ID: 01fca590f31eeb42ba666ff7e96eb9c9642ab106564087eea96d612dea7fb9a7
    • Opcode Fuzzy Hash: 178a0ec183fec47ebdb8e6de792bc29263eaae5d6ef44acd0b85ad6eba94f9e2
    • Instruction Fuzzy Hash: B8510D32904205EBDF249B68CC49EAEBFF9EF48365F14629DF815B6192EB31C940C664

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 829 e22070-e220ba call e261d7 832 e220eb-e220f4 829->832 833 e220bc-e220cb call e261d7 829->833 835 e22102 832->835 836 e220f6-e220fe 832->836 841 e220dd-e220e5 call e2622f 833->841 842 e220cd-e220d8 833->842 840 e22104-e22108 835->840 838 e22100 836->838 839 e22177-e22192 call e2622f 836->839 838->840 843 e2211a-e2211c 840->843 844 e2210a-e22112 call e25f82 840->844 841->832 842->841 843->839 847 e2211e-e22120 843->847 844->847 854 e22114-e22117 844->854 850 e22122-e22124 847->850 851 e22126-e2212d call e22aa0 847->851 850->839 856 e22132-e22138 851->856 854->843 857 e2213a-e22159 call e292ea 856->857 858 e2215e-e22174 call e25f54 856->858 857->858 858->839
    APIs
    • std::_Lockit::_Lockit.LIBCPMT ref: 00E2209D
    • std::_Lockit::_Lockit.LIBCPMT ref: 00E220C0
    • std::_Lockit::~_Lockit.LIBCPMT ref: 00E220E0
    • __CxxThrowException@8.LIBVCRUNTIME ref: 00E22159
    • std::_Facet_Register.LIBCPMT ref: 00E2216F
    • std::_Lockit::~_Lockit.LIBCPMT ref: 00E2217A
    Similarity
    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
    • String ID:
    • API String ID: 2536120697-0
    • Opcode ID: 4f1e7f984db82bca4aad61287e91fe4db3a467542646bb4d43eb124bde4a9d0f
    • Instruction ID: 3291d8e00d29219ca4aef31945671a3aad6b428297c51f735317a540561d40fb
    • Opcode Fuzzy Hash: 4f1e7f984db82bca4aad61287e91fe4db3a467542646bb4d43eb124bde4a9d0f
    • Instruction Fuzzy Hash: 1B310172A00224AFCB25DF90FC81EAEB7B4EF44324F14121DEA01B7291D731AD45CB90

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 863 e127e0-e1283d call e29190 GetTempPathW 866 e12843-e1285b CreateDirectoryW 863->866 867 e12a06-e12a27 call e26c47 863->867 869 e12860-e12869 866->869 869->869 871 e1286b-e1286f 869->871 872 e12871-e1287e 871->872 873 e12880-e12896 call e2eb05 871->873 872->873 874 e12899-e128dd call e30efe call e2eb05 872->874 873->874 881 e128e0-e128e9 874->881 881->881 882 e128eb-e128f6 881->882 883 e12930 882->883 884 e128f8-e12909 call e271f0 882->884 886 e12932-e12939 call e20030 883->886 884->883 889 e1290b-e1292e WideCharToMultiByte 884->889 890 e1293e-e12947 886->890 889->886 891 e12949-e12969 call e24060 890->891 892 e1296b-e1297d call e24060 890->892 895 e12982-e12986 891->895 892->895 895->867 897 e12988-e129be call e24060 call e30efe 895->897 902 e129c1-e129ca 897->902 902->902 903 e129cc-e129d9 902->903 904 e129db-e129dd 903->904 905 e129df-e129f6 call e271f0 call e24f30 903->905 906 e129fb-e12a01 call e1dd00 904->906 905->906 906->867
    APIs
    • GetTempPathW.KERNEL32(00000400,?), ref: 00E12835
    • CreateDirectoryW.KERNEL32(?,00000000), ref: 00E1284C
    • WideCharToMultiByte.KERNEL32(00000003,00000000,?,000000FF,?,?,00000000,00000000), ref: 00E12921
      • Part of subcall function 00E24060: __CxxThrowException@8.LIBVCRUNTIME ref: 00E24106
      • Part of subcall function 00E24F30: WideCharToMultiByte.KERNEL32(00E129FB,00000000,?,000000FF,?,?,00000000,00000000,?,?,00E129FB,?,00000003,00000000,00000002,?), ref: 00E24F51
    Strings
    Similarity
    • API ID: ByteCharMultiWide$CreateDirectoryException@8PathTempThrow
    • String ID: C:\PatchInstaller.log$PatchInstaller.Log
    • API String ID: 1543206543-1754359095
    • Opcode ID: 50da35d2a0de781e70b6c5e1a831524aff34831146560887b7c3f7fe09f30f82
    • Instruction ID: c9640774f43fde2312d6be3882678f738dcf43f884978631032e490beeebf604
    • Opcode Fuzzy Hash: 50da35d2a0de781e70b6c5e1a831524aff34831146560887b7c3f7fe09f30f82
    • Instruction Fuzzy Hash: B2510971A002199FDB24DB24DC42FEA73A8FF44714F149568EA06B71C1EB70AE86CBD5

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 911 e22aa0-e22ad3 912 e22b77-e22b8c 911->912 913 e22ad9-e22adc 911->913 913->912 914 e22ae2-e22b00 call e26c58 913->914 917 e22b02-e22b07 914->917 918 e22b09-e22b0e 914->918 919 e22b13-e22b1a call e22d00 917->919 918->919 920 e22b10 918->920 922 e22b1f-e22b72 call e2624e call e25bfd call e22e00 919->922 920->919 922->912
    APIs
    Strings
    Similarity
    • API ID: GetctypeGetcvt
    • String ID: 2!
    • API String ID: 492523193-1904098939
    • Opcode ID: d7d0530845638ba8d258b50def115b1317bd9bee5d96bfc0665321fbf1405815
    • Instruction ID: ff8025ff17a6d24c9d401eca0d9ea9088fa4a64fbedece75331c5c126944d843
    • Opcode Fuzzy Hash: d7d0530845638ba8d258b50def115b1317bd9bee5d96bfc0665321fbf1405815
    • Instruction Fuzzy Hash: 5321ADB1D00669ABDB10CF14D941BA9B7B4FF58314F10A26EE949BB251EB70A6D4CB80

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 928 e22d00-e22d78 call e261d7 931 e22d7a-e22db4 call e29102 call e292ea 928->931 932 e22db9-e22dbb call e2608b 928->932 931->932 936 e22dc0-e22dd4 932->936
    APIs
    • std::_Lockit::_Lockit.LIBCPMT ref: 00E22D2D
    • __CxxThrowException@8.LIBVCRUNTIME ref: 00E22DB4
      • Part of subcall function 00E292EA: RaiseException.KERNEL32(?,?,00E259CF,?,?,?,?,?,?,?,?,00E259CF,?,00E5B360,?), ref: 00E29349
    • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00E22DBB
    Strings
    Similarity
    • API ID: std::_$ExceptionException@8Locinfo::_Locinfo_ctorLockitLockit::_RaiseThrow
    • String ID: xc
    • API String ID: 1915927752-1377889829
    • Opcode ID: 907a019e8bc08fed8380363e9ab8a03a618b546a475fce23ddb2f56618a8ab84
    • Instruction ID: 8d24657d3140cdce0766530b06f00216c8dd8f6da581d56a37cf45aeceacc098
    • Opcode Fuzzy Hash: 907a019e8bc08fed8380363e9ab8a03a618b546a475fce23ddb2f56618a8ab84
    • Instruction Fuzzy Hash: FF21A1B18047989FC720CF68D945BCBBBF8AF19304F00565EE845B3641E3B5A6088BA1

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 938 e36bb9-e36bde 939 e36be0-e36be2 938->939 940 e36be7-e36be9 938->940 941 e36db5-e36dc4 call e26c47 939->941 942 e36beb-e36c05 call e2c32e call e2c341 call e2c06b 940->942 943 e36c0a-e36c2f 940->943 942->941 944 e36c31-e36c34 943->944 945 e36c36-e36c3c 943->945 944->945 948 e36c5e-e36c63 944->948 949 e36c5b 945->949 950 e36c3e-e36c56 call e2c32e call e2c341 call e2c06b 945->950 954 e36c65-e36c71 call e374e7 948->954 955 e36c74-e36c7d call e3675e 948->955 949->948 989 e36dac-e36daf 950->989 954->955 966 e36cb8-e36cca 955->966 967 e36c7f-e36c81 955->967 972 e36d12-e36d33 WriteFile 966->972 973 e36ccc-e36cd2 966->973 969 e36c83-e36c88 967->969 970 e36ca5-e36cae call e3653e 967->970 974 e36c8e-e36c9b call e366f1 969->974 975 e36d7c-e36d8e 969->975 988 e36cb3-e36cb6 970->988 978 e36d35-e36d3b GetLastError 972->978 979 e36d3e 972->979 980 e36d02-e36d0b call e367d4 973->980 981 e36cd4-e36cd7 973->981 998 e36c9e-e36ca0 974->998 986 e36d90-e36d93 975->986 987 e36d99-e36da9 call e2c341 call e2c32e 975->987 978->979 990 e36d41-e36d4c 979->990 995 e36d10 980->995 982 e36cf2-e36d00 call e369a1 981->982 983 e36cd9-e36cdc 981->983 982->988 983->975 991 e36ce2-e36cf0 call e368b3 983->991 986->987 996 e36d95-e36d97 986->996 987->989 988->998 992 e36db4 989->992 999 e36db1 990->999 1000 e36d4e-e36d53 990->1000 991->988 992->941 995->988 996->992 998->990 999->992 1004 e36d55-e36d5a 1000->1004 1005 e36d79 1000->1005 1006 e36d70-e36d77 call e2c30b 1004->1006 1007 e36d5c-e36d6e call e2c341 call e2c32e 1004->1007 1005->975 1006->989 1007->989
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: cacb7e8f0423ea5ae2e4733106da73f253c9d76bb893f2985330336cb813a939
    • Instruction ID: 1d7313d036b9761f7aa2f95a8f6aeb5fa30cd7c0dd02dbde392b42fc7f6f4069
    • Opcode Fuzzy Hash: cacb7e8f0423ea5ae2e4733106da73f253c9d76bb893f2985330336cb813a939
    • Instruction Fuzzy Hash: 1951BF71A00219BBCF10EFB9D849BEEBFF4EF05314F60A459E401BB291D6719901DB61

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 1025 e367d4-e3682b call e27a90 1028 e36892-e36894 1025->1028 1029 e36896 1028->1029 1030 e3682d 1028->1030 1031 e368a0-e368b2 call e26c47 1029->1031 1032 e36833-e36835 1030->1032 1034 e36837-e3683c 1032->1034 1035 e36855-e36877 WriteFile 1032->1035 1037 e36845-e36853 1034->1037 1038 e3683e-e36844 1034->1038 1039 e36879-e36884 1035->1039 1040 e36898-e3689e GetLastError 1035->1040 1037->1032 1037->1035 1038->1037 1039->1031 1041 e36886-e3688c 1039->1041 1040->1031 1041->1028
    APIs
    • WriteFile.KERNEL32(00000000,?,?,?,00000000,00000000,?,?,?,00E36D10,?,?,00000000,?,?,?), ref: 00E3686F
    • GetLastError.KERNEL32(?,00E36D10,?,?,00000000,?,?,?,?,?,?,?,00E5B958,00000014,00E307A6,00000000), ref: 00E36898
    Similarity
    • API ID: ErrorFileLastWrite
    • String ID:
    • API String ID: 442123175-0
    • Opcode ID: bf902d036c1e65ec3e1f2d15512b05c0fd5ae3ced6f84edd80cf3b1c4bfe4b35
    • Instruction ID: a6854ace0c646a2b0b4e9396fe693df6d578ce0b643db8cb5ada4b33cf3fbb77
    • Opcode Fuzzy Hash: bf902d036c1e65ec3e1f2d15512b05c0fd5ae3ced6f84edd80cf3b1c4bfe4b35
    • Instruction Fuzzy Hash: D121B475A002199FCB18CF69D884BE9B7F4FB48306F1058A9E54AE7251D730AE85CB50

    Control-flow Graph

    APIs
    • CoInitialize.OLE32(00000000), ref: 00E1D151
      • Part of subcall function 00E12670: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00E1276B
    • CoUninitialize.COMBASE(?,80004005,?,00E58560,00E44A18,00E58D1C,00000000,?,?,F9744ECF,?,?,?), ref: 00E1D175
    Similarity
    • API ID: InitializeIos_base_dtorUninitializestd::ios_base::_
    • String ID:
    • API String ID: 3253047658-0
    • Opcode ID: 95f6e82223303c67992acd4125787bbb05fa20bf638f413315a132f1b57f08dc
    • Instruction ID: da6145eae7e8880c9f56fd928bde486f1725fc15f3b4267f3c975e6d14bacb08
    • Opcode Fuzzy Hash: 95f6e82223303c67992acd4125787bbb05fa20bf638f413315a132f1b57f08dc
    • Instruction Fuzzy Hash: 41F0A7301182159FC324FB64EC46AAF77D4EB41360F004A2DF886A36E1EE305955D7A3

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 1053 e39b09-e39b2f call e398d7 1056 e39b31-e39b33 1053->1056 1057 e39b35-e39b47 call e41cd6 1053->1057 1058 e39b8a-e39b8d 1056->1058 1060 e39b4c-e39b51 1057->1060 1060->1056 1061 e39b53-e39b87 1060->1061 1061->1058
    APIs
    Similarity
    • API ID: __wsopen_s
    • String ID:
    • API String ID: 3347428461-0
    • Opcode ID: a972da73a61b92068346f98ede6959e1b92fe29ee4e2d24284ff83baafe69546
    • Instruction ID: d5a06e80161ddcb96962e7eb9adc2a60ebf7ed0cbd7f535ed50cd2f308648bd0
    • Opcode Fuzzy Hash: a972da73a61b92068346f98ede6959e1b92fe29ee4e2d24284ff83baafe69546
    • Instruction Fuzzy Hash: 261148B190420AAFCF09DF58E94599B7BF8EF48314F0040A9F808AB312D771DA11CB65
    APIs
      • Part of subcall function 00E31CD5: HeapAlloc.KERNEL32(00000008,?,00000000,?,00E350E4,00000001,00000364,?,00E2C08A,00000000,00000000,00000000,00000000,00000000,?,00E25685), ref: 00E31D16
    • _free.LIBCMT ref: 00E33535
      • Part of subcall function 00E32695: HeapFree.KERNEL32(00000000,00000000,?,00E3D2F5,?,00000000,?,00000000,?,00E3D599,?,00000007,?,?,00E3D93D,?), ref: 00E326AB
      • Part of subcall function 00E32695: GetLastError.KERNEL32(?,?,00E3D2F5,?,00000000,?,00000000,?,00E3D599,?,00000007,?,?,00E3D93D,?,?), ref: 00E326BD
    Similarity
    • API ID: Heap$AllocErrorFreeLast_free
    • String ID:
    • API String ID: 3091179305-0
    • Opcode ID: 5c740d9e96b96107a8f0300dca8996efb025bedb21a2740f59a75cda9e0ac999
    • Instruction ID: a338306686f94ec2e2c7fa537ab3076563cad1084ee711caf54649de05e877a6
    • Opcode Fuzzy Hash: 5c740d9e96b96107a8f0300dca8996efb025bedb21a2740f59a75cda9e0ac999
    • Instruction Fuzzy Hash: 09F03C71A00609AFC310DF69D446F5ABBF4EB48710F104166E918EB341EB71AA10CBD1
    APIs
    Similarity
    • API ID: _free
    • String ID:
    • API String ID: 269201875-0
    • Opcode ID: d7183492150423381beb15ce98cff8bf33a3ab4449eb335220340f756bfa2b83
    • Instruction ID: 051ceadff3cd6b079919963f8e7f319b7b4da0d4c752586d0f5d67075aac5f39
    • Opcode Fuzzy Hash: d7183492150423381beb15ce98cff8bf33a3ab4449eb335220340f756bfa2b83
    • Instruction Fuzzy Hash: 53F0BE33910009BBCF115E95EC02DDF7BADEF89374F100155FE14A21A0DA32CA20A7A0
    APIs
    • RtlAllocateHeap.NTDLL(00000000,00000003,00000000,?,00000003,00E350B2,?,00E2C5E9,?), ref: 00E31E93
    Similarity
    • API ID: AllocateHeap
    • String ID:
    • API String ID: 1279760036-0
    • Opcode ID: 14387ea3b22e81c2cd28e5cba73cab6c8e6e4b217539fc02b37792236c915597
    • Instruction ID: 45f57e92501fe2f7fb0c791d3ac98f90e9c896b16442206ce23f17c8b207a136
    • Opcode Fuzzy Hash: 14387ea3b22e81c2cd28e5cba73cab6c8e6e4b217539fc02b37792236c915597
    • Instruction Fuzzy Hash: 39E0653550032096E7312A679C0DBAB7E999FC27A4F152195EC08B61D0DB26DC40D5E5
    APIs
    • CreateFileW.KERNEL32(00000000,00000000,?,00E41D9F,?,?,00000000,?,00E41D9F,00000000,0000000C), ref: 00E419E1
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: a399da22b04d3b3fe3f0bc04c9f90f44374bcef9847decb117245298fb323d68
    • Instruction ID: a8d3ef89d56ee851f0a076338d90d4eb9972991b36963088c45c245f76d59ad5
    • Opcode Fuzzy Hash: a399da22b04d3b3fe3f0bc04c9f90f44374bcef9847decb117245298fb323d68
    • Instruction Fuzzy Hash: 34D06C3200020DBFDF128F85DD06EDA3BAAFB48714F014000BA1866020C736E822AB91
    APIs
      • Part of subcall function 00E24BB0: VariantInit.OLEAUT32(?), ref: 00E24BF7
      • Part of subcall function 00E24BB0: VariantClear.OLEAUT32(?), ref: 00E24C55
    • VariantCopy.OLEAUT32(?,00000000), ref: 00E1516F
    • VariantCopy.OLEAUT32(?,00000000), ref: 00E151B9
    • VariantCopy.OLEAUT32(?,00000000), ref: 00E15203
    • VariantCopy.OLEAUT32(?,00000000), ref: 00E1524D
    • VariantCopy.OLEAUT32(?,00000000), ref: 00E15297
    • VariantCopy.OLEAUT32(?,00000000), ref: 00E1532B
    • VariantCopy.OLEAUT32(?,00000000), ref: 00E15375
    • VariantCopy.OLEAUT32(?,00000000), ref: 00E153BF
    • VariantCopy.OLEAUT32(?,00000000), ref: 00E15409
    • VariantCopy.OLEAUT32(?,00000000), ref: 00E15453
    • VariantCopy.OLEAUT32(?,00000000), ref: 00E1549D
    • VariantCopy.OLEAUT32(?,00000000), ref: 00E152E1
      • Part of subcall function 00E25100: __CxxThrowException@8.LIBVCRUNTIME ref: 00E25112
    • _wcsrchr.LIBVCRUNTIME ref: 00E155A4
    • wsprintfW.USER32 ref: 00E1584F
      • Part of subcall function 00E15020: GetLocalTime.KERNEL32(?,75BF73E0,?,?,?,?,?,?,00E12EED,?), ref: 00E1503B
    • VariantClear.OLEAUT32(?), ref: 00E15873
    • VariantClear.OLEAUT32(?), ref: 00E1587C
    • VariantClear.OLEAUT32(?), ref: 00E15885
    • VariantClear.OLEAUT32(?), ref: 00E1588E
    • VariantClear.OLEAUT32(?), ref: 00E15897
    • VariantClear.OLEAUT32(?), ref: 00E158A0
    • VariantClear.OLEAUT32(?), ref: 00E158A9
    • VariantClear.OLEAUT32(?), ref: 00E158B2
    • VariantClear.OLEAUT32(?), ref: 00E158BB
    • VariantClear.OLEAUT32(?), ref: 00E158C4
    • VariantClear.OLEAUT32(?), ref: 00E158CD
    • VariantClear.OLEAUT32(?), ref: 00E158D6
    Strings
    Similarity
    • API ID: Variant$Clear$Copy$Exception@8InitLocalThrowTime_wcsrchrwsprintf
    • String ID: .exe$Brand$DevOpsKey$DevOpsURI$ExeName$MarketPatchKey$NextPatchProductVersion$OriginalProductCode$PreviousProductCode$Product Information:ProductCode: %sExeName: %sProductName: %sBrand: %sProductVer: %sNextPatch Ver: %sMarketPatchKey:$ProductCode$ProductName$ProductVersion$Tag
    • API String ID: 1114562085-1508803850
    • Opcode ID: f468423e5ba3c003d18d30009f09d75d652d76b96f9401db40d4ed377e08cfa9
    • Instruction ID: 176732581c0cb9a814ead6748bedde3c0ebffd36a1425847e0afa8311c1fa009
    • Opcode Fuzzy Hash: f468423e5ba3c003d18d30009f09d75d652d76b96f9401db40d4ed377e08cfa9
    • Instruction Fuzzy Hash: 64225FB1D01618AADB26DB64CC65BDAB7BCEF44304F0095D9E50EF3190EA71ABC98F50
    APIs
      • Part of subcall function 00E15020: GetLocalTime.KERNEL32(?,75BF73E0,?,?,?,?,?,?,00E12EED,?), ref: 00E1503B
    • wsprintfW.USER32 ref: 00E15F0A
    • wsprintfW.USER32 ref: 00E15F30
    • FindFirstFileW.KERNEL32(?,?,?,?,?), ref: 00E15F67
    • GetFileAttributesW.KERNEL32(?,?,?,?), ref: 00E15F94
    • SetFileAttributesW.KERNEL32(?,00000000,?,?,?), ref: 00E15FB2
    • SetFileAttributesW.KERNEL32(?,00000000,?,?,?), ref: 00E15FC4
    • CopyFileW.KERNEL32(?,?,00000000,?,?,?), ref: 00E15FD6
    • wsprintfW.USER32 ref: 00E15FF3
    • GetFileAttributesW.KERNEL32(?,?), ref: 00E16011
    • SetFileAttributesW.KERNEL32(?,00000000), ref: 00E16029
    • SetFileAttributesW.KERNEL32(?,00000000), ref: 00E1603B
    • GetLastError.KERNEL32(?,?,?), ref: 00E1603F
    • FormatMessageW.KERNEL32(00001300,00000000,00000000,00000400,?,00000000,00000000,?,?,?), ref: 00E1605D
    • FindClose.KERNEL32(?), ref: 00E1607D
    Strings
    • Ratatosk db path: '%s', xrefs: 00E15F04
    • Ratatosk db source path: '%s', xrefs: 00E15F2A
    • RatatoskConfiguration.sdf, xrefs: 00E15E95
    • CopyRatatoskDb..., xrefs: 00E15DEA
    • LegacyRatatoskConfiguration.sdf, xrefs: 00E15EAD
    • Ratatosk db copied to '%s', xrefs: 00E15FED
    Similarity
    • API ID: File$Attributes$wsprintf$Find$CloseCopyErrorFirstFormatLastLocalMessageTime
    • String ID: CopyRatatoskDb...$LegacyRatatoskConfiguration.sdf$Ratatosk db copied to '%s'$Ratatosk db path: '%s'$Ratatosk db source path: '%s'$RatatoskConfiguration.sdf
    APIs
    • wsprintfW.USER32 ref: 00E1A5CB
      • Part of subcall function 00E15020: GetLocalTime.KERNEL32(?,75BF73E0,?,?,?,?,?,?,00E12EED,?), ref: 00E1503B
    • FindFirstFileW.KERNEL32(?,?), ref: 00E1A762
    • FindClose.KERNEL32(00000000), ref: 00E1A792
    • wsprintfW.USER32 ref: 00E1A84F
    • Sleep.KERNEL32(000001F4,?,?,?,?,?,?,?,?,?), ref: 00E1A8B7
    • GetFileAttributesW.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00E1A8C4
    • SetFileAttributesW.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00E1A8E4
    • SetFileAttributesW.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00E1A8F6
    • CopyFileW.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?), ref: 00E1A908
    • wsprintfW.USER32 ref: 00E1A92C
    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?), ref: 00E1A967
    • FormatMessageW.KERNEL32(00001300,00000000,00000000,00000400,?,00000000,00000000,?,?,?,?,?,?,?,?,?), ref: 00E1A985
    Strings
    • szSrcFile: '%s' szTargetDir: '%s', xrefs: 00E1A849
    • *.mst, xrefs: 00E1A741
    • mst file not found under windows installer dir, xrefs: 00E1A993
    • Installer\, xrefs: 00E1A689
    • mst copied to '%s', xrefs: 00E1A926
    • CopyLatestMstForPatch with ProductCode '%s', xrefs: 00E1A5C5
    Similarity
    • API ID: File$Attributeswsprintf$Find$CloseCopyErrorFirstFormatLastLocalMessageSleepTime
    • String ID: *.mst$CopyLatestMstForPatch with ProductCode '%s'$Installer\$mst copied to '%s'$mst file not found under windows installer dir$szSrcFile: '%s' szTargetDir: '%s'
    APIs
    • CreateMutexW.KERNEL32(00000000,00000001,00000000,F9744ECF,?,?,00000001), ref: 00E1D1D8
    • GetLastError.KERNEL32(?,?,00000001), ref: 00E1D1DE
      • Part of subcall function 00E15020: GetLocalTime.KERNEL32(?,75BF73E0,?,?,?,?,?,?,00E12EED,?), ref: 00E1503B
    Strings
    • Waiting for process to finish Timed Out...., xrefs: 00E1D30D, 00E1D317
    • CreateMutex ERROR_ALREADY_EXISTS, xrefs: 00E1D1EB
    • Waiting for process success...., xrefs: 00E1D376
    • Waiting for process to finish closing...., xrefs: 00E1D266
    Similarity
    • API ID: CreateErrorLastLocalMutexTime
    • String ID: CreateMutex ERROR_ALREADY_EXISTS$Waiting for process success....$Waiting for process to finish Timed Out....$Waiting for process to finish closing....
    APIs
    • GetCurrentThread.KERNEL32 ref: 00E110AD
    • OpenThreadToken.ADVAPI32(00000000), ref: 00E110B4
    • GetCurrentProcess.KERNEL32(0000000A,00000000), ref: 00E110C7
    • OpenProcessToken.ADVAPI32(00000000), ref: 00E110CE
    • GetVersionExW.KERNEL32(?), ref: 00E110ED
    • GetTokenInformation.ADVAPI32(00000000,00000012(TokenIntegrityLevel),?,00000004,?), ref: 00E11122
    • GetTokenInformation.ADVAPI32(00000000,00000013(TokenIntegrityLevel),00000000,00000004,?), ref: 00E1114D
    • DuplicateToken.ADVAPI32(00000000,00000001,00000000), ref: 00E1116B
    • CreateWellKnownSid.ADVAPI32(0000001A,00000000,?,?), ref: 00E1118E
    • CheckTokenMembership.ADVAPI32(00000000,?,00000000), ref: 00E111A9
    • GetLastError.KERNEL32 ref: 00E111B3
    • CloseHandle.KERNEL32(00000000), ref: 00E111CA
    • CloseHandle.KERNEL32(00000000), ref: 00E111E1
    Similarity
    • API ID: Token$CloseCurrentHandleInformationOpenProcessThread$CheckCreateDuplicateErrorKnownLastMembershipVersionWell
    • String ID: D
    APIs
    • GetPrivateProfileStringW.KERNEL32(FeatureUpdate,Update,00E52748,?,00000400,?), ref: 00E1CB49
    • GetPrivateProfileStringW.KERNEL32(FeatureUpdate,Keep,00E52748,?,00000400,?), ref: 00E1CB67
    • GetPrivateProfileStringW.KERNEL32(FeatureUpdate,Remove,00E52748,?,00000400,?), ref: 00E1CB85
    • GetPrivateProfileStringW.KERNEL32(FeatureUpdate,Add,00E52748,?,00000400,?), ref: 00E1CBA8
    • GetPrivateProfileStringW.KERNEL32(FeatureUpdate,CmdLineOverride,00E52748,?,00000400,?), ref: 00E1CBCB
    Similarity
    • API ID: PrivateProfileString
    • String ID: Add$CmdLineOverride$FeatureUpdate$Keep$Remove$Setup.ini$Update
    APIs
    • GetCurrentProcess.KERNEL32(00000028,?), ref: 00E121B6
    • OpenProcessToken.ADVAPI32(00000000), ref: 00E121BD
    • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00E121E2
    • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00E12205
    • GetLastError.KERNEL32 ref: 00E1220B
    • ExitWindowsEx.USER32(00000006,80040002), ref: 00E1221C
    Similarity
    • API ID: ProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
    • String ID: SeShutdownPrivilege
    APIs
    • GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,00E3EC3A,?,00000000), ref: 00E3E9B4
    • GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,00E3EC3A,?,00000000), ref: 00E3E9DD
    • GetACP.KERNEL32(?,?,00E3EC3A,?,00000000), ref: 00E3E9F2
    Similarity
    • API ID: InfoLocale
    • String ID: ACP$OCP
    APIs
      • Part of subcall function 00E3502F: GetLastError.KERNEL32(?,?,00E2C109,?,00000000,?,00E2C5E9,?), ref: 00E35033
      • Part of subcall function 00E3502F: _free.LIBCMT ref: 00E35066
      • Part of subcall function 00E3502F: SetLastError.KERNEL32(00000000,?,00E2C5E9,?), ref: 00E350A7
      • Part of subcall function 00E3502F: _abort.LIBCMT ref: 00E350AD
      • Part of subcall function 00E3502F: _free.LIBCMT ref: 00E3508E
      • Part of subcall function 00E3502F: SetLastError.KERNEL32(00000000,?,00E2C5E9,?), ref: 00E3509B
    • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 00E3EBFB
    • IsValidCodePage.KERNEL32(00000000), ref: 00E3EC56
    • IsValidLocale.KERNEL32(?,00000001), ref: 00E3EC65
    • GetLocaleInfoW.KERNEL32(?,00001001,00E33B0B,00000040,?,00E33C2B,00000055,00000000,?,?,00000055,00000000), ref: 00E3ECAD
    • GetLocaleInfoW.KERNEL32(?,00001002,00E33B8B,00000040), ref: 00E3ECCC
    Similarity
    • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
    APIs
      • Part of subcall function 00E3502F: GetLastError.KERNEL32(?,?,00E2C109,?,00000000,?,00E2C5E9,?), ref: 00E35033
      • Part of subcall function 00E3502F: _free.LIBCMT ref: 00E35066
      • Part of subcall function 00E3502F: SetLastError.KERNEL32(00000000,?,00E2C5E9,?), ref: 00E350A7
      • Part of subcall function 00E3502F: _abort.LIBCMT ref: 00E350AD
    • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00E33B12,?,?,?,?,?,?,00000004), ref: 00E3E299
    • _wcschr.LIBVCRUNTIME ref: 00E3E329
    • _wcschr.LIBVCRUNTIME ref: 00E3E337
    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,00E33B12,00000000,00E33C32), ref: 00E3E3DA
    Similarity
    • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
    APIs
    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00E11529
    • Process32FirstW.KERNEL32(00000000,0000022C), ref: 00E11539
    • Process32NextW.KERNEL32(00000000,?), ref: 00E11640
    • CloseHandle.KERNEL32(00000000,00000000,-00000002,-00000002,00000000,-00000002), ref: 00E11650
    Similarity
    • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
    APIs
      • Part of subcall function 00E3502F: GetLastError.KERNEL32(?,?,00E2C109,?,00000000,?,00E2C5E9,?), ref: 00E35033
      • Part of subcall function 00E3502F: _free.LIBCMT ref: 00E35066
      • Part of subcall function 00E3502F: SetLastError.KERNEL32(00000000,?,00E2C5E9,?), ref: 00E350A7
      • Part of subcall function 00E3502F: _abort.LIBCMT ref: 00E350AD
      • Part of subcall function 00E3502F: _free.LIBCMT ref: 00E3508E
      • Part of subcall function 00E3502F: SetLastError.KERNEL32(00000000,?,00E2C5E9,?), ref: 00E3509B
    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00E3E5F6
    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00E3E647
    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00E3E707
    Similarity
    • API ID: ErrorInfoLastLocale$_free$_abort
    APIs
    • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00E2BF99
    • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00E2BFA3
    • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 00E2BFB0
    Similarity
    • API ID: ExceptionFilterUnhandled$DebuggerPresent
    APIs
    • LoadResource.KERNEL32(00000000,00000000,00000001,?,?,00E23038,00000000,?,00E1DC79,?,00E13851,00E58D1C,?,?,?,User cancelled operation.), ref: 00E2307B
    • LockResource.KERNEL32(00000000,00000000,?,00E23038,00000000,?,00E1DC79,?,00E13851,00E58D1C,?,?,?,User cancelled operation.), ref: 00E2308B
    • SizeofResource.KERNEL32(00000000,00000000,?,00E23038,00000000,?,00E1DC79,?,00E13851,00E58D1C,?,?,?,User cancelled operation.), ref: 00E23099
    Similarity
    • API ID: Resource$LoadLockSizeof
    APIs
    • IsProcessorFeaturePresent.KERNEL32(0000000A,?), ref: 00E27900
    Similarity
    • API ID: FeaturePresentProcessor
    APIs
    • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,?,?,00000004), ref: 00E3811A
    Similarity
    • API ID: InfoLocale
    • String ID: GetLocaleInfoEx
    APIs
    • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00E3884A,?,?,00000008,?,?,00E42786,00000000), ref: 00E38A7C
    Similarity
    • API ID: ExceptionRaise
    APIs
      • Part of subcall function 00E3502F: GetLastError.KERNEL32(?,?,00E2C109,?,00000000,?,00E2C5E9,?), ref: 00E35033
      • Part of subcall function 00E3502F: _free.LIBCMT ref: 00E35066
      • Part of subcall function 00E3502F: SetLastError.KERNEL32(00000000,?,00E2C5E9,?), ref: 00E350A7
      • Part of subcall function 00E3502F: _abort.LIBCMT ref: 00E350AD
      • Part of subcall function 00E3502F: _free.LIBCMT ref: 00E3508E
      • Part of subcall function 00E3502F: SetLastError.KERNEL32(00000000,?,00E2C5E9,?), ref: 00E3509B
    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00E3E846
    Similarity
    • API ID: ErrorLast$_free$InfoLocale_abort
    • String ID:
    • API String ID: 1663032902-0
    • Opcode ID: 16966edb83950bf1dcdcccb33dce2584d46ee98e1bbd9d7edc781a0b4a7cb79c
    • Instruction ID: d66022fde65b202ba373b32d71efa9b87113083043de7f901f5fa6ad2c2d150d
    • Opcode Fuzzy Hash: 16966edb83950bf1dcdcccb33dce2584d46ee98e1bbd9d7edc781a0b4a7cb79c
    • Instruction Fuzzy Hash: 8421C572900216ABDB289F24DC4ABBA7BE8EF04318F14117AF901F62C1EB359D44DB50
    APIs
      • Part of subcall function 00E3502F: GetLastError.KERNEL32(?,?,00E2C109,?,00000000,?,00E2C5E9,?), ref: 00E35033
      • Part of subcall function 00E3502F: _free.LIBCMT ref: 00E35066
      • Part of subcall function 00E3502F: SetLastError.KERNEL32(00000000,?,00E2C5E9,?), ref: 00E350A7
      • Part of subcall function 00E3502F: _abort.LIBCMT ref: 00E350AD
    • EnumSystemLocalesW.KERNEL32(00E3E5A2,00000001,00000000,?,00E33B0B,?,00E3EBCF,00000000,?,?,?), ref: 00E3E4EC
    Similarity
    • API ID: ErrorLast$EnumLocalesSystem_abort_free
    • String ID:
    • API String ID: 1084509184-0
    • Opcode ID: ab22375054e4844288d0960d5653eb4779407994ad949381b033e0e3216f11c1
    • Instruction ID: 6b0c7449d6aa5f40090ad7812f8e98521ff73491627cdf82413d9d0f5f2c020d
    • Opcode Fuzzy Hash: ab22375054e4844288d0960d5653eb4779407994ad949381b033e0e3216f11c1
    • Instruction Fuzzy Hash: CD11C63B2007055FDB289F39D89557ABB92FB8435CF14482CE58697780E771B942CB40
    APIs
      • Part of subcall function 00E3502F: GetLastError.KERNEL32(?,?,00E2C109,?,00000000,?,00E2C5E9,?), ref: 00E35033
      • Part of subcall function 00E3502F: _free.LIBCMT ref: 00E35066
      • Part of subcall function 00E3502F: SetLastError.KERNEL32(00000000,?,00E2C5E9,?), ref: 00E350A7
      • Part of subcall function 00E3502F: _abort.LIBCMT ref: 00E350AD
    • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00E3E7C0,00000000,00000000,?), ref: 00E3EA4E
    Similarity
    • API ID: ErrorLast$InfoLocale_abort_free
    • String ID:
    • API String ID: 2692324296-0
    • Opcode ID: 41c40e9151b9a4dfb6378c427857d6f02bcad0d42ae55d7395dde0b6aa09ef9f
    • Instruction ID: d216142fcddc64916e14a3ab33eed128b7315ce7efdef43379fd8cb3834fdf7a
    • Opcode Fuzzy Hash: 41c40e9151b9a4dfb6378c427857d6f02bcad0d42ae55d7395dde0b6aa09ef9f
    • Instruction Fuzzy Hash: 15F0F932A00115BBDB389A65880DABA7FA8FB40358F151429EC19B33C0EA71BE41C6D0
    APIs
      • Part of subcall function 00E3502F: GetLastError.KERNEL32(?,?,00E2C109,?,00000000,?,00E2C5E9,?), ref: 00E35033
      • Part of subcall function 00E3502F: _free.LIBCMT ref: 00E35066
      • Part of subcall function 00E3502F: SetLastError.KERNEL32(00000000,?,00E2C5E9,?), ref: 00E350A7
      • Part of subcall function 00E3502F: _abort.LIBCMT ref: 00E350AD
    • EnumSystemLocalesW.KERNEL32(00E3E7F2,00000001,00000000,?,00E33B0B,?,00E3EB93,00E33B0B,?,?,?,?,?,00E33B0B,?,?), ref: 00E3E561
    Similarity
    • API ID: ErrorLast$EnumLocalesSystem_abort_free
    • String ID:
    • API String ID: 1084509184-0
    • Opcode ID: 1aaab99cbb0cc55e7670cc5961eae5fe46f396443147578ed8626cf4a358202c
    • Instruction ID: 78a4e0c69125219995ceb65fd8d5ca286d24a8d3877cad9561994df52c956a10
    • Opcode Fuzzy Hash: 1aaab99cbb0cc55e7670cc5961eae5fe46f396443147578ed8626cf4a358202c
    • Instruction Fuzzy Hash: 86F0C2362003046FDB245F799C89A7A7F95FF8136CF05442DF946AB790E6B2AC42C650
    APIs
      • Part of subcall function 00E31C64: EnterCriticalSection.KERNEL32(?,?,00E3468E,00000000,00E5B818,0000000C,00E34649,?,?,?,00E31D08,?,?,00E350E4,00000001,00000364), ref: 00E31C73
    • EnumSystemLocalesW.KERNEL32(00E37C8E,00000001,00E5B9B8,0000000C), ref: 00E37D0C
    Similarity
    • API ID: CriticalEnterEnumLocalesSectionSystem
    • String ID:
    • API String ID: 1272433827-0
    • Opcode ID: fb0438e6d3aa4e0a88d94f2c328e0308dd9400d91bc17f237d8a96495e1a83ec
    • Instruction ID: 72271e2b88778b5957514ac87d33cda236447bcba7bb43e6c981af40fd10b421
    • Opcode Fuzzy Hash: fb0438e6d3aa4e0a88d94f2c328e0308dd9400d91bc17f237d8a96495e1a83ec
    • Instruction Fuzzy Hash: 8AF08C76A14300AFD718EF78E84AB9D7BF0AB08321F115555F400FB2E1CA744A45CB01
    APIs
      • Part of subcall function 00E3502F: GetLastError.KERNEL32(?,?,00E2C109,?,00000000,?,00E2C5E9,?), ref: 00E35033
      • Part of subcall function 00E3502F: _free.LIBCMT ref: 00E35066
      • Part of subcall function 00E3502F: SetLastError.KERNEL32(00000000,?,00E2C5E9,?), ref: 00E350A7
      • Part of subcall function 00E3502F: _abort.LIBCMT ref: 00E350AD
    • EnumSystemLocalesW.KERNEL32(00E3E386,00000001,00000000,?,?,00E3EBF1,00E33B0B,?,?,?,?,?,00E33B0B,?,?,?), ref: 00E3E466
    Similarity
    • API ID: ErrorLast$EnumLocalesSystem_abort_free
    • String ID:
    • API String ID: 1084509184-0
    • Opcode ID: 3f78845cfcde25a68adcfcda412499b8881be4df07206dd94e42909f43c65cc3
    • Instruction ID: 2d86715fca8f28869663e8d47846ea3a51248c50ccc5d772ff474f8b5b91cfc1
    • Opcode Fuzzy Hash: 3f78845cfcde25a68adcfcda412499b8881be4df07206dd94e42909f43c65cc3
    • Instruction Fuzzy Hash: A7F0553A30030857CB14AF35D80966ABF91EFC2754F0A4058EA099B391C6329842CB90
    APIs
    • SetUnhandledExceptionFilter.KERNEL32(Function_00017574,00E26AC3), ref: 00E2756D
    Similarity
    • API ID: ExceptionFilterUnhandled
    • String ID:
    • API String ID: 3192549508-0
    • Opcode ID: 569593014f591fe3f1be368196dca169cf870886c665efd75272e6e5c12a75c0
    • Instruction ID: fe0136eddfd10dd110a73bd6c5bb0baf65049e8219a139c8a19455d1702a04a7
    • Opcode Fuzzy Hash: 569593014f591fe3f1be368196dca169cf870886c665efd75272e6e5c12a75c0
    • Instruction Fuzzy Hash:
    Strings
    Similarity
    • API ID:
    • String ID: 0
    • API String ID: 0-4108050209
    • Opcode ID: 4ba2a8a7f36c7eb8bea6061b4ddfb4ddc7e8adf73049128e6dbb7d3d5ac20edd
    • Instruction ID: b9083b80d15e4cfa832c3c3b5900379972cfecdfff93885a227016554adf39b9
    • Opcode Fuzzy Hash: 4ba2a8a7f36c7eb8bea6061b4ddfb4ddc7e8adf73049128e6dbb7d3d5ac20edd
    • Instruction Fuzzy Hash: ED5188E120C67447DF398A68BC66FFE23D99B52308F183909E782FB282C911DE418352
    APIs
    Similarity
    • API ID: HeapProcess
    • String ID:
    • API String ID: 54951025-0
    • Opcode ID: 2a2bb223f6eac89c1ddde86a1f270f66f6e8dd185ad5785ae049597729783b4e
    • Instruction ID: d16cccf0191f1279f735929d05efa8f08bd4bb247101cc55db74accb5cd38979
    • Opcode Fuzzy Hash: 2a2bb223f6eac89c1ddde86a1f270f66f6e8dd185ad5785ae049597729783b4e
    • Instruction Fuzzy Hash: 8DA01130A00300CF8B288F32AE082083AA8AB0A282B000828A808E0220EB3080088B02
    APIs
    • RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE\ReSound\Aventa3,00000000,00020019,?), ref: 00E17ED8
    • RegQueryValueExW.ADVAPI32(?,MarketPatchKey,00000000,?,?,?), ref: 00E17F2D
    • wsprintfW.USER32 ref: 00E1800C
    • wsprintfW.USER32 ref: 00E17F4E
      • Part of subcall function 00E15020: GetLocalTime.KERNEL32(?,75BF73E0,?,?,?,?,?,?,00E12EED,?), ref: 00E1503B
    • wsprintfW.USER32 ref: 00E18020
    • wsprintfW.USER32 ref: 00E18039
    • RegCloseKey.ADVAPI32(?,?), ref: 00E18052
    • wsprintfW.USER32 ref: 00E181C1
    • wsprintfW.USER32 ref: 00E1827D
    • RegSetValueExW.ADVAPI32(?,MarketPatchKey,00000000,00000001,00E58D1C,00000002), ref: 00E18323
    • RegCloseKey.ADVAPI32(?,Failed to reset MarketPatchKey registry value), ref: 00E18345
    • PathFileExistsW.SHLWAPI(?), ref: 00E18364
    • wsprintfW.USER32 ref: 00E18381
    • wsprintfW.USER32 ref: 00E18395
    • CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000001,00000080,00000000,?,?,?,Failed to reset MarketPatchKey registry value), ref: 00E183C1
    • GetLastError.KERNEL32(?,?,Failed to reset MarketPatchKey registry value), ref: 00E183CC
    • FormatMessageW.KERNEL32(00001300,00000000,00000000,00000400,?,00000000,00000000,?,?,Failed to reset MarketPatchKey registry value), ref: 00E183EA
    • CloseHandle.KERNEL32(00000000,?,?,Failed to reset MarketPatchKey registry value), ref: 00E183F9
    • PathFileExistsW.SHLWAPI(?,Legacy File created successfully,?,?,Failed to reset MarketPatchKey registry value), ref: 00E18430
    • wsprintfW.USER32 ref: 00E1844D
    • wsprintfW.USER32 ref: 00E18461
    • CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000001,00000080,00000000,?), ref: 00E1848D
    • GetLastError.KERNEL32 ref: 00E18498
    • FormatMessageW.KERNEL32(00001300,00000000,00000000,00000400,?,00000000,00000000), ref: 00E184B6
    • CloseHandle.KERNEL32(00000000), ref: 00E184C5
    • RegCloseKey.ADVAPI32(?,Legacy File created successfully,?,?,Failed to reset MarketPatchKey registry value), ref: 00E184DC
    Strings
    Similarity
    • API ID: wsprintf$Close$File$CreateErrorExistsFormatHandleLastMessagePathValue$LocalOpenQueryTime
    • String ID: .Aventa$.SmartFit$Brand registry key not found or could not open: 'HKLM\%s'. dwRes=%lu$Creating szMarketSmartTagFilename: %s$Creating szMarketTagFilename: %s$Failed to reset MarketPatchKey registry value$File created successfully$Legacy File created successfully$MarketPatchKey$MarketPatchKey registry value reset successfully$MarketPatchKeyRegValue found: %s$MarketPatchKeyRegValue not found. dwRes=%lu$ReSound\Aventa\$ReSound\SmartFit\$SOFTWARE\ReSound\Aventa3$szMarketSmartTagFilename already there: %s$szMarketSmartTagFilename: %s$szMarketTagFilename already there: %s$szMarketTagFilename: %s
    • API String ID: 2277721569-2322944706
    • Opcode ID: 50473b3c5c3404e4a15356c42dc1c94a3041623d277665c5dec00b9944c3ac85
    • Instruction ID: 355eb921dd678d985399b3a8c887e29ab3f0bc39026e6fea91757f0421b1365c
    • Opcode Fuzzy Hash: 50473b3c5c3404e4a15356c42dc1c94a3041623d277665c5dec00b9944c3ac85
    • Instruction Fuzzy Hash: D202F9B5A41318ABDB20DB60CD46FDA73BCAF05704F049595F909F61C0DB74AA89CFA1
    APIs
    • wsprintfW.USER32 ref: 00E19DBD
      • Part of subcall function 00E15020: GetLocalTime.KERNEL32(?,75BF73E0,?,?,?,?,?,?,00E12EED,?), ref: 00E1503B
    • wsprintfW.USER32 ref: 00E19FAD
    • wsprintfW.USER32 ref: 00E1A098
    • PathFileExistsW.SHLWAPI(?,?,?,?,?,?,?,?,?,?), ref: 00E1A104
    • DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00E1A115
    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?), ref: 00E1A11F
    • FormatMessageW.KERNEL32(00001300,00000000,00000000,00000400,?,00000000,00000000,?,?,?,?,?,?,?,?,?), ref: 00E1A13D
    • MessageBoxW.USER32(00000000,Invalid key for Legacy De-Activation. Look at the log file (%TEMP%PatchInstaller.log) for more details.,De-Activation,00000010), ref: 00E1A1B0
    • PathFileExistsW.SHLWAPI(?), ref: 00E1A1DC
    • DeleteFileW.KERNEL32(?), ref: 00E1A1F1
    • GetLastError.KERNEL32 ref: 00E1A1FB
    • FormatMessageW.KERNEL32(00001300,00000000,00000000,00000400,?,00000000,00000000), ref: 00E1A219
    • MessageBoxW.USER32(00000000,De-Activation completed successfully.,De-Activation,00000040), ref: 00E1A24F
    • MessageBoxW.USER32(00000000,De-Activation did not complete successfully. Look at the log file (%TEMP%PatchInstaller.log) for more details.,De-Activation,00000040), ref: 00E1A260
    Strings
    • De-Activation did not complete successfully. Look at the log file (%TEMP%PatchInstaller.log) for more details., xrefs: 00E1A259
    • szMarketSmartTagFilename: %s, xrefs: 00E1A092
    • Error: invalid Key for Legacy De-Activation., xrefs: 00E1A18D
    • Legacy De-Activation completed successfully., xrefs: 00E1A153, 00E1A173
    • DeActivation invoked with switch '%s', xrefs: 00E19DB7
    • Legacy De-Activation did not complete successfully. Look at the log file (%TEMP%PatchInstaller.log) for more details., xrefs: 00E1A17A
    • ReSound\SmartFit\, xrefs: 00E1A01B
    • De-Activation, xrefs: 00E1A16A, 00E1A1A4, 00E1A240, 00E1A285
    • szMarketTagFilename: %s, xrefs: 00E19FA7
    • Invalid key for De-Activation. Look at the log file (%TEMP%PatchInstaller.log) for more details., xrefs: 00E1A28A
    • .Aventa, xrefs: 00E19F87
    • De-Activation completed successfully., xrefs: 00E1A229, 00E1A249
    • Error: invalid Key for De-Activation., xrefs: 00E1A26E
    • .SmartFit, xrefs: 00E1A072
    • Invalid key for Legacy De-Activation. Look at the log file (%TEMP%PatchInstaller.log) for more details., xrefs: 00E1A1A9
    • ReSound\Aventa\, xrefs: 00E19F29
    Similarity
    • API ID: Message$File$wsprintf$DeleteErrorExistsFormatLastPath$LocalTime
    • String ID: .Aventa$.SmartFit$De-Activation$De-Activation completed successfully.$De-Activation did not complete successfully. Look at the log file (%TEMP%PatchInstaller.log) for more details.$DeActivation invoked with switch '%s'$Error: invalid Key for De-Activation.$Error: invalid Key for Legacy De-Activation.$Invalid key for De-Activation. Look at the log file (%TEMP%PatchInstaller.log) for more details.$Invalid key for Legacy De-Activation. Look at the log file (%TEMP%PatchInstaller.log) for more details.$Legacy De-Activation completed successfully.$Legacy De-Activation did not complete successfully. Look at the log file (%TEMP%PatchInstaller.log) for more details.$ReSound\Aventa\$ReSound\SmartFit\$szMarketSmartTagFilename: %s$szMarketTagFilename: %s
    • API String ID: 3902050073-1805068752
    • Opcode ID: 0451bc55ab0bf17732968568aaec7a45adcb6deab7a924c0f549de288916da68
    • Instruction ID: 52fa67788982d052f97e2cd6e2c9e71c64bf7f661fa2770ab2e5d074f7afb9f9
    • Opcode Fuzzy Hash: 0451bc55ab0bf17732968568aaec7a45adcb6deab7a924c0f549de288916da68
    • Instruction Fuzzy Hash: 2BD118B1B41318ABDB20DB64CC46FE9B3B8AF05704F0455A4F906B75D1EBB06E89CB91
    Strings
    • Noah4 found, xrefs: 00E1AE42
    • VCRedist Installation: A restart is required to complete the installation. This message indicates success (3010)., xrefs: 00E1B03D
    • VA build running, skip pre-requisites check as we don't include prereq folder with VA and InstallShield will install if needed., xrefs: 00E1AEDA
    • .NET8 Installation: A restart is required to complete the installation. This message indicates success (1641)., xrefs: 00E1B0E5
    • .NET 8 x86 desktop registry value found. Skipping installation., xrefs: 00E1AF90
    • VCRedist Installation: A restart is required to complete the installation. This message indicates success (1641)., xrefs: 00E1B044
    • .NET8 Installation: A restart is required to complete the installation. This message indicates success (3010)., xrefs: 00E1B12E
    • VCRedist Installation: Installer executable file not found (2)., xrefs: 00E1AFCC
    • .NET8 Installation completed successfully., xrefs: 00E1B0C8
    • Microsoft Visual C++ 2015-2019 runtime installation seem to have installed successfully., xrefs: 00E1AFDF, 00E1B033, 00E1B057
    • VCRedist Installation completed successfully., xrefs: 00E1AFD3
    • .NET8 Installation: Installer executable file not found (2)., xrefs: 00E1B0C1
    • .NET8 Installation: The user's computer does not meet system requirements (5100)., xrefs: 00E1B127
    • Microsoft Visual C++ 2015-2019 runtime v14.22 or higher not detected., xrefs: 00E1AEFC
    • VCRedist Installation: The user canceled installation (1602)., xrefs: 00E1AF69
    • .NET8 Installation: The user canceled installation (1602)., xrefs: 00E1B0CF
    • .NET8 Installation: Unknown Error (%d), xrefs: 00E1B108
    • Noah3 found, xrefs: 00E1AE52
    • VCRedist Installation: A fatal error occurred during installation (1603)., xrefs: 00E1AFE6
    • VCRedist Installation: Unknown Error (%d), xrefs: 00E1B00C
    • Microsoft Visual C++ 2015-2019 runtime installation seem to have failed. Reinstall Microsoft Visual C++ 2015-2019 x86 runtime if n, xrefs: 00E1AF75
    • Noah not found, xrefs: 00E1AE69
    • .NET8 Installation: A fatal error occurred during installation (1603)., xrefs: 00E1B0DE
    • .NET8 Installation: Internal state failure (5101)., xrefs: 00E1B120
    • VCRedist Installation: A newer versions is already installed (5100)., xrefs: 00E1B027
    • .NET 8 x86 was not detected., xrefs: 00E1B061
    Memory Dump Source
    • Source File: 00000000.00000002.1779433342.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
    • Associated: 00000000.00000002.1779418342.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1779458961.0000000000E46000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1779477317.0000000000E5D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1779491698.0000000000E5F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1779505912.0000000000E61000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e10000_Setup.jbxd
    Similarity
    • API ID: ConditionMask$HandleInfoLoadModuleStringVerifyVersion
    • String ID: .NET 8 x86 desktop registry value found. Skipping installation.$.NET 8 x86 was not detected.$.NET8 Installation completed successfully.$.NET8 Installation: A fatal error occurred during installation (1603).$.NET8 Installation: A restart is required to complete the installation. This message indicates success (1641).$.NET8 Installation: A restart is required to complete the installation. This message indicates success (3010).$.NET8 Installation: Installer executable file not found (2).$.NET8 Installation: Internal state failure (5101).$.NET8 Installation: The user canceled installation (1602).$.NET8 Installation: The user's computer does not meet system requirements (5100).$.NET8 Installation: Unknown Error (%d)$Microsoft Visual C++ 2015-2019 runtime installation seem to have failed. Reinstall Microsoft Visual C++ 2015-2019 x86 runtime if n$Microsoft Visual C++ 2015-2019 runtime installation seem to have installed successfully.$Microsoft Visual C++ 2015-2019 runtime v14.22 or higher not detected.$Noah not found$Noah3 found$Noah4 found$VA build running, skip pre-requisites check as we don't include prereq folder with VA and InstallShield will install if needed.$VCRedist Installation completed successfully.$VCRedist Installation: A fatal error occurred during installation (1603).$VCRedist Installation: A newer versions is already installed (5100).$VCRedist Installation: A restart is required to complete the installation. This message indicates success (1641).$VCRedist Installation: A restart is required to complete the installation. This message indicates success (3010).$VCRedist Installation: Installer executable file not found (2).$VCRedist Installation: The user canceled installation (1602).$VCRedist Installation: Unknown Error (%d)
    • API String ID: 2744954590-3324553952
    • Opcode ID: 4ccf8405be25694edd1f64719225dbd7dd157c936b4cbfd22e2be633aa021d93
    • Instruction ID: 410f1af30f9b1b3252e7fe18d9db7f6cf84df596c32deb8cbfac15ef50d60d5f
    • Opcode Fuzzy Hash: 4ccf8405be25694edd1f64719225dbd7dd157c936b4cbfd22e2be633aa021d93
    • Instruction Fuzzy Hash: F981AB7174A300A6DB30A7349C16BFE7296AF48718F083969F856772C2DBA559C9C383
    APIs
      • Part of subcall function 00E15020: GetLocalTime.KERNEL32(?,75BF73E0,?,?,?,?,?,?,00E12EED,?), ref: 00E1503B
      • Part of subcall function 00E139A0: #70.MSI(?,VersionMajor,?), ref: 00E13A9B
      • Part of subcall function 00E139A0: #70.MSI(?,VersionMinor,?,?), ref: 00E13ABB
      • Part of subcall function 00E139A0: #70.MSI(?,Version,?,?), ref: 00E13ADB
      • Part of subcall function 00E139A0: #70.MSI(?,VersionString,?,?), ref: 00E13AFB
      • Part of subcall function 00E1A560: wsprintfW.USER32 ref: 00E1A5CB
      • Part of subcall function 00E12390: GetProcessHeap.KERNEL32(?), ref: 00E123BC
      • Part of subcall function 00E12390: __Init_thread_footer.LIBCMT ref: 00E123E7
      • Part of subcall function 00E12390: __Init_thread_footer.LIBCMT ref: 00E12465
    • wsprintfW.USER32 ref: 00E14AF2
      • Part of subcall function 00E25100: __CxxThrowException@8.LIBVCRUNTIME ref: 00E25112
    • wsprintfW.USER32 ref: 00E14B23
      • Part of subcall function 00E11FB0: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000001,00000020,00000000,00000000,00000044,?), ref: 00E12067
      • Part of subcall function 00E11FB0: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,00001CFF), ref: 00E1208A
      • Part of subcall function 00E11FB0: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00E120A7
      • Part of subcall function 00E11FB0: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,00001CFF), ref: 00E120CA
      • Part of subcall function 00E11FB0: GetExitCodeProcess.KERNEL32(?,00000000), ref: 00E120D7
      • Part of subcall function 00E11FB0: CloseHandle.KERNEL32(?,?,00000000,00000000,00000001,00000020,00000000,00000000,00000044,?), ref: 00E120F7
      • Part of subcall function 00E11FB0: CloseHandle.KERNEL32(?,?,00000000,00000000,00000001,00000020,00000000,00000000,00000044,?), ref: 00E120FC
    • wsprintfW.USER32 ref: 00E14BAF
    • wsprintfW.USER32 ref: 00E14D23
    • MessageBoxW.USER32(00000000,?,?,00000030), ref: 00E14DFA
    Strings
    • COUNTRY, xrefs: 00E14AC9, 00E14AFA
    • Legacy Ratatosk db may have not been copied properly., xrefs: 00E14C72
    • szCopyFileStatus: %s, xrefs: 00E14D1D
    • _fswRemoveF.log, xrefs: 00E14A8F
    • %s /update "%s" %s="%s" %s="%s" /l*v "%s" , xrefs: 00E14B1D
    • MsiExec.Exe, xrefs: 00E14AE1, 00E14B12
    • MSIExec Launch call succeeded., xrefs: 00E14B75
    • MEDIATYPE, xrefs: 00E14AC3
    • PATCHSOURCE, xrefs: 00E14AD5, 00E14B06
    • %s /update "%s" %s="%s" %s="%s" %s="%s" /l*v "%s" , xrefs: 00E14AEC
    • MSIExec Invoke ExitCode: %lu, xrefs: 00E14BA9
    • Ratatosk db may have not been copied properly., xrefs: 00E14C91
    • Common Patch files may have not been copied properly., xrefs: 00E14CAE
    • Some Market files may have not been copied properly., xrefs: 00E14C53
    • Missing Patch files may have not been copied properly., xrefs: 00E14CCB
    • Do Patch Install..., xrefs: 00E1494A
    • /qn, xrefs: 00E14B31
    • MSIExec Launch call failed., xrefs: 00E14B7C
    • WEB, xrefs: 00E14ABE
    Similarity
    • API ID: wsprintf$Process$CloseHandleInit_thread_footerMessageMultipleObjectsWait$CodeCreateException@8ExitHeapLocalPeekThrowTime
    • String ID: %s /update "%s" %s="%s" %s="%s" %s="%s" /l*v "%s" $%s /update "%s" %s="%s" %s="%s" /l*v "%s" $/qn$COUNTRY$Common Patch files may have not been copied properly.$Do Patch Install...$Legacy Ratatosk db may have not been copied properly.$MEDIATYPE$MSIExec Invoke ExitCode: %lu$MSIExec Launch call failed.$MSIExec Launch call succeeded.$Missing Patch files may have not been copied properly.$MsiExec.Exe$PATCHSOURCE$Ratatosk db may have not been copied properly.$Some Market files may have not been copied properly.$WEB$_fswRemoveF.log$szCopyFileStatus: %s
    • API String ID: 1119058580-2985922655
    • Opcode ID: 119a4c5de1a11e02955e3c88c2ae9ffb572e7cd2a226b15a318e2756a1a84e35
    • Instruction ID: 034c4e0faf3d8299d5d29f97e65affa4d1ed3d008793a89ba55518c6f9170523
    • Opcode Fuzzy Hash: 119a4c5de1a11e02955e3c88c2ae9ffb572e7cd2a226b15a318e2756a1a84e35
    • Instruction Fuzzy Hash: 90F192B1900318ABDB21DB24CC55BD9B7ECAF04314F0495E9F919B72D2DA709F898F90
    APIs
      • Part of subcall function 00E15020: GetLocalTime.KERNEL32(?,75BF73E0,?,?,?,?,?,?,00E12EED,?), ref: 00E1503B
      • Part of subcall function 00E24E90: SysFreeString.OLEAUT32(00000000), ref: 00E24EE6
    • SysAllocString.OLEAUT32(name), ref: 00E17244
    • VariantCopy.OLEAUT32(?,00000000), ref: 00E17273
    • SysFreeString.OLEAUT32(00000000), ref: 00E17286
    • SysAllocString.OLEAUT32(destpath), ref: 00E1728D
    • VariantCopy.OLEAUT32(?,00000000), ref: 00E172BC
    • SysFreeString.OLEAUT32(00000000), ref: 00E172CF
    • SysAllocString.OLEAUT32(dest), ref: 00E172D6
    • VariantCopy.OLEAUT32(?,00000000), ref: 00E17308
    • SysFreeString.OLEAUT32(00000000), ref: 00E1731B
    • VariantClear.OLEAUT32(?), ref: 00E17359
    • VariantClear.OLEAUT32(?), ref: 00E1735F
    • VariantClear.OLEAUT32(00000000), ref: 00E17365
    Strings
    Similarity
    • API ID: String$Variant$Free$AllocClearCopy$LocalTime
    • String ID: CopyMissingPatchFiles....$File candidate(s) to Copy found...$Getting file(s) to Copy...$No files specified to copy...$PatchMissingFiles/PatchMissingFile$dest$destpath$name
    • API String ID: 784096192-4131843049
    • Opcode ID: 975538eabc48245a9422e24f9a26321a59dde911f7bfeb3f11e4dd54a20a9373
    • Instruction ID: 2c0854be6c8c42bfb83d5922978f865e86a78ed447cc0bfbfe595dd426d45956
    • Opcode Fuzzy Hash: 975538eabc48245a9422e24f9a26321a59dde911f7bfeb3f11e4dd54a20a9373
    • Instruction Fuzzy Hash: F991CF70A05359EFDF14DBA4C884BEEBBB8EF09708F141059E802B7291DB709985CBA1
    APIs
      • Part of subcall function 00E15020: GetLocalTime.KERNEL32(?,75BF73E0,?,?,?,?,?,?,00E12EED,?), ref: 00E1503B
      • Part of subcall function 00E24E90: SysFreeString.OLEAUT32(00000000), ref: 00E24EE6
    • SysAllocString.OLEAUT32(name), ref: 00E16F44
    • VariantCopy.OLEAUT32(?,00000000), ref: 00E16F73
    • SysFreeString.OLEAUT32(00000000), ref: 00E16F86
    • SysAllocString.OLEAUT32(destpath), ref: 00E16F8D
    • VariantCopy.OLEAUT32(?,00000000), ref: 00E16FBC
    • SysFreeString.OLEAUT32(00000000), ref: 00E16FCF
    • SysAllocString.OLEAUT32(dest), ref: 00E16FD6
    • VariantCopy.OLEAUT32(?,00000000), ref: 00E17008
    • SysFreeString.OLEAUT32(00000000), ref: 00E1701B
    • VariantClear.OLEAUT32(?), ref: 00E17059
    • VariantClear.OLEAUT32(?), ref: 00E1705F
    • VariantClear.OLEAUT32(00000000), ref: 00E17065
    Strings
    Similarity
    • API ID: String$Variant$Free$AllocClearCopy$LocalTime
    • String ID: CopyCommonPatchFiles....$File(s) to Copy found$Files/File$Getting file(s) to Copy...$No files specified to copy...$dest$destpath$name
    • API String ID: 784096192-2524250316
    • Opcode ID: 9aacf7d9eba422f6d8c1f5dd6cb1d2ec2a54bff7aa9217f19316f747a539d93c
    • Instruction ID: 2f4f87f08e1d9b178d05334f443176d971855aef34923330ed201b389dcc0974
    • Opcode Fuzzy Hash: 9aacf7d9eba422f6d8c1f5dd6cb1d2ec2a54bff7aa9217f19316f747a539d93c
    • Instruction Fuzzy Hash: 0A91CD70A05349EFDF14DBA4C854BEEBBB8EF09708F145059E802B7291DB709E85CBA1
    APIs
      • Part of subcall function 00E15020: GetLocalTime.KERNEL32(?,75BF73E0,?,?,?,?,?,?,00E12EED,?), ref: 00E1503B
    • wsprintfW.USER32 ref: 00E14560
    • GetLastError.KERNEL32 ref: 00E1458A
    • FormatMessageW.KERNEL32(000013FF,00000000,?,00000400,?,00000000,00000000), ref: 00E145AA
    Strings
    Similarity
    • API ID: ErrorFormatLastLocalMessageTimewsprintf
    • String ID: %lu$%s /P /K "%s" /U "%s" /B "%s" /E "%s" /T "%s" /I "%s" /M "%s" /V "%s" $Analytics$GNWeb Launch ExitCode: %lu$GNWeb Launch call failed.$GNWeb Launch call succeeded.$GNWeb.exe$Invoking GNWeb...$_gnWeb.log
    • API String ID: 4153586964-4153175164
    • Opcode ID: 94981b540f6c99405daeaa3365db8d2d9d25df19a833b5071fd9ecca604ee0ab
    • Instruction ID: b5a6474e27849f0a4744fa52a87969c18e086b34c3d29456e3ec319218cda8d7
    • Opcode Fuzzy Hash: 94981b540f6c99405daeaa3365db8d2d9d25df19a833b5071fd9ecca604ee0ab
    • Instruction Fuzzy Hash: AAB196B1940218AADB20DB60DC46FDAB7FDAF04704F0095A5F609B72C1D771AB99CFA4
    APIs
    • RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE\Microsoft\VisualStudio\14.0\VC\Runtimes\x86,00000000,00020019,F9744ECF,F9744ECF,?,?,?,00E1AEF4,?,Noah not found,F9744ECF,?,?,?), ref: 00E1ACE4
    • RegQueryValueExW.ADVAPI32(F9744ECF,Installed,00000000,F9744ECF,?,?,?,?,00E1AEF4), ref: 00E1AD16
    • RegQueryValueExW.ADVAPI32(F9744ECF,Major,00000000,00E1AEF4,00000004,00000004,?,?,00E1AEF4), ref: 00E1AD56
      • Part of subcall function 00E25720: RegQueryValueExW.ADVAPI32(00000004,?,00000000,00000004,00000004,?,00000004,?,00E1AD86,Minor,00000004), ref: 00E2573D
    • RegCloseKey.ADVAPI32(00000000,Error Reading VCRedist registry value named Installed under HKLM\SOFTWARE\Microsoft\VisualStudio\14.0\VC\Runtimes\x86,?,?,00E1AEF4,?,Noah not found,F9744ECF,?,?,?), ref: 00E1ADD3
    Strings
    • SOFTWARE\Microsoft\VisualStudio\14.0\VC\Runtimes\x86, xrefs: 00E1ACD4
    • Major, xrefs: 00E1AD50
    • Error Reading VCRedist registry value named Major under HKLM\SOFTWARE\Microsoft\VisualStudio\14.0\VC\Runtimes\x86, xrefs: 00E1ADBB
    • Major version is less than 14 under HKLM\SOFTWARE\Microsoft\VisualStudio\14.0\VC\Runtimes\x86, xrefs: 00E1ADB4
    • Error Reading VCRedist registry value named Minor under HKLM\SOFTWARE\Microsoft\VisualStudio\14.0\VC\Runtimes\x86, xrefs: 00E1ADA2
    • Installed, xrefs: 00E1AD10
    • Minor version of 21 or lower reported., xrefs: 00E1AD9B
    • Minor version of 22 or higher reported. No need to install newer VC runtime., xrefs: 00E1AD94
    • Minor, xrefs: 00E1AD79
    • VC runtime version higher than 14 found under 14 key. Allow running redist as it will skip if this is a valid future version., xrefs: 00E1ADAD
    • Error Reading VCRedist registry value named Installed under HKLM\SOFTWARE\Microsoft\VisualStudio\14.0\VC\Runtimes\x86, xrefs: 00E1ADC2
    Similarity
    • API ID: QueryValue$CloseOpen
    • String ID: Error Reading VCRedist registry value named Installed under HKLM\SOFTWARE\Microsoft\VisualStudio\14.0\VC\Runtimes\x86$Error Reading VCRedist registry value named Major under HKLM\SOFTWARE\Microsoft\VisualStudio\14.0\VC\Runtimes\x86$Error Reading VCRedist registry value named Minor under HKLM\SOFTWARE\Microsoft\VisualStudio\14.0\VC\Runtimes\x86$Installed$Major$Major version is less than 14 under HKLM\SOFTWARE\Microsoft\VisualStudio\14.0\VC\Runtimes\x86$Minor$Minor version of 21 or lower reported.$Minor version of 22 or higher reported. No need to install newer VC runtime.$SOFTWARE\Microsoft\VisualStudio\14.0\VC\Runtimes\x86$VC runtime version higher than 14 found under 14 key. Allow running redist as it will skip if this is a valid future version.
    • API String ID: 1586453840-1800911297
    • Opcode ID: 6c55b5d40f0e5e3b8a91bdef0fbd7e12fd96e27375c734c2cc0dc3dd277d0c96
    • Instruction ID: dd547c0639e3255021951154aa6ac9b0ec2db816827c4e099c7555e09a34482d
    • Opcode Fuzzy Hash: 6c55b5d40f0e5e3b8a91bdef0fbd7e12fd96e27375c734c2cc0dc3dd277d0c96
    • Instruction Fuzzy Hash: CC41B3B5A417099ACB20CF41DC41BFFBBB8FB4570AF94152AE901F3680D77059498BA2
    APIs
      • Part of subcall function 00E15020: GetLocalTime.KERNEL32(?,75BF73E0,?,?,?,?,?,?,00E12EED,?), ref: 00E1503B
    • RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{7A22ED05-ABD2-4A20-9C34-51416E5823BD},00000000,00020019,?), ref: 00E1B517
    • RegCloseKey.ADVAPI32(00000000), ref: 00E1B52C
    • GetFileAttributesW.KERNEL32(?,ModuleAPI proxy uninstall registry key not found; installing...), ref: 00E1B563
    • PathQuoteSpacesW.SHLWAPI(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00E1B62A
    • wsprintfW.USER32 ref: 00E1B6BD
    Strings
    • InvokeModuleApiProxyInstall..., xrefs: 00E1B4C9
    • SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{7A22ED05-ABD2-4A20-9C34-51416E5823BD}, xrefs: 00E1B50D
    • /v/qb, xrefs: 00E1B65F
    • Prereq\Himsa\ModuleAPIProxy Install.exe, xrefs: 00E1B60A
    • /S /v/qn, xrefs: 00E1B658
    • ModuleAPI Invoke ExitCode: %lu, xrefs: 00E1B6B7
    • ModuleAPI proxy uninstall registry key found in registry; skipping install..., xrefs: 00E1B532
    • ModuleAPI proxy uninstall registry key not found; installing..., xrefs: 00E1B550
    Similarity
    • API ID: AttributesCloseFileLocalOpenPathQuoteSpacesTimewsprintf
    • String ID: /S /v/qn$/v/qb$InvokeModuleApiProxyInstall...$ModuleAPI Invoke ExitCode: %lu$ModuleAPI proxy uninstall registry key found in registry; skipping install...$ModuleAPI proxy uninstall registry key not found; installing...$Prereq\Himsa\ModuleAPIProxy Install.exe$SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{7A22ED05-ABD2-4A20-9C34-51416E5823BD}
    • API String ID: 1467927168-2515610524
    • Opcode ID: 92ee594c240dc043eebb36e145aa03b9d5ce54eafa6568972ac1eca717708647
    • Instruction ID: 6ee83d121c0d0f662a1c5a076387f72e26506857823bb08c9cb539560a9dcbc2
    • Opcode Fuzzy Hash: 92ee594c240dc043eebb36e145aa03b9d5ce54eafa6568972ac1eca717708647
    • Instruction Fuzzy Hash: D351E4B5A00218A6DB24EB60DC06FE973A9EF04705F449895FA49B21C1EF706BCDCBD4
    APIs
    • wsprintfW.USER32 ref: 00E1A326
      • Part of subcall function 00E15020: GetLocalTime.KERNEL32(?,75BF73E0,?,?,?,?,?,?,00E12EED,?), ref: 00E1503B
    • RegCreateKeyExW.ADVAPI32(80000002,Software\Policies\Microsoft\Windows\Installer,00000000,00000000,00000000,000F003F,00000000,?,?,?), ref: 00E1A362
    • RegSetValueExW.ADVAPI32(?,SecureRepairPolicy,00000000,00000004,?,00000004), ref: 00E1A3CA
    • RegCloseKey.ADVAPI32(?), ref: 00E1A3D6
    • RegCreateKeyExW.ADVAPI32(80000002,Software\Policies\Microsoft\Windows\Installer\SecureRepairWhiteList,00000000,00000000,00000000,000F003F,00000000,?,?), ref: 00E1A401
    • RegSetValueExW.ADVAPI32(?,?,00000000,00000001,00000000,00000000), ref: 00E1A439
    • RegCloseKey.ADVAPI32(?), ref: 00E1A445
    Strings
    • SecureRepairPolicy, xrefs: 00E1A3BF
    • RegCreateKeyEx failed creating Windows Installer key, xrefs: 00E1A378
    • Software\Policies\Microsoft\Windows\Installer\SecureRepairWhiteList, xrefs: 00E1A3F7
    • RegCreateKeyEx failed creating SecureRepairWhiteList key, xrefs: 00E1A417
    • Software\Policies\Microsoft\Windows\Installer, xrefs: 00E1A358
    • CreateWhiteListEntries with ProductCode '%s', xrefs: 00E1A320
    Similarity
    • API ID: CloseCreateValue$LocalTimewsprintf
    • String ID: CreateWhiteListEntries with ProductCode '%s'$RegCreateKeyEx failed creating SecureRepairWhiteList key$RegCreateKeyEx failed creating Windows Installer key$SecureRepairPolicy$Software\Policies\Microsoft\Windows\Installer$Software\Policies\Microsoft\Windows\Installer\SecureRepairWhiteList
    • API String ID: 1290931165-1234784166
    • Opcode ID: a941179f01017506cafe3f7f2280fe7e0a57b8047cd7aa358834c9210dd8f334
    • Instruction ID: 13680a4afaf41949d27c734ac019d2c9f5647337ab323d8a9d9e3afcb7d9813c
    • Opcode Fuzzy Hash: a941179f01017506cafe3f7f2280fe7e0a57b8047cd7aa358834c9210dd8f334
    • Instruction Fuzzy Hash: 6141A575A40318BBDB309B50EC4AFAE77B9EB09B00F101095F605B61D0D7B16A89CF55
    APIs
    Similarity
    • API ID: _free$Info
    • String ID:
    • API String ID: 2509303402-0
    • Opcode ID: 15543300dc5fa76a00b3c352c1a140b289706b276f68611f590248121aca175a
    • Instruction ID: 2d0457ebe8dc9788069d865d9cf90c2deb2b6e5a6738bbfafe50d6174b688ec2
    • Opcode Fuzzy Hash: 15543300dc5fa76a00b3c352c1a140b289706b276f68611f590248121aca175a
    • Instruction Fuzzy Hash: 6CB1BD719003059FDB159F69C88ABEEBBF4BF49304F1850ADF599BB242DB759841CB20
    APIs
    • GetCommandLineW.KERNEL32(?), ref: 00E18523
    • CommandLineToArgvW.SHELL32(00000000), ref: 00E1852A
    • LocalFree.KERNEL32(?), ref: 00E188BB
    Strings
    Similarity
    • API ID: CommandLine$ArgvFreeLocal
    • String ID: /fu$/noPrereqs$/v/qn$/webupdate$/whitelist$Ini Oveerride found. Running in Major upgrade web update mode.$Markets folder found, running in Major upgrade web update mode.$Markets folder not found, running in web update mode.$xM
    • API String ID: 1415666456-4032329724
    • Opcode ID: f953c38b8e5af289bad64357dd124bf1bf7ac3ec84d7af63883020dbe82b8f77
    • Instruction ID: 59d97ed560632b866e11a1230adb9e8b36b42b296feb52a6ff007cdc0dc12597
    • Opcode Fuzzy Hash: f953c38b8e5af289bad64357dd124bf1bf7ac3ec84d7af63883020dbe82b8f77
    • Instruction Fuzzy Hash: 8B913BB1D0031496DB20EB60DD46FEA73F86F14309F8469A5E94AF7182EF71AAC8C751
    APIs
    • ___free_lconv_mon.LIBCMT ref: 00E3D7E9
      • Part of subcall function 00E3CB88: _free.LIBCMT ref: 00E3CBA5
      • Part of subcall function 00E3CB88: _free.LIBCMT ref: 00E3CBB7
      • Part of subcall function 00E3CB88: _free.LIBCMT ref: 00E3CBC9
      • Part of subcall function 00E3CB88: _free.LIBCMT ref: 00E3CBDB
      • Part of subcall function 00E3CB88: _free.LIBCMT ref: 00E3CBED
      • Part of subcall function 00E3CB88: _free.LIBCMT ref: 00E3CBFF
      • Part of subcall function 00E3CB88: _free.LIBCMT ref: 00E3CC11
      • Part of subcall function 00E3CB88: _free.LIBCMT ref: 00E3CC23
      • Part of subcall function 00E3CB88: _free.LIBCMT ref: 00E3CC35
      • Part of subcall function 00E3CB88: _free.LIBCMT ref: 00E3CC47
      • Part of subcall function 00E3CB88: _free.LIBCMT ref: 00E3CC59
      • Part of subcall function 00E3CB88: _free.LIBCMT ref: 00E3CC6B
      • Part of subcall function 00E3CB88: _free.LIBCMT ref: 00E3CC7D
    • _free.LIBCMT ref: 00E3D7DE
      • Part of subcall function 00E32695: HeapFree.KERNEL32(00000000,00000000,?,00E3D2F5,?,00000000,?,00000000,?,00E3D599,?,00000007,?,?,00E3D93D,?), ref: 00E326AB
      • Part of subcall function 00E32695: GetLastError.KERNEL32(?,?,00E3D2F5,?,00000000,?,00000000,?,00E3D599,?,00000007,?,?,00E3D93D,?,?), ref: 00E326BD
    • _free.LIBCMT ref: 00E3D800
    • _free.LIBCMT ref: 00E3D815
    • _free.LIBCMT ref: 00E3D820
    • _free.LIBCMT ref: 00E3D842
    • _free.LIBCMT ref: 00E3D855
    • _free.LIBCMT ref: 00E3D863
    • _free.LIBCMT ref: 00E3D86E
    • _free.LIBCMT ref: 00E3D8A6
    • _free.LIBCMT ref: 00E3D8AD
    • _free.LIBCMT ref: 00E3D8CA
    • _free.LIBCMT ref: 00E3D8E2
    Similarity
    • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
    • String ID:
    • API String ID: 161543041-0
    • Opcode ID: c9705f0a9496d5aedd54171864404e9b049ad04b6ba0f32a0d5194b6f52644d8
    • Instruction ID: 26b8bf69c2ab761fa4911ad2c62f21ec644cebfc0bc5fc8ec3acc817ae64ce3e
    • Opcode Fuzzy Hash: c9705f0a9496d5aedd54171864404e9b049ad04b6ba0f32a0d5194b6f52644d8
    • Instruction Fuzzy Hash: 77317E71A083009FEB24AA39EC4EB567BE9AF44318F146429E488FB191DF31FC40CB15
    APIs
    • VariantClear.OLEAUT32(?), ref: 00E15986
    • SysAllocString.OLEAUT32(00000001), ref: 00E159A3
    • CoCreateInstance.OLE32(00E58D0C,00000000,00000017,00E58CE4,00000000), ref: 00E15A15
    • VariantInit.OLEAUT32(?), ref: 00E15B4C
      • Part of subcall function 00E25100: __CxxThrowException@8.LIBVCRUNTIME ref: 00E25112
    • VariantClear.OLEAUT32(?), ref: 00E15B96
    • VariantClear.OLEAUT32(?), ref: 00E15DA7
      • Part of subcall function 00E24BB0: VariantInit.OLEAUT32(?), ref: 00E24BF7
      • Part of subcall function 00E24BB0: VariantClear.OLEAUT32(?), ref: 00E24C55
      • Part of subcall function 00E24C80: VariantCopy.OLEAUT32(?,?), ref: 00E24C8F
    • SysFreeString.OLEAUT32(?), ref: 00E15C54
    • VariantClear.OLEAUT32(00000000), ref: 00E15D0F
    Strings
    • userSettings/ReSound.Ratatosk.Properties.Settings/setting[@name='AttachDBFilename'], xrefs: 00E15A88
    • `<u, xrefs: 00E15C54
    • value, xrefs: 00E15B29
    Similarity
    • API ID: Variant$Clear$InitString$AllocCopyCreateException@8FreeInstanceThrow
    • String ID: `<u$userSettings/ReSound.Ratatosk.Properties.Settings/setting[@name='AttachDBFilename']$value
    • API String ID: 2147581873-3608125196
    • Opcode ID: bc2432242c1e8b302d2fd6c5b4edfba19d626e3ae3f4fc797626bb05adc2e584
    • Instruction ID: 05f03dc8bf7c8b331ca736324ad88bb1a9b6a7e679aeabc67f6325d3aadada92
    • Opcode Fuzzy Hash: bc2432242c1e8b302d2fd6c5b4edfba19d626e3ae3f4fc797626bb05adc2e584
    • Instruction Fuzzy Hash: 6BD19C71A01619EBDB20DB64DC48BEEB7B8BF55308F1451D8E809BB291DB71AE84CF50
    APIs
      • Part of subcall function 00E12390: GetProcessHeap.KERNEL32(?), ref: 00E123BC
      • Part of subcall function 00E12390: __Init_thread_footer.LIBCMT ref: 00E123E7
      • Part of subcall function 00E12390: __Init_thread_footer.LIBCMT ref: 00E12465
    • wsprintfW.USER32 ref: 00E1B904
    • PathFileExistsW.SHLWAPI(00E16992,?), ref: 00E1B923
    • LoadLibraryW.KERNEL32(IOUtilsWrapper.dll), ref: 00E1B932
    • GetLastError.KERNEL32 ref: 00E1B93E
    • FormatMessageW.KERNEL32(00001300,00000000,00000000,00000400,?,00000000,00000000), ref: 00E1B959
    • FreeLibrary.KERNEL32(00000000), ref: 00E1B96D
      • Part of subcall function 00E25100: __CxxThrowException@8.LIBVCRUNTIME ref: 00E25112
    • GetProcAddress.KERNEL32(00000000,GetVersion), ref: 00E1B999
    • wsprintfW.USER32 ref: 00E1B9CD
    Strings
    Similarity
    • API ID: Init_thread_footerLibrarywsprintf$AddressErrorException@8ExistsFileFormatFreeHeapLastLoadMessagePathProcProcessThrow
    • String ID: GetMarketVersion for '%s'$GetVersion$IOUtilsWrapper.dll
    • API String ID: 3779942870-1907825684
    • Opcode ID: 51a2b883211073ef1b73e788a8192e3169fba9eea37359ede068e0d698b65b22
    • Instruction ID: 78ff949d52bf45d16162ccc865c897276cb227e3ac8cd8a38668f402cc5cf5bd
    • Opcode Fuzzy Hash: 51a2b883211073ef1b73e788a8192e3169fba9eea37359ede068e0d698b65b22
    • Instruction Fuzzy Hash: D94172B5A00218ABDB20DF55DC46BDEB7FCEB49700F008069F909F3281DF745A898BA5
    APIs
    • CreateFileW.KERNEL32(?,00000004,00000003,?,00000002,00000080,00000000), ref: 00E12029
    • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000001,00000020,00000000,00000000,00000044,?), ref: 00E12067
    • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,00001CFF), ref: 00E1208A
    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00E120A7
    • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,00001CFF), ref: 00E120CA
    • GetExitCodeProcess.KERNEL32(?,00000000), ref: 00E120D7
    • GetLastError.KERNEL32(?,00000000,00000000,00000001,00000020,00000000,00000000,00000044,?), ref: 00E120E6
    • CloseHandle.KERNEL32(?,?,00000000,00000000,00000001,00000020,00000000,00000000,00000044,?), ref: 00E120F7
    • CloseHandle.KERNEL32(?,?,00000000,00000000,00000001,00000020,00000000,00000000,00000044,?), ref: 00E120FC
    • GetLastError.KERNEL32(?,00000000,00000000,00000001,00000020,00000000,00000000,00000044,?), ref: 00E12107
    Strings
    Similarity
    • API ID: CloseCreateErrorHandleLastMultipleObjectsProcessWait$CodeExitFileMessagePeek
    • String ID: D
    • API String ID: 4178554234-2746444292
    • Opcode ID: bfc5e584dd0ddc207ff146887330fef1fc62eec0cff1b673190e3f6f377ab0f3
    • Instruction ID: 07dae0a8de974c0bef3a0c999100a0b338109da8ef858b56c52aab3f442f46d6
    • Opcode Fuzzy Hash: bfc5e584dd0ddc207ff146887330fef1fc62eec0cff1b673190e3f6f377ab0f3
    • Instruction Fuzzy Hash: 80416E71A40218ABFB20CB95DC45FED7BB8EB09714F104219F608FA2D0DBB56985CB55
    APIs
    Similarity
    • API ID: _free
    • String ID:
    • API String ID: 269201875-0
    • Opcode ID: b7a3d084b842a4195ad796a7fc43d165787ab42fd2656e668e3d45b7e6f4c105
    • Instruction ID: 42e29cc76803e74cea5edf1618cfc065e2d8a13e00c90757f6f3fd4bfde12ace
    • Opcode Fuzzy Hash: b7a3d084b842a4195ad796a7fc43d165787ab42fd2656e668e3d45b7e6f4c105
    • Instruction Fuzzy Hash: 3BC155B2E40204AFDB20DBA8CC46FEE7BF9AF09704F541165FA44FB282D6709941C760
    APIs
    Strings
    Similarity
    • API ID: wsprintf
    • String ID: VerMajor=%s, VerMinor=%s, Version=%s, VersionString=%s$Version$VersionMajor$VersionMinor$VersionString
    • API String ID: 2111968516-2105339926
    • Opcode ID: e38686bfc74569acd9e0dff3badcb066f669d0a8e1d63d6322b3975005358dac
    • Instruction ID: 60e2d8ab8c31d67a4a72f09a95c3c8fd6e2a177269f4c809932a4dd18d400335
    • Opcode Fuzzy Hash: e38686bfc74569acd9e0dff3badcb066f669d0a8e1d63d6322b3975005358dac
    • Instruction Fuzzy Hash: 694154B594021C9AEB10DB50DC89FDA77FCEB05310F0055E6E649F7181EBB1AB888FA0
    APIs
    • wsprintfW.USER32 ref: 00E17D30
    • GetFileAttributesW.KERNEL32(?,?,?,?,?,?,?,00000000,00000001,?), ref: 00E17DAD
    • SetFileAttributesW.KERNEL32(?,00000000,?,?,?,?,?,?,00000000,00000001,?), ref: 00E17DC2
      • Part of subcall function 00E15930: VariantClear.OLEAUT32(?), ref: 00E15986
      • Part of subcall function 00E15930: SysAllocString.OLEAUT32(00000001), ref: 00E159A3
      • Part of subcall function 00E15930: CoCreateInstance.OLE32(00E58D0C,00000000,00000017,00E58CE4,00000000), ref: 00E15A15
      • Part of subcall function 00E15930: VariantInit.OLEAUT32(?), ref: 00E15B4C
      • Part of subcall function 00E15930: VariantClear.OLEAUT32(?), ref: 00E15B96
    Strings
    Similarity
    • API ID: Variant$AttributesClearFile$AllocCreateInitInstanceStringwsprintf
    • String ID: DATA$Market$Market.Pref$ReSound.Fuse2.Config.dll.config$ReSound.Ratatosk.Configuration.dll.config$Using Market file location: %s
    • API String ID: 3507443516-2823571208
    • Opcode ID: 3f733dd6ec2e3a35dc79f1184fbaf5b70f2b902606960aa4aeeac5be34b0fa9d
    • Instruction ID: d3e681efe62b4736b870c42aa4f07745c2aa8607a6720776fd9ad10772b99045
    • Opcode Fuzzy Hash: 3f733dd6ec2e3a35dc79f1184fbaf5b70f2b902606960aa4aeeac5be34b0fa9d
    • Instruction Fuzzy Hash: 5551C4B5E40318A6DB60D7A0EC4BFDA73BCAB04705F445495BA49F61C1EAB066CCCBD4
    APIs
    • PathQuoteSpacesW.SHLWAPI(?), ref: 00E147E4
    • wsprintfW.USER32 ref: 00E1484E
      • Part of subcall function 00E15020: GetLocalTime.KERNEL32(?,75BF73E0,?,?,?,?,?,?,00E12EED,?), ref: 00E1503B
      • Part of subcall function 00E11FB0: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000001,00000020,00000000,00000000,00000044,?), ref: 00E12067
      • Part of subcall function 00E11FB0: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,00001CFF), ref: 00E1208A
      • Part of subcall function 00E11FB0: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00E120A7
      • Part of subcall function 00E11FB0: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,00001CFF), ref: 00E120CA
      • Part of subcall function 00E11FB0: GetExitCodeProcess.KERNEL32(?,00000000), ref: 00E120D7
      • Part of subcall function 00E11FB0: CloseHandle.KERNEL32(?,?,00000000,00000000,00000001,00000020,00000000,00000000,00000044,?), ref: 00E120F7
      • Part of subcall function 00E11FB0: CloseHandle.KERNEL32(?,?,00000000,00000000,00000001,00000020,00000000,00000000,00000044,?), ref: 00E120FC
    • wsprintfW.USER32 ref: 00E148D2
    Strings
    • GNWeb Launch ExitCode: %lu, xrefs: 00E148CC
    • %s /P /K "%s" /U "%s" /B "%s" /E "%s" /T "%s" /I "%s" /M "%s" /V "%s" , xrefs: 00E14848
    • GNWeb.exe, xrefs: 00E147C4
    • GNWeb Launch call succeeded., xrefs: 00E1488D
    • _gnWeb.log, xrefs: 00E146C9
    • Analytics, xrefs: 00E14769
    Similarity
    • API ID: CloseHandleMultipleObjectsProcessWaitwsprintf$CodeCreateExitLocalMessagePathPeekQuoteSpacesTime
    • String ID: %s /P /K "%s" /U "%s" /B "%s" /E "%s" /T "%s" /I "%s" /M "%s" /V "%s" $Analytics$GNWeb Launch ExitCode: %lu$GNWeb Launch call succeeded.$GNWeb.exe$_gnWeb.log
    • API String ID: 2375186778-2865028443
    • Opcode ID: 10c5cf488e4c6a256beaf51aa27fec899bda84b0d0c0acd67da23a249e1019a4
    • Instruction ID: 06041b295ec436037b1f819b6aabac1cd647bf72e3c35e33c495e51f772df068
    • Opcode Fuzzy Hash: 10c5cf488e4c6a256beaf51aa27fec899bda84b0d0c0acd67da23a249e1019a4
    • Instruction Fuzzy Hash: 9C61BAF1D40218A6DB30DB60DC46FDAB3BC6F04700F0494E5AA49B62C1E775A799CFA4
    APIs
    • Sleep.KERNEL32(000000FA,0000000A,Displaying Noah4Running message,?,?,F9744ECF), ref: 00E18B88
    • wsprintfW.USER32 ref: 00E18BEA
    • Sleep.KERNEL32(0000015E,?), ref: 00E18C0D
      • Part of subcall function 00E1AAF0: GetModuleHandleW.KERNEL32(00000000,00000000,?,00000800), ref: 00E1ABAF
      • Part of subcall function 00E1AAF0: LoadStringW.USER32(00000000), ref: 00E1ABB6
    Strings
    • Displaying SetupRunning message, xrefs: 00E18B39
    • Noah4.exe, xrefs: 00E18B60
    • Displaying Noah4Running message, xrefs: 00E18B6E
    • Displaying SoftwareRunning message, xrefs: 00E18B03
    • FSW still running...., xrefs: 00E18BBB
    • Killing FSW process '%s'...., xrefs: 00E18BE4
    Similarity
    • API ID: Sleep$HandleLoadModuleStringwsprintf
    • String ID: Displaying Noah4Running message$Displaying SetupRunning message$Displaying SoftwareRunning message$FSW still running....$Killing FSW process '%s'....$Noah4.exe
    • API String ID: 3349528799-3849168952
    • Opcode ID: a7aae434e555f74bca1f9078ec2c179f81a22100ac35ec343a30b595bd606717
    • Instruction ID: d6e9fe8b1c3228e78f2c6144769ddc24b53532ec2acccd1dcaea2d6a47e1f1b5
    • Opcode Fuzzy Hash: a7aae434e555f74bca1f9078ec2c179f81a22100ac35ec343a30b595bd606717
    • Instruction Fuzzy Hash: 284156B07407149ADA25A7209D26BFEB3D5AF86744F042459F886B72C1CFA419C583E6
    APIs
    Strings
    Similarity
    • API ID: ExistsFilePathwsprintf
    • String ID: ReSound\SmartFit\1\$SAData.sdf$SADataDB.db$szSADb: %s$szSADbNew: %s
    • API String ID: 2360385415-231781144
    • Opcode ID: 6f6eacf416c5383af0962ec08545d8072bf44c5886a8e2775b80cb3be64e870f
    • Instruction ID: 238a62aa0bcb9b8dc4838e7c3eb28228be57f9430327d7eba866cb031e8453ce
    • Opcode Fuzzy Hash: 6f6eacf416c5383af0962ec08545d8072bf44c5886a8e2775b80cb3be64e870f
    • Instruction Fuzzy Hash: 764159B5D0021CA6DB60D6A0EC46FDA73FCEB04705F4454A2A949F7181EEB0ABDC8BD4
    APIs
      • Part of subcall function 00E15020: GetLocalTime.KERNEL32(?,75BF73E0,?,?,?,?,?,?,00E12EED,?), ref: 00E1503B
    • wsprintfW.USER32 ref: 00E14F87
    • GetLastError.KERNEL32(?,?,?,?,?,?,Uninstalling Application with Parmaters), ref: 00E14FD7
    • FormatMessageW.KERNEL32(00001300,00000000,?,00000400,?,00000000,00000000,?,?,?,?,?,?,Uninstalling Application with Parmaters), ref: 00E14FF5
    Strings
    • %s /uninstall "%s" /qn /l*v "%s", xrefs: 00E14F64
    • %s /uninstall "%s" /qb! /l*v "%s", xrefs: 00E14F7B
    • _fswUninstall.log, xrefs: 00E14F2F
    • %s /uninstall "%s" /l*v "%s", xrefs: 00E14F74
    • MsiExec.Exe, xrefs: 00E14F5D
    • Uninstalling Application with Parmaters, xrefs: 00E14F44
    Similarity
    • API ID: ErrorFormatLastLocalMessageTimewsprintf
    • String ID: %s /uninstall "%s" /l*v "%s"$%s /uninstall "%s" /qb! /l*v "%s"$%s /uninstall "%s" /qn /l*v "%s"$MsiExec.Exe$Uninstalling Application with Parmaters$_fswUninstall.log
    • API String ID: 4153586964-1021344114
    • Opcode ID: 447a437842ef4b373ee81140641ae322823368cfe4a1e5724f1ecd3205a5e98c
    • Instruction ID: e195e6801d4690f7ecbe5793d73a45ec48e6828e66356f1d9d55c42651142280
    • Opcode Fuzzy Hash: 447a437842ef4b373ee81140641ae322823368cfe4a1e5724f1ecd3205a5e98c
    • Instruction Fuzzy Hash: B231B9B5B00318AADB20D764DC06FDEB7A8AB08705F005596F549B63C1DAB06ACDCBA5
    APIs
    • _free.LIBCMT ref: 00E34F4F
      • Part of subcall function 00E32695: HeapFree.KERNEL32(00000000,00000000,?,00E3D2F5,?,00000000,?,00000000,?,00E3D599,?,00000007,?,?,00E3D93D,?), ref: 00E326AB
      • Part of subcall function 00E32695: GetLastError.KERNEL32(?,?,00E3D2F5,?,00000000,?,00000000,?,00E3D599,?,00000007,?,?,00E3D93D,?,?), ref: 00E326BD
    • _free.LIBCMT ref: 00E34F5B
    • _free.LIBCMT ref: 00E34F66
    • _free.LIBCMT ref: 00E34F71
    • _free.LIBCMT ref: 00E34F7C
    • _free.LIBCMT ref: 00E34F87
    • _free.LIBCMT ref: 00E34F92
    • _free.LIBCMT ref: 00E34F9D
    • _free.LIBCMT ref: 00E34FA8
    • _free.LIBCMT ref: 00E34FB6
    Similarity
    • API ID: _free$ErrorFreeHeapLast
    • String ID:
    • API String ID: 776569668-0
    • Opcode ID: ae25e2295849bab58e3b9bcbfa77e13556c93fae32f46dcf89160912362a718c
    • Instruction ID: 8732b85caa80504b4624cde68c0e3f94632e5f4da0ca8593c04e33528a193a38
    • Opcode Fuzzy Hash: ae25e2295849bab58e3b9bcbfa77e13556c93fae32f46dcf89160912362a718c
    • Instruction Fuzzy Hash: BC11A476500108AFCB01EF55C956CD93FA6EF08354F4164A9BA48AF262DE32EA50DB81
    APIs
      • Part of subcall function 00E15020: GetLocalTime.KERNEL32(?,75BF73E0,?,?,?,?,?,?,00E12EED,?), ref: 00E1503B
    • GetSystemDefaultLCID.KERNEL32 ref: 00E1B74E
    • GetModuleHandleW.KERNEL32(00000000,000000C9,?,00000800), ref: 00E1B7BA
    • LoadStringW.USER32(00000000), ref: 00E1B7C1
    • wsprintfW.USER32 ref: 00E1B7DC
    • MessageBoxW.USER32(00000000,?,?,00000014), ref: 00E1B804
    Strings
    Similarity
    • API ID: DefaultHandleLoadLocalMessageModuleStringSystemTimewsprintf
    • String ID: Handling Reboot....$Rebooting.....$User opted to reboot later....
    • API String ID: 1737272312-618185655
    • Opcode ID: 5375690c13a5717834b728febd41cd0d9163e993762a2c42a5c8e8ccb943618b
    • Instruction ID: 84e12cb126ec77d047051405d1e8976a38f69172fd639dd6178bc2e0c6dab016
    • Opcode Fuzzy Hash: 5375690c13a5717834b728febd41cd0d9163e993762a2c42a5c8e8ccb943618b
    • Instruction Fuzzy Hash: CF313975600304ABE724A778EC4AFED33A8EB85704F002566F106F61D1DB645DC98796
    APIs
    • wsprintfW.USER32 ref: 00E19CA0
      • Part of subcall function 00E15020: GetLocalTime.KERNEL32(?,75BF73E0,?,?,?,?,?,?,00E12EED,?), ref: 00E1503B
    • MessageBoxW.USER32(00000000,Activation completed successfully.,Activation,00000040), ref: 00E19D00
    • MessageBoxW.USER32(00000000,Invalid key for activation. Look at the log file (%TEMP%PatchInstaller.log) for more details.,Activation,00000010), ref: 00E19D39
    Strings
    • Error: invalid Key for activation., xrefs: 00E19D18
    • Activation completed successfully., xrefs: 00E19CDD, 00E19CF9
    • Activation invoked with switch '%s', xrefs: 00E19C9A
    • Invalid key for activation. Look at the log file (%TEMP%PatchInstaller.log) for more details., xrefs: 00E19D32
    • Activation, xrefs: 00E19CF4, 00E19D2D
    Similarity
    • API ID: Message$LocalTimewsprintf
    • String ID: Activation$Activation completed successfully.$Activation invoked with switch '%s'$Error: invalid Key for activation.$Invalid key for activation. Look at the log file (%TEMP%PatchInstaller.log) for more details.
    • API String ID: 347051814-1400046012
    • Opcode ID: fbfdb75df8d249144e07bd27f45d8d43c1bb37d954a72d171442378a38b215e5
    • Instruction ID: e5e2c90ef0a7a1e26a48e5a6d0ac112a9c3cb6c16918e4a30abf3cbb74d5e41e
    • Opcode Fuzzy Hash: fbfdb75df8d249144e07bd27f45d8d43c1bb37d954a72d171442378a38b215e5
    • Instruction Fuzzy Hash: 8B216B72F447087ADB20E774AC1BFEDB3A59F45701F401998FC19B72C1DFA0298886A5
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 00f4f8939218bb6ef84f90c6659d1a6570a27fdf940e0cf2da19aa4c872e6285
    • Instruction ID: 6081a93b54dc5c77e70eacd6c892b097a5fefda76d90031ca587713b802723f6
    • Opcode Fuzzy Hash: 00f4f8939218bb6ef84f90c6659d1a6570a27fdf940e0cf2da19aa4c872e6285
    • Instruction Fuzzy Hash: 27C1E174A04389AFDF15DFA9E881BADBBF0BF09304F146599E905B7392C7309981CB61
    APIs
    • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,Y,00E2E259,?,?,?,00E398C0,00000001,00000001,99E85006), ref: 00E396C9
    • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00E398C0,00000001,00000001,99E85006,?,?,?), ref: 00E3974F
    • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,99E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00E39849
    • __freea.LIBCMT ref: 00E39856
      • Part of subcall function 00E31E61: RtlAllocateHeap.NTDLL(00000000,00000003,00000000,?,00000003,00E350B2,?,00E2C5E9,?), ref: 00E31E93
    • __freea.LIBCMT ref: 00E3985F
    • __freea.LIBCMT ref: 00E39884
    Strings
    Similarity
    • API ID: ByteCharMultiWide__freea$AllocateHeap
    • String ID: Y
    • API String ID: 1414292761-3314497812
    • Opcode ID: b03bbb336d0ebf6dd964d062594e0ec9f553f53611adc747c61f31f8c12f5bb6
    • Instruction ID: 9746ec72c4e5f5a63f33094c4df2324c04ef6febeb00fb3f247852c9ed2c174f
    • Opcode Fuzzy Hash: b03bbb336d0ebf6dd964d062594e0ec9f553f53611adc747c61f31f8c12f5bb6
    • Instruction Fuzzy Hash: B951E072600216AFDB298E64DC49EAB7FA9EF81714F14562DFC08F6142EBB4DC44C6A0
    APIs
    • std::_Lockit::_Lockit.LIBCPMT ref: 00E21D0D
    • std::_Lockit::_Lockit.LIBCPMT ref: 00E21D30
    • std::_Lockit::~_Lockit.LIBCPMT ref: 00E21D50
    • __CxxThrowException@8.LIBVCRUNTIME ref: 00E21DC9
    • std::_Facet_Register.LIBCPMT ref: 00E21DDF
    • std::_Lockit::~_Lockit.LIBCPMT ref: 00E21DEA
    Strings
    Similarity
    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
    • String ID: 8O
    • API String ID: 2536120697-3761743594
    • Opcode ID: 52b88f88a7be4c5107be0e405a821a98def80bd1b09e0b54a5dd3b11b83bf800
    • Instruction ID: d0ac2bd6a76066d0992eea411d3433073bd46feea56a61aeba258db8b9c14aaa
    • Opcode Fuzzy Hash: 52b88f88a7be4c5107be0e405a821a98def80bd1b09e0b54a5dd3b11b83bf800
    • Instruction Fuzzy Hash: 1F31E172A04224DFCB24DF94FC41AADB7B4FB24316F14169AE801B7251DB30AE05CB90
    APIs
    • std::_Lockit::_Lockit.LIBCPMT ref: 00E21F6D
    • std::_Lockit::_Lockit.LIBCPMT ref: 00E21F90
    • std::_Lockit::~_Lockit.LIBCPMT ref: 00E21FB0
    • __CxxThrowException@8.LIBVCRUNTIME ref: 00E22029
    • std::_Facet_Register.LIBCPMT ref: 00E2203F
    • std::_Lockit::~_Lockit.LIBCPMT ref: 00E2204A
    Strings
    Similarity
    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
    • String ID: hO
    • API String ID: 2536120697-3626264865
    • Opcode ID: c714bbeaff01c58ad34b582736c3889201342cbd1c2fb99132eb6cc7707175fd
    • Instruction ID: 492d9d7fe82a81bc8ac2e602ffcf33a2b928cf83c0687dc61c1d82c42beeefeb
    • Opcode Fuzzy Hash: c714bbeaff01c58ad34b582736c3889201342cbd1c2fb99132eb6cc7707175fd
    • Instruction Fuzzy Hash: 69311472E042249FDB14CF94F941AADB7B4EF14324F14525AE801B73A1DB70AE09CB90
    APIs
    • wsprintfW.USER32 ref: 00E1A4AF
      • Part of subcall function 00E15020: GetLocalTime.KERNEL32(?,75BF73E0,?,?,?,?,?,?,00E12EED,?), ref: 00E1503B
      • Part of subcall function 00E189B0: GetPrivateProfileStringW.KERNEL32(Startup,PackageCode,00E52748,?,00000400,?), ref: 00E18A5E
      • Part of subcall function 00E1A2C0: wsprintfW.USER32 ref: 00E1A326
      • Part of subcall function 00E1A2C0: RegCreateKeyExW.ADVAPI32(80000002,Software\Policies\Microsoft\Windows\Installer,00000000,00000000,00000000,000F003F,00000000,?,?,?), ref: 00E1A362
    • MessageBoxW.USER32(00000000,Error Whitelisting. Look at the log file (%TEMP%PatchInstaller.log) for more details.,WhiteList,00000010), ref: 00E1A540
    Strings
    • Error Whitelisting. Look at the log file (%TEMP%PatchInstaller.log) for more details., xrefs: 00E1A539
    • WhiteList, xrefs: 00E1A513, 00E1A534
    • Setup invoked with WhiteList switch '%s', xrefs: 00E1A4A9
    • Error Whitelisting: look at log file for more details., xrefs: 00E1A51F
    • WhiteList completed successfully., xrefs: 00E1A4FE, 00E1A518
    Similarity
    • API ID: wsprintf$CreateLocalMessagePrivateProfileStringTime
    • String ID: Error Whitelisting. Look at the log file (%TEMP%PatchInstaller.log) for more details.$Error Whitelisting: look at log file for more details.$Setup invoked with WhiteList switch '%s'$WhiteList$WhiteList completed successfully.
    • API String ID: 1034281970-1845519667
    • Opcode ID: 875b3bbd34133853065b79fac8efe48bb048625d8dde418dcee14b89a746a86c
    • Instruction ID: 73c85313dcdc159caab8e2d49296c3b5fe575bdcdca0bb907ba67b7a11811de3
    • Opcode Fuzzy Hash: 875b3bbd34133853065b79fac8efe48bb048625d8dde418dcee14b89a746a86c
    • Instruction Fuzzy Hash: 15110DB0F4031C66DF24E771AC4AFE977A99B05710F441865F809B71C1DAB05A88C6A2
    APIs
    • __CxxThrowException@8.LIBVCRUNTIME ref: 00E24099
    • __CxxThrowException@8.LIBVCRUNTIME ref: 00E240C0
    • __CxxThrowException@8.LIBVCRUNTIME ref: 00E240E3
    • __CxxThrowException@8.LIBVCRUNTIME ref: 00E24106
    Strings
    Similarity
    • API ID: Exception@8Throw
    • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
    • API String ID: 2005118841-1866435925
    • Opcode ID: dd949fbfbb533a7c37fcf6e3c21ee1c020b00cf6b4661a222ffcb99dc6fae552
    • Instruction ID: b2394f10b2a2b5062c72a7cf1d1986f0edddd9c5385c49a78be6421c0eb885c2
    • Opcode Fuzzy Hash: dd949fbfbb533a7c37fcf6e3c21ee1c020b00cf6b4661a222ffcb99dc6fae552
    • Instruction Fuzzy Hash: E21182B16043146AD714FB70FD53F6A73D86B51B02F406819BA91760C2EFA4AA4C8B9A
    APIs
    Strings
    • Invalid or corrupt market file version: %s, xrefs: 00E16163
    • Invalid or corrupt market file major version: %s, xrefs: 00E163E3
    • Invalid or corrupt market file minor version: %s, xrefs: 00E163DA
    Similarity
    • API ID: _wcsrchr_wcsstrwsprintf
    • String ID: Invalid or corrupt market file major version: %s$Invalid or corrupt market file minor version: %s$Invalid or corrupt market file version: %s
    • API String ID: 3507916290-4082492693
    • Opcode ID: cf946a55d99356bc39a1ea2e27f845bae91728e42f7c3758cb9a9def3f328833
    • Instruction ID: bdb088488c82eff810b807b2f041ad0d04237714a348ccf0a7b79abc063b5486
    • Opcode Fuzzy Hash: cf946a55d99356bc39a1ea2e27f845bae91728e42f7c3758cb9a9def3f328833
    • Instruction Fuzzy Hash: 0EB19071A016159BCB24DF68C888BD9B7F4FF55314F1492A9E81ABB291DB30DE84CF50
    APIs
    Similarity
    • API ID: _free
    • String ID:
    • API String ID: 269201875-0
    • Opcode ID: 4e36e71f365810b93b5de414fc7ebe4b335588339c20d13f8e8dcb1c25e0484e
    • Instruction ID: 3218656064f521e33299b07501e5fb4a0131b8d3ba113433347b1a1e65d8cd04
    • Opcode Fuzzy Hash: 4e36e71f365810b93b5de414fc7ebe4b335588339c20d13f8e8dcb1c25e0484e
    • Instruction Fuzzy Hash: C161BD71D08205AFDB20DFA8DC46BAABFF5EF48720F1451A9E944FB292DB709941CB50
    APIs
    • GetConsoleCP.KERNEL32(00000000,?,?,?,?,?,?,?,?,00E36CB3,?,?,00000000,?,?,?), ref: 00E36580
    • __fassign.LIBCMT ref: 00E365FB
    • __fassign.LIBCMT ref: 00E36616
    • WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00000000,00000005,00000000,00000000), ref: 00E3663C
    • WriteFile.KERNEL32(?,00000000,00000000,00E36CB3,00000000,?,?,?,?,?,?,?,?,?,00E36CB3,?), ref: 00E3665B
    • WriteFile.KERNEL32(?,?,00000001,00E36CB3,00000000,?,?,?,?,?,?,?,?,?,00E36CB3,?), ref: 00E36694
    Similarity
    • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
    • String ID:
    • API String ID: 1324828854-0
    • Opcode ID: 174d5d6b5000a0083a68bba9e5995f3fd04817894611600c8ea31e6ee08a9df9
    • Instruction ID: 78597bb900e55ca28aac894f05dc8f09814ffa56ffd5151175570fbfab30fe34
    • Opcode Fuzzy Hash: 174d5d6b5000a0083a68bba9e5995f3fd04817894611600c8ea31e6ee08a9df9
    • Instruction Fuzzy Hash: A251A271900249AFCB14CFB8D88AAEEBBF8FF09301F14955AE956F7251E6309951CB60
    APIs
    Strings
    Similarity
    • API ID: Getcvt$Concurrency::cancel_current_task
    • String ID: ,$false$true
    • API String ID: 1267538876-760133229
    • Opcode ID: 742f49e6d060a373d6566df9cc12826eb8327642a982c828c2a43eb6362b60f5
    • Instruction ID: 35c2ec9ad7f380e87fabfe2203f97f87c633017ed491ec8fd3724e7700044a32
    • Opcode Fuzzy Hash: 742f49e6d060a373d6566df9cc12826eb8327642a982c828c2a43eb6362b60f5
    • Instruction Fuzzy Hash: 6851E3B1D003589FDB10CFA4D841BEEBBB8FF08304F14926AE905BB241EB71AA45CB51
    APIs
    • GetModuleHandleW.KERNEL32(00000000,00000000,?,00000800), ref: 00E1ABAF
    • LoadStringW.USER32(00000000), ref: 00E1ABB6
    • MessageBoxW.USER32(00000000,?,?,00000010), ref: 00E1AC6A
    Strings
    Similarity
    • API ID: HandleLoadMessageModuleString
    • String ID: Setup$Setup.exe
    • API String ID: 2734547477-2205716801
    • Opcode ID: ac19633e809d95fbdf7568d9ccb89525d9ba889a39eb2fa558e6a4cf08cc067f
    • Instruction ID: 61c90328d726e69e80c90acbfba9f592cdc1b2bb640e05be7f0bf6d786fba9c5
    • Opcode Fuzzy Hash: ac19633e809d95fbdf7568d9ccb89525d9ba889a39eb2fa558e6a4cf08cc067f
    • Instruction Fuzzy Hash: 7A41E976A011186BDB24DB649C46FFDB3A8EB44300F0492B6F909B7181DF706A98CBD6
    APIs
      • Part of subcall function 00E15020: GetLocalTime.KERNEL32(?,75BF73E0,?,?,?,?,?,?,00E12EED,?), ref: 00E1503B
    • GetFileAttributesW.KERNEL32(?,Invoking .NET 8 x86 Install,?), ref: 00E1B1D8
    • PathQuoteSpacesW.SHLWAPI(?), ref: 00E1B29A
    Strings
    • /install /passive /norestart, xrefs: 00E1B2CF
    • Prereq\Net\windowsdesktop-runtime-8.0.1-win-x86.exe, xrefs: 00E1B27A
    • Invoking .NET 8 x86 Install, xrefs: 00E1B1A5
    • /install /quiet /norestart, xrefs: 00E1B2C8
    Similarity
    • API ID: AttributesFileLocalPathQuoteSpacesTime
    • String ID: /install /passive /norestart$/install /quiet /norestart$Invoking .NET 8 x86 Install$Prereq\Net\windowsdesktop-runtime-8.0.1-win-x86.exe
    • API String ID: 2168460608-3913349600
    • Opcode ID: 00c1cd3d21bf76b77524167c89b8cdcfed0e3ab11d62c1542dea6c9960b22087
    • Instruction ID: d282831774848b8dbdd328e89eb88750868957afb50782773cd9111078261b23
    • Opcode Fuzzy Hash: 00c1cd3d21bf76b77524167c89b8cdcfed0e3ab11d62c1542dea6c9960b22087
    • Instruction Fuzzy Hash: CA31A47590021896DB74DB60DC06FD973B8EB04704F449994AA89B61C0EF706ACDCBD4
    APIs
      • Part of subcall function 00E15020: GetLocalTime.KERNEL32(?,75BF73E0,?,?,?,?,?,?,00E12EED,?), ref: 00E1503B
    • GetFileAttributesW.KERNEL32(?,Invoking VC Redist x86 v14.22 Install...,?), ref: 00E1B368
    • PathQuoteSpacesW.SHLWAPI(?), ref: 00E1B42A
    Strings
    • /quiet /norestart, xrefs: 00E1B458
    • Prereq\VCRedist\vcredist_x86.exe, xrefs: 00E1B40A
    • /passive /norestart, xrefs: 00E1B45F
    • Invoking VC Redist x86 v14.22 Install..., xrefs: 00E1B335
    Similarity
    • API ID: AttributesFileLocalPathQuoteSpacesTime
    • String ID: /passive /norestart$/quiet /norestart$Invoking VC Redist x86 v14.22 Install...$Prereq\VCRedist\vcredist_x86.exe
    • API String ID: 2168460608-1423580529
    • Opcode ID: e10781e8cf070c0bd259a7c44f531fef4bdfbf0f8d6e8c02ae7fac0b34382ed4
    • Instruction ID: a03487fb3da543cb0f1e28a663cbad134927139d7c954385742f0288cf404bcd
    • Opcode Fuzzy Hash: e10781e8cf070c0bd259a7c44f531fef4bdfbf0f8d6e8c02ae7fac0b34382ed4
    • Instruction Fuzzy Hash: B831D6B590031896DB64DB60DC06FDA73B8EF04304F409994EA89B6181EFB06ADECBD4
    APIs
    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00E11EB0
    • Process32FirstW.KERNEL32(00000000,0000022C), ref: 00E11EC0
    • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 00E11F61
    • GetExitCodeProcess.KERNEL32(00000000,?), ref: 00E11F71
    • TerminateProcess.KERNEL32(00000000,?), ref: 00E11F7E
    • Process32NextW.KERNEL32(00000000,?), ref: 00E11F8C
    • CloseHandle.KERNEL32(00000000), ref: 00E11F97
    Similarity
    • API ID: Process$Process32$CloseCodeCreateExitFirstHandleNextOpenSnapshotTerminateToolhelp32
    • String ID:
    • API String ID: 4076460876-0
    • Opcode ID: 18c2c47864f976de247be95b4ccf1b083144d8fa1dab6b1596c134f61bf1a022
    • Instruction ID: c3a8f15fdf24fd2acedd8a830d074fde8cc2d26373de12376b3e635cf97c8ee6
    • Opcode Fuzzy Hash: 18c2c47864f976de247be95b4ccf1b083144d8fa1dab6b1596c134f61bf1a022
    • Instruction Fuzzy Hash: A5316675A01218AADB20EB61DC4AFEE73BCEF09704F0041D5F609F6181DB749B998B65
    Memory Dump Source
    • Source File: 00000000.00000002.1779433342.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
    • Associated: 00000000.00000002.1779418342.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1779458961.0000000000E46000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1779477317.0000000000E5D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1779491698.0000000000E5F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1779505912.0000000000E61000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e10000_Setup.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 68b8e7f0d533e841bb42f86fb59635a82394dfecbfaa004c7c3cdb25f882b068
    • Instruction ID: 778c2721fc0ef63c08ac9c86d74dc237765512cbfbfbfcb42423c69366bdc8db
    • Opcode Fuzzy Hash: 68b8e7f0d533e841bb42f86fb59635a82394dfecbfaa004c7c3cdb25f882b068
    • Instruction Fuzzy Hash: FD1136B2505225BFDB202FB6FC08D6F3AA8EF83724B205654B815F7251DE708901D660
    APIs
      • Part of subcall function 00E3D2C7: _free.LIBCMT ref: 00E3D2F0
    • _free.LIBCMT ref: 00E3D5CE
      • Part of subcall function 00E32695: HeapFree.KERNEL32(00000000,00000000,?,00E3D2F5,?,00000000,?,00000000,?,00E3D599,?,00000007,?,?,00E3D93D,?), ref: 00E326AB
      • Part of subcall function 00E32695: GetLastError.KERNEL32(?,?,00E3D2F5,?,00000000,?,00000000,?,00E3D599,?,00000007,?,?,00E3D93D,?,?), ref: 00E326BD
    • _free.LIBCMT ref: 00E3D5D9
    • _free.LIBCMT ref: 00E3D5E4
    • _free.LIBCMT ref: 00E3D638
    • _free.LIBCMT ref: 00E3D643
    • _free.LIBCMT ref: 00E3D64E
    • _free.LIBCMT ref: 00E3D659
    Similarity
    • API ID: _free$ErrorFreeHeapLast
    • String ID:
    • API String ID: 776569668-0
    • Opcode ID: 4823ed74ff2b2a181ba03e8bd3704a0034a048cd6f32e05b26b66c1f602ddd3a
    • Instruction ID: 3fd0dc9ebc60d4b63c7badd0636f3e1074e2ebbd0e32533d0a92e85a97600bfe
    • Opcode Fuzzy Hash: 4823ed74ff2b2a181ba03e8bd3704a0034a048cd6f32e05b26b66c1f602ddd3a
    • Instruction Fuzzy Hash: A3110AB1544B04AAD620BBB1DC4FFCB7FECAF04700F445919B29DBB0A2DA69F904C651
    APIs
    • GetLastError.KERNEL32(?,?,00E2BA05,00E285F7,00E5B4A8,00000010,00E27DBF,?,?,?,?,?,00000000,?), ref: 00E2BA1C
    • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00E2BA2A
    • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00E2BA43
    • SetLastError.KERNEL32(00000000,00E2BA05,00E285F7,00E5B4A8,00000010,00E27DBF,?,?,?,?,?,00000000,?), ref: 00E2BA95
    Similarity
    • API ID: ErrorLastValue___vcrt_
    • String ID:
    • API String ID: 3852720340-0
    • Opcode ID: 9a5d47be3cb9fe52f2ddca60f83c261d017a6d27b6c9aa508b0c4809a54de218
    • Instruction ID: 6825d2f928616f3a7724e5d423780e69b7bc0a3e7eec90025f9ce2bcc09717fe
    • Opcode Fuzzy Hash: 9a5d47be3cb9fe52f2ddca60f83c261d017a6d27b6c9aa508b0c4809a54de218
    • Instruction Fuzzy Hash: EA01D47210E7359EA73C2B767C856A73BD9EB01779B20223DF128750E1EF114C469240
    APIs
    • GetModuleHandleW.KERNEL32(Advapi32.dll,?,?,00E24B57,?,?,?,?,00000000,?), ref: 00E24AA0
    • GetProcAddress.KERNEL32(00000000,RegCreateKeyTransactedW), ref: 00E24AB0
    Strings
    Similarity
    • API ID: AddressHandleModuleProc
    • String ID: Advapi32.dll$RegCreateKeyTransactedW$SOFTWARE\ReSound\Aventa3$T*
    • API String ID: 1646373207-1258704450
    • Opcode ID: 35434b67b706c5c80e1d30cecd660ff1f5c7490a555163db720d9c83c6989418
    • Instruction ID: f70fa0a21ede88318047a274015d18e374384dc6360217114c2e20e2dec35c11
    • Opcode Fuzzy Hash: 35434b67b706c5c80e1d30cecd660ff1f5c7490a555163db720d9c83c6989418
    • Instruction Fuzzy Hash: 8F018FB1240318ABEB248F95EC4AFD67BE4EB0571AF105419FA047A1C1C7F5D868CB94
    APIs
      • Part of subcall function 00E3502F: GetLastError.KERNEL32(?,?,00E2C109,?,00000000,?,00E2C5E9,?), ref: 00E35033
      • Part of subcall function 00E3502F: _free.LIBCMT ref: 00E35066
      • Part of subcall function 00E3502F: SetLastError.KERNEL32(00000000,?,00E2C5E9,?), ref: 00E350A7
      • Part of subcall function 00E3502F: _abort.LIBCMT ref: 00E350AD
    • _memcmp.LIBVCRUNTIME ref: 00E344C2
    • _free.LIBCMT ref: 00E34533
    • _free.LIBCMT ref: 00E3454C
    • _free.LIBCMT ref: 00E3457E
    • _free.LIBCMT ref: 00E34587
    • _free.LIBCMT ref: 00E34593
    Similarity
    • API ID: _free$ErrorLast$_abort_memcmp
    • String ID:
    • API String ID: 1679612858-0
    • Opcode ID: 475018c02799691c9ecf5ec898876465ea9d40906a789d48aaee4ee1d9a1fa34
    • Instruction ID: c89dace504c961d1413b66816c65e877a299f1faa4ad71f8c230699e7a88ce7f
    • Opcode Fuzzy Hash: 475018c02799691c9ecf5ec898876465ea9d40906a789d48aaee4ee1d9a1fa34
    • Instruction Fuzzy Hash: B4B139B59012199FDB24DF18C889BADBBB4FF48304F1055AAE949B73A1D731AE90CF40
    APIs
    • std::_Lockit::_Lockit.LIBCPMT ref: 00E21E3D
    • std::_Lockit::_Lockit.LIBCPMT ref: 00E21E60
    • std::_Lockit::~_Lockit.LIBCPMT ref: 00E21E80
    • __CxxThrowException@8.LIBVCRUNTIME ref: 00E21EF9
    • std::_Facet_Register.LIBCPMT ref: 00E21F0F
    • std::_Lockit::~_Lockit.LIBCPMT ref: 00E21F1A
    Similarity
    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
    • String ID:
    • API String ID: 2536120697-0
    • Opcode ID: c3f3792ef588f246497c8d8a6fe6735c295307348a658a04971a117f2db688b1
    • Instruction ID: f7c4b6d368ab16e8f819ef4a4c782777bb474cd31f240a1c8625b85dddeeb351
    • Opcode Fuzzy Hash: c3f3792ef588f246497c8d8a6fe6735c295307348a658a04971a117f2db688b1
    • Instruction Fuzzy Hash: 6731D072A00224DFDB14DF54EC41AAEB7B4FF14324F19169AE805B7391DB31AE05CB90
    APIs
    • GetLastError.KERNEL32(?,?,00E2C109,?,00000000,?,00E2C5E9,?), ref: 00E35033
    • _free.LIBCMT ref: 00E35066
    • _free.LIBCMT ref: 00E3508E
    • SetLastError.KERNEL32(00000000,?,00E2C5E9,?), ref: 00E3509B
    • SetLastError.KERNEL32(00000000,?,00E2C5E9,?), ref: 00E350A7
    • _abort.LIBCMT ref: 00E350AD
    Similarity
    • API ID: ErrorLast$_free$_abort
    • String ID:
    • API String ID: 3160817290-0
    • Opcode ID: 340246fedc1289771e1c3be8295e2753626c8728155dd3cf2c5f910f61d50d04
    • Instruction ID: d7fbb3cb05283e63ebb1cc0fc2b6c37447e8947ec69fdd9c4611d51b6b891c3f
    • Opcode Fuzzy Hash: 340246fedc1289771e1c3be8295e2753626c8728155dd3cf2c5f910f61d50d04
    • Instruction Fuzzy Hash: 67F04937505B002FD73933369C0EE5E1EA99FC2775F252018F404B23D2EE228806C491
    APIs
    • wsprintfW.USER32 ref: 00E1CCE3
      • Part of subcall function 00E15020: GetLocalTime.KERNEL32(?,75BF73E0,?,?,?,?,?,?,00E12EED,?), ref: 00E1503B
    • #111.MSI(?,00E58924,00000000), ref: 00E1CCAD
      • Part of subcall function 00E1D8D0: _wcsstr.LIBVCRUNTIME ref: 00E1D955
      • Part of subcall function 00E1D8D0: _wcsstr.LIBVCRUNTIME ref: 00E1D969
    Strings
    Similarity
    • API ID: _wcsstr$#111LocalTimewsprintf
    • String ID: %s=false$sKeeps=%s$sUpdates=%s
    • API String ID: 1346525361-486326842
    • Opcode ID: 733f7f897ac8b6db729e132ede01662665a6d760607de76964fddd9d559958f7
    • Instruction ID: 6ebded3a10722c9f879a8fc6d54b71959ec728f46e1f21facc584eab6bb43a59
    • Opcode Fuzzy Hash: 733f7f897ac8b6db729e132ede01662665a6d760607de76964fddd9d559958f7
    • Instruction Fuzzy Hash: 6C5151719002289BCB24EF14DD45AADB7F4FF84715F10A5A9E889B7291DF709A88CFC1
    APIs
    • __Getcvt.LIBCPMT ref: 00E25B02
    • MultiByteToWideChar.KERNEL32(00000000,00000009,00000001,00000002,?,00000000,?,00000001,00000000,?,invalid string position,F9744ECF,00000000,?,00E23B35,00000000), ref: 00E25B50
    • MultiByteToWideChar.KERNEL32(00000000,00000009,?,?,?,00000000,?,00000001,00000000,?,invalid string position,F9744ECF,00000000,?,00E23B35,00000000), ref: 00E25BC2
    • MultiByteToWideChar.KERNEL32(00000000,00000009,?,00000001,?,00000000,?,00000001,00000000,?,invalid string position,F9744ECF,00000000,?,00E23B35,00000000), ref: 00E25BEA
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1779433342.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
    • Associated: 00000000.00000002.1779418342.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1779458961.0000000000E46000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1779477317.0000000000E5D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1779491698.0000000000E5F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1779505912.0000000000E61000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e10000_Setup.jbxd
    Similarity
    • API ID: ByteCharMultiWide$Getcvt
    • String ID: _<
    • API String ID: 3195005509-2997813957
    • Opcode ID: 1fe9c40802413f1c5412a81bec5503f84a80132ee3b80a1183deb3dc1d76a5a0
    • Instruction ID: a802a3a9893acddc3218cbf4a76196a91365e666da59ea112393d7c2ba0977ca
    • Opcode Fuzzy Hash: 1fe9c40802413f1c5412a81bec5503f84a80132ee3b80a1183deb3dc1d76a5a0
    • Instruction Fuzzy Hash: A0411472600B69EFDB218F65E981BAAB7F9FF02314F24552AF811AB290D771DC40CB10
    APIs
    • MultiByteToWideChar.KERNEL32(?,00000000,99E85006,00E2D0E8,00000000,00000000,00E2E259,?,Y,?,00000001,00E2D0E8,99E85006,00000001,00E2E259,00E2E259), ref: 00E3959F
    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00E39628
    • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00E3963A
    • __freea.LIBCMT ref: 00E39643
      • Part of subcall function 00E31E61: RtlAllocateHeap.NTDLL(00000000,00000003,00000000,?,00000003,00E350B2,?,00E2C5E9,?), ref: 00E31E93
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1779433342.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
    • Associated: 00000000.00000002.1779418342.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1779458961.0000000000E46000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1779477317.0000000000E5D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1779491698.0000000000E5F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1779505912.0000000000E61000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e10000_Setup.jbxd
    Similarity
    • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
    • String ID: Y
    • API String ID: 2652629310-3314497812
    • Opcode ID: 9de6cfbe8b97be575b2d1834bf0d48509aa39d630b50cfbbc73baed7e61e1a14
    • Instruction ID: 2b37521f31f6e0bcaca351f58e34e0578a13e53e6bf1deeaee02b1ff2fd40b96
    • Opcode Fuzzy Hash: 9de6cfbe8b97be575b2d1834bf0d48509aa39d630b50cfbbc73baed7e61e1a14
    • Instruction Fuzzy Hash: 7E310172A0121AAFDF258F65DC8ADAE7BA5EF41314F144168FC04EB252E735CC55CBA0
    APIs
    • RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE\dotnet\Setup\InstalledVersions\x86\sharedfx\Microsoft.WindowsDesktop.App,00000000,00020019,?), ref: 00E1124E
    • RegEnumValueW.ADVAPI32(?,00000000,?,00000208,00000000,?,?,?), ref: 00E112A0
    • RegCloseKey.ADVAPI32(?), ref: 00E112E7
    Strings
    • SOFTWARE\dotnet\Setup\InstalledVersions\x86\sharedfx\Microsoft.WindowsDesktop.App, xrefs: 00E11244
    • 8.0, xrefs: 00E112BD
    Memory Dump Source
    • Source File: 00000000.00000002.1779433342.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
    • Associated: 00000000.00000002.1779418342.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1779458961.0000000000E46000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1779477317.0000000000E5D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1779491698.0000000000E5F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1779505912.0000000000E61000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e10000_Setup.jbxd
    Similarity
    • API ID: CloseEnumOpenValue
    • String ID: 8.0$SOFTWARE\dotnet\Setup\InstalledVersions\x86\sharedfx\Microsoft.WindowsDesktop.App
    • API String ID: 4012628704-2633004180
    • Opcode ID: 1f8251df3c3e251a5fd842b05631d89b6ee54edf0b09119cbef538637cb00548
    • Instruction ID: dc7180f09edff9993979f178247ad8651a2a07540355a29e32afe31e9e543275
    • Opcode Fuzzy Hash: 1f8251df3c3e251a5fd842b05631d89b6ee54edf0b09119cbef538637cb00548
    • Instruction Fuzzy Hash: 5321277598022CAADB308B51DC8CFDAB3BCEB15304F0011E5EA09F2151EA319F88DF91
    APIs
    • RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE\HIMSA\Installationinfo\Noah\v4,00000000,00020019,?), ref: 00E1144C
    • RegQueryValueExW.ADVAPI32(00000000,Installed,00000000,?,00000000,?), ref: 00E11475
    • RegCloseKey.ADVAPI32(00000000), ref: 00E11492
    Strings
    • SOFTWARE\HIMSA\Installationinfo\Noah\v4, xrefs: 00E11439
    • Installed, xrefs: 00E1146F
    Memory Dump Source
    • Source File: 00000000.00000002.1779433342.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
    • Associated: 00000000.00000002.1779418342.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1779458961.0000000000E46000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1779477317.0000000000E5D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1779491698.0000000000E5F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1779505912.0000000000E61000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e10000_Setup.jbxd
    Similarity
    • API ID: CloseOpenQueryValue
    • String ID: Installed$SOFTWARE\HIMSA\Installationinfo\Noah\v4
    • API String ID: 3677997916-3839896131
    • Opcode ID: 0bc6bd586ba2219243ab62b80a5e317117bb1b21858a11973b1ffb88d974b448
    • Instruction ID: 9b0814f3a802957ccaeac6b8560327bae9a6b7182d273e7987dd30fbeacef04e
    • Opcode Fuzzy Hash: 0bc6bd586ba2219243ab62b80a5e317117bb1b21858a11973b1ffb88d974b448
    • Instruction Fuzzy Hash: 0901D87194121CBFDB30CFD49C45BEEB3BCAB06B19F1051C6EA14B3140D3716A489AA5
    APIs
    • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00E3322F,00000003,?,00E331CF,00000003,00E5B790,0000000C,00E332E2,00000003,00000002), ref: 00E3325A
    • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00E3326D
    • FreeLibrary.KERNEL32(00000000,?,?,?,00E3322F,00000003,?,00E331CF,00000003,00E5B790,0000000C,00E332E2,00000003,00000002,00000000), ref: 00E33290
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1779433342.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
    • Associated: 00000000.00000002.1779418342.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1779458961.0000000000E46000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1779477317.0000000000E5D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1779491698.0000000000E5F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1779505912.0000000000E61000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e10000_Setup.jbxd
    Similarity
    • API ID: AddressFreeHandleLibraryModuleProc
    • String ID: CorExitProcess$mscoree.dll
    • API String ID: 4061214504-1276376045
    • Opcode ID: 140b4612b37130443d2554d2bb8528fed0a33d6a27eda65e64864890bee9a6d5
    • Instruction ID: 49f6ac61611251577f1e1b6bf4350e81b4234410b594adad007b3298e6ad62a6
    • Opcode Fuzzy Hash: 140b4612b37130443d2554d2bb8528fed0a33d6a27eda65e64864890bee9a6d5
    • Instruction Fuzzy Hash: 0BF04434904218BFDB159FA5DC09FAEBFB5EF05756F000168F805B6160CB708E45CB95
    Memory Dump Source
    • Source File: 00000000.00000002.1779433342.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
    • Associated: 00000000.00000002.1779418342.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1779458961.0000000000E46000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1779477317.0000000000E5D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1779491698.0000000000E5F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1779505912.0000000000E61000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e10000_Setup.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: d016166e07be4ee9a84f7e3520df9745307e13eaee2543219158e51b98a87556
    • Instruction ID: 4d6e85017a8cf6791bfffb9802e7e18e5edc690bab51a6811ae043cbd67a2ce5
    • Opcode Fuzzy Hash: d016166e07be4ee9a84f7e3520df9745307e13eaee2543219158e51b98a87556
    • Instruction Fuzzy Hash: FD71D2B19012169BCB249F55CC48ABFBF75EF51354F286239E891B7281D7708DC1CB62
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.1779433342.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
    • Associated: 00000000.00000002.1779418342.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1779458961.0000000000E46000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1779477317.0000000000E5D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1779491698.0000000000E5F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1779505912.0000000000E61000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e10000_Setup.jbxd
    Similarity
    • API ID: _free
    • String ID:
    • API String ID: 269201875-0
    • Opcode ID: db6acd16b34335b912f17c2ea73f7a1134f064409bdb33e6cc30e5cf4e0f8cf2
    • Instruction ID: afdcf04023608b0ea29cff6d8293b121e0079158bd6076c9e946c67c85ef4968
    • Opcode Fuzzy Hash: db6acd16b34335b912f17c2ea73f7a1134f064409bdb33e6cc30e5cf4e0f8cf2
    • Instruction Fuzzy Hash: BA41D5B2A002149FCB24DF78C885A6EBBF5EF85314F1556A9E515FB381EB31AD02CB40
    APIs
    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00E116E0
    • Process32FirstW.KERNEL32(00000000,0000022C), ref: 00E116F0
    • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 00E11791
    • Process32NextW.KERNEL32(00000000,?), ref: 00E1179D
    • CloseHandle.KERNEL32(00000000), ref: 00E117A8
    Memory Dump Source
    • Source File: 00000000.00000002.1779433342.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
    • Associated: 00000000.00000002.1779418342.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1779458961.0000000000E46000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1779477317.0000000000E5D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1779491698.0000000000E5F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1779505912.0000000000E61000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e10000_Setup.jbxd
    Similarity
    • API ID: Process32$CloseCreateFirstHandleNextOpenProcessSnapshotToolhelp32
    • String ID:
    • API String ID: 1181503618-0
    • Opcode ID: 46270ff30ad29071eacb18af6c18d885fadbab3cdc67a05f14eff7c5699f4bf9
    • Instruction ID: e2d9ab697a18e586e2993255d35f4c0b1ef1155524b5755c7ed68a69d31458fc
    • Opcode Fuzzy Hash: 46270ff30ad29071eacb18af6c18d885fadbab3cdc67a05f14eff7c5699f4bf9
    • Instruction Fuzzy Hash: CE218C76A012186AD720EB659C46FDE73FCFF45701F0011A6F609F6141DE349B998B61
    APIs
    • GetLastError.KERNEL32(00000000,00000000,00000000,00E2C006,00000000,?,?,00E2C08A,00000000,00000000,00000000,00000000,00000000,?,00E25685), ref: 00E350B8
    • _free.LIBCMT ref: 00E350ED
    • _free.LIBCMT ref: 00E35114
    • SetLastError.KERNEL32(00000000), ref: 00E35121
    • SetLastError.KERNEL32(00000000), ref: 00E3512A
    Memory Dump Source
    • Source File: 00000000.00000002.1779433342.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
    • Associated: 00000000.00000002.1779418342.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1779458961.0000000000E46000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1779477317.0000000000E5D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1779491698.0000000000E5F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1779505912.0000000000E61000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e10000_Setup.jbxd
    Similarity
    • API ID: ErrorLast$_free
    • String ID:
    • API String ID: 3170660625-0
    • Opcode ID: c88986d12d3989bcec8cbb4090766b329e58aba63b0c9413d68e6be7de1303a1
    • Instruction ID: 4d6e66887680cf5699d8a3d1fea60b4158658bec7818cf0a6a874eb1969c582f
    • Opcode Fuzzy Hash: c88986d12d3989bcec8cbb4090766b329e58aba63b0c9413d68e6be7de1303a1
    • Instruction Fuzzy Hash: 8601213B142F002AD32A63365C8EA5B2EA9DFC6375F302428F414B2392EE24880AC161
    APIs
    • _free.LIBCMT ref: 00E3D05A
      • Part of subcall function 00E32695: HeapFree.KERNEL32(00000000,00000000,?,00E3D2F5,?,00000000,?,00000000,?,00E3D599,?,00000007,?,?,00E3D93D,?), ref: 00E326AB
      • Part of subcall function 00E32695: GetLastError.KERNEL32(?,?,00E3D2F5,?,00000000,?,00000000,?,00E3D599,?,00000007,?,?,00E3D93D,?,?), ref: 00E326BD
    • _free.LIBCMT ref: 00E3D06C
    • _free.LIBCMT ref: 00E3D07E
    • _free.LIBCMT ref: 00E3D090
    • _free.LIBCMT ref: 00E3D0A2
    Memory Dump Source
    • Source File: 00000000.00000002.1779433342.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
    • Associated: 00000000.00000002.1779418342.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1779458961.0000000000E46000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1779477317.0000000000E5D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1779491698.0000000000E5F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1779505912.0000000000E61000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e10000_Setup.jbxd
    Similarity
    • API ID: _free$ErrorFreeHeapLast
    • String ID:
    • API String ID: 776569668-0
    • Opcode ID: e98d56a80bfb8949fd4d56358726b67ed5bff62e50b6c9eeec139c8eb1d9d912
    • Instruction ID: 7c15886139ce9fd42441d8252bc08e007ab78b31229b7672239fee77c7cb7c86
    • Opcode Fuzzy Hash: e98d56a80bfb8949fd4d56358726b67ed5bff62e50b6c9eeec139c8eb1d9d912
    • Instruction Fuzzy Hash: C9F03C725097006B8638EB65FD8AC5A7BEBAF44B29F982809F144FB550CA30FC81CA55
    APIs
    • _free.LIBCMT ref: 00E34B4B
      • Part of subcall function 00E32695: HeapFree.KERNEL32(00000000,00000000,?,00E3D2F5,?,00000000,?,00000000,?,00E3D599,?,00000007,?,?,00E3D93D,?), ref: 00E326AB
      • Part of subcall function 00E32695: GetLastError.KERNEL32(?,?,00E3D2F5,?,00000000,?,00000000,?,00E3D599,?,00000007,?,?,00E3D93D,?,?), ref: 00E326BD
    • _free.LIBCMT ref: 00E34B5D
    • _free.LIBCMT ref: 00E34B70
    • _free.LIBCMT ref: 00E34B81
    • _free.LIBCMT ref: 00E34B92
    Memory Dump Source
    • Source File: 00000000.00000002.1779433342.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
    • Associated: 00000000.00000002.1779418342.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1779458961.0000000000E46000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1779477317.0000000000E5D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1779491698.0000000000E5F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1779505912.0000000000E61000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e10000_Setup.jbxd
    Similarity
    • API ID: _free$ErrorFreeHeapLast
    • String ID:
    • API String ID: 776569668-0
    • Opcode ID: da247b23af90f801b8707261c3f9910d8e4c05563feaa408c01fcfd405612d42
    • Instruction ID: 0d3d86c815518a560e17cb4f27352c7a553db623f41d18e838af381b8723b7b8
    • Opcode Fuzzy Hash: da247b23af90f801b8707261c3f9910d8e4c05563feaa408c01fcfd405612d42
    • Instruction Fuzzy Hash: 4DF030B04153108F871E6F26BC4B4183FB1FB09726B081949F5587A371DF711A49CB87
    APIs
    • std::_Xinvalid_argument.LIBCPMT ref: 00E233F3
    • std::_Xinvalid_argument.LIBCPMT ref: 00E233FD
    • __Wcrtomb.LIBCPMT ref: 00E23444
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1779433342.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
    • Associated: 00000000.00000002.1779418342.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1779458961.0000000000E46000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1779477317.0000000000E5D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1779491698.0000000000E5F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1779505912.0000000000E61000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e10000_Setup.jbxd
    Similarity
    • API ID: Xinvalid_argumentstd::_$Wcrtomb
    • String ID: string too long
    • API String ID: 1459785110-2556327735
    • Opcode ID: e92fcd803b7ba08daa7e6804b89088cb36938b7c5d795ab6e123f74eefa42f78
    • Instruction ID: 35c17d97f82cb73701cbf01fd9996c74ca7accdd7722fc90e503d5f4cf13033d
    • Opcode Fuzzy Hash: e92fcd803b7ba08daa7e6804b89088cb36938b7c5d795ab6e123f74eefa42f78
    • Instruction Fuzzy Hash: E151D772700224DBCB24DF6CF8819AEB3F8FF58711B10556FE956E7241DA319A14CBA0
    APIs
    • #70.MSI(?,VersionMajor,?,?), ref: 00E18D3C
    • #70.MSI(?,VersionMinor,?,?), ref: 00E18D5C
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1779433342.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
    • Associated: 00000000.00000002.1779418342.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1779458961.0000000000E46000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1779477317.0000000000E5D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1779491698.0000000000E5F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1779505912.0000000000E61000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e10000_Setup.jbxd
    Similarity
    • API ID:
    • String ID: VersionMajor$VersionMinor
    • API String ID: 0-2995207800
    • Opcode ID: 45d315c603d2c4e0b8adc0f3dff1e29430dfb906d61e661e56cc9ac70971f500
    • Instruction ID: 78f8013cdb8ec620cc5cca016f2f0275f77553d70873c6585a6a833316152984
    • Opcode Fuzzy Hash: 45d315c603d2c4e0b8adc0f3dff1e29430dfb906d61e661e56cc9ac70971f500
    • Instruction Fuzzy Hash: 2B5126B590021C8ADB24DB10DD45BFAB3B9EF55304F4445E9D90ABB282DF32AF85CB64
    APIs
    • #70.MSI(?,VersionMajor,?,?), ref: 00E18D3C
    • #70.MSI(?,VersionMinor,?,?), ref: 00E18D5C
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1779433342.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
    • Associated: 00000000.00000002.1779418342.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1779458961.0000000000E46000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1779477317.0000000000E5D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1779491698.0000000000E5F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1779505912.0000000000E61000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e10000_Setup.jbxd
    Similarity
    • API ID:
    • String ID: VersionMajor$VersionMinor
    • API String ID: 0-2995207800
    • Opcode ID: ba9183e36ba304b0cb0464ae7a3e1c99c5302dcb2f76cd84879449a58eddadbb
    • Instruction ID: e612ccc26e7cd0126b3f0cd7a7493590a043e9565a24fabeffb190dfcdf8de00
    • Opcode Fuzzy Hash: ba9183e36ba304b0cb0464ae7a3e1c99c5302dcb2f76cd84879449a58eddadbb
    • Instruction Fuzzy Hash: 215127B590021C9ADB24DB10CD45FEAB3BDEF55304F4445E5DA0ABB182EB31AF86CB64
    APIs
    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E3716D
    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E37182
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1779433342.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
    • Associated: 00000000.00000002.1779418342.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1779458961.0000000000E46000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1779477317.0000000000E5D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1779491698.0000000000E5F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1779505912.0000000000E61000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e10000_Setup.jbxd
    Similarity
    • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
    • String ID: o$o
    • API String ID: 885266447-2774027131
    • Opcode ID: 0db5bd88e037f7f0837ced7c33efb990530580da5dfda529b61d2c2409944ff3
    • Instruction ID: 5081e22fa08cebe354a601b15d47d34f9f8addcddbf11476e9f846aabc07b62a
    • Opcode Fuzzy Hash: 0db5bd88e037f7f0837ced7c33efb990530580da5dfda529b61d2c2409944ff3
    • Instruction Fuzzy Hash: D55171B2A04209AFCB28DF59C888AADBFF2EF84314F199159E858A7361D7319D41DB40
    APIs
    • std::_Xinvalid_argument.LIBCPMT ref: 00E215E6
    • std::_Xinvalid_argument.LIBCPMT ref: 00E215F0
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1779433342.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
    • Associated: 00000000.00000002.1779418342.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1779458961.0000000000E46000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1779477317.0000000000E5D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1779491698.0000000000E5F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1779505912.0000000000E61000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e10000_Setup.jbxd
    Similarity
    • API ID: Xinvalid_argumentstd::_
    • String ID: invalid string position$string too long
    • API String ID: 909987262-4289949731
    • Opcode ID: 9d95002b8d9bddf61ca7ee85b23cb444565022be56900eb2ce8fe49128aa19b0
    • Instruction ID: 4231f48698aebf533c573a0a3801528141a00222889bd7db8e1be3bdda59f489
    • Opcode Fuzzy Hash: 9d95002b8d9bddf61ca7ee85b23cb444565022be56900eb2ce8fe49128aa19b0
    • Instruction Fuzzy Hash: C931E4327447249B8B24DF58F88186AB3F9FFE475431069AFF443EB250DA31EA048794
    APIs
    • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\Setup.exe,00000104), ref: 00E32ACE
    • _free.LIBCMT ref: 00E32B99
    • _free.LIBCMT ref: 00E32BA3
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1779433342.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
    • Associated: 00000000.00000002.1779418342.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1779458961.0000000000E46000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1779477317.0000000000E5D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1779491698.0000000000E5F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1779505912.0000000000E61000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e10000_Setup.jbxd
    Similarity
    • API ID: _free$FileModuleName
    • String ID: C:\Users\user\Desktop\Setup.exe
    • API String ID: 2506810119-2320538190
    • Opcode ID: 0b63f07c6d5c01e605cb5a4ad639d25c80bfa432d86e7ac9cbadf1dea2c1e4af
    • Instruction ID: 16c8f5a756b635b622d25b6a27329ab702c425162a029a35dbb2b0f80a0fc05e
    • Opcode Fuzzy Hash: 0b63f07c6d5c01e605cb5a4ad639d25c80bfa432d86e7ac9cbadf1dea2c1e4af
    • Instruction Fuzzy Hash: FF318171A00318AFCB25DF9ADC89C9EBFF8EB89314F1050AAEA44B7210D6715E45CB90
    APIs
    • std::_Xinvalid_argument.LIBCPMT ref: 00E237A8
    • std::_Xinvalid_argument.LIBCPMT ref: 00E237B2
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1779433342.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
    • Associated: 00000000.00000002.1779418342.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1779458961.0000000000E46000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1779477317.0000000000E5D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1779491698.0000000000E5F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1779505912.0000000000E61000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e10000_Setup.jbxd
    Similarity
    • API ID: Xinvalid_argumentstd::_
    • String ID: invalid string position$string too long
    • API String ID: 909987262-4289949731
    • Opcode ID: eb57b14b016541a57c9e540da04d3632e7b85aaf0ef04a0b15150412e293940f
    • Instruction ID: b11371fbd3fa42e168047aec918fbd8e0ef91e4f502e08dbfd406af931071d03
    • Opcode Fuzzy Hash: eb57b14b016541a57c9e540da04d3632e7b85aaf0ef04a0b15150412e293940f
    • Instruction Fuzzy Hash: EB31A2B63017208FDB24CE6CF840A6BB3E5EF95711B10192FE552E7681C771D9408BA5
    APIs
    • GetModuleFileNameW.KERNEL32(00000000,?,00000400), ref: 00E1BAAC
    • GetLongPathNameW.KERNEL32(?,?,00000400), ref: 00E1BABF
    • GetFileAttributesW.KERNEL32(?), ref: 00E1BB3E
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1779433342.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
    • Associated: 00000000.00000002.1779418342.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1779458961.0000000000E46000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1779477317.0000000000E5D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1779491698.0000000000E5F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1779505912.0000000000E61000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e10000_Setup.jbxd
    Similarity
    • API ID: FileName$AttributesLongModulePath
    • String ID: Markets
    • API String ID: 489188955-3631104298
    • Opcode ID: 0f1f1cd85c24c232d61d943448195829c8252444dfb6198a7985bfd86014cc49
    • Instruction ID: f2092e77ac4b7b7f8c68e6aac0a78c45887b772f31750b8ddde84a48b9f56fff
    • Opcode Fuzzy Hash: 0f1f1cd85c24c232d61d943448195829c8252444dfb6198a7985bfd86014cc49
    • Instruction Fuzzy Hash: 3A31F1B6D5031CAAEB11DBA0DC86FDA73BCAB08701F5056D1B709F60C1DA70AB49CB64
    APIs
    • RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE\HIMSA\Installationinfo\NOAH Engine,00000000,00020019,?), ref: 00E11376
      • Part of subcall function 00E256A0: RegQueryValueExW.ADVAPI32(00000000,Major,00000000,?,?,?,?,00000000,?,00E113B1,?,?,00000104), ref: 00E256CA
    • RegCloseKey.ADVAPI32(00000000,?,?,00000104), ref: 00E113F6
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1779433342.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
    • Associated: 00000000.00000002.1779418342.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1779458961.0000000000E46000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1779477317.0000000000E5D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1779491698.0000000000E5F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1779505912.0000000000E61000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e10000_Setup.jbxd
    Similarity
    • API ID: CloseOpenQueryValue
    • String ID: ,#$SOFTWARE\HIMSA\Installationinfo\NOAH Engine
    • API String ID: 3677997916-2636575691
    • Opcode ID: 9f89cff8e75493e6566c01e36b9033e4b0e41ba732f7db2ae5830cee1989f491
    • Instruction ID: 435835bbad77b88c9aa38f287ed148e615b147b16b60f3793be9fd34624746f4
    • Opcode Fuzzy Hash: 9f89cff8e75493e6566c01e36b9033e4b0e41ba732f7db2ae5830cee1989f491
    • Instruction Fuzzy Hash: 4B21F8B194122C9ADB20EF50DC49BEAB3B4EB35308F5111E6D919B7241E7715E84CE90
    APIs
    • SysFreeString.OLEAUT32(00000000), ref: 00E24EE6
    • SysAllocString.OLEAUT32(00E13DD8), ref: 00E24F02
    • VariantClear.OLEAUT32 ref: 00E24F21
    Strings
    Similarity
    • API ID: String$AllocClearFreeVariant
    • String ID: `<u
    • API String ID: 1665868789-3367579956
    • Opcode ID: f794fee0e12c74f39edf0a418b25521bd214e4d385ab304d3da4c95dbb380478
    • Instruction ID: 70e3766a12041a7579891de8d1ecc05ca06e73e4495c064b9cf827b456df1ebf
    • Opcode Fuzzy Hash: f794fee0e12c74f39edf0a418b25521bd214e4d385ab304d3da4c95dbb380478
    • Instruction Fuzzy Hash: 8C115E72904618EFDB14CF6ADD08B9ABBECFB46724F10825AF814E7750D7B599018B90
    APIs
    • GetPrivateProfileStringW.KERNEL32(Startup,UpgradeCode,00E52748,?,00000400,?), ref: 00E1898E
    Strings
    Similarity
    • API ID: PrivateProfileString
    • String ID: Setup.ini$Startup$UpgradeCode
    • API String ID: 1096422788-3103580541
    • Opcode ID: afc31eb6822c728d63356f9976b165a8a3c87f01b78b7359b2a2be4ccc7e64ed
    • Instruction ID: f329fa544e56ea30fe7bab618b3ac16e9d5d42b1d80607706ccaf02adda57564
    • Opcode Fuzzy Hash: afc31eb6822c728d63356f9976b165a8a3c87f01b78b7359b2a2be4ccc7e64ed
    • Instruction Fuzzy Hash: 3411A7F1A402186BCB20DB94DD06FEA73F8EB04705F45A4A1EB49B71C0EE706A5D87D5
    APIs
    • GetPrivateProfileStringW.KERNEL32(Startup,PackageCode,00E52748,?,00000400,?), ref: 00E18A5E
    Strings
    Similarity
    • API ID: PrivateProfileString
    • String ID: PackageCode$Setup.ini$Startup
    • API String ID: 1096422788-2852067979
    • Opcode ID: 08c543c8a01f13b134d1bedba35612af038cb4c6b927ee17723035e83304c06f
    • Instruction ID: d76179de192d6f10e2ec8356a2027dff75ed45e3902616bf2d87131f290788fc
    • Opcode Fuzzy Hash: 08c543c8a01f13b134d1bedba35612af038cb4c6b927ee17723035e83304c06f
    • Instruction Fuzzy Hash: 2E11A7F1A403186BCB20DB94DD06FEA73F8EB04705F45A4A1EA49B71C0EE706A5D87D5
    APIs
      • Part of subcall function 00E25780: InitializeCriticalSectionEx.KERNEL32(?,00000000,00000000,00E257D4,?,?,?,00E1100A), ref: 00E25785
      • Part of subcall function 00E25780: GetLastError.KERNEL32(?,?,?,00E1100A), ref: 00E2578F
    • IsDebuggerPresent.KERNEL32(?,?,?,00E1100A), ref: 00E257D8
    • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00E1100A), ref: 00E257E7
    Strings
    • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00E257E2
    • b, xrefs: 00E257C8
    Similarity
    • API ID: CriticalDebugDebuggerErrorInitializeLastOutputPresentSectionString
    • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule$b
    • API String ID: 3511171328-4164368264
    • Opcode ID: bcba7fe18981b493863d82c127cc13084cd606b12707a98b5cb08e1483e65375
    • Instruction ID: 0683580cf28b700977b1ad5d9fa5d18716d39467e62c60d835cdc5995b026547
    • Opcode Fuzzy Hash: bcba7fe18981b493863d82c127cc13084cd606b12707a98b5cb08e1483e65375
    • Instruction Fuzzy Hash: 89E06D71200B618FC334DF26F5093467AE4AB06344F00982EE492F2650EBF4D4888BA2
    APIs
    Similarity
    • API ID: __alldvrm$_strrchr
    • String ID:
    • API String ID: 1036877536-0
    • Opcode ID: ddb67ea5e7390498592550945761c74f9022e2f8b1ae10fba023ebbbe9c96b51
    • Instruction ID: d0585446d9e555ff32e54025c8360ec37a19362ac995e9524cedbdf2d1b0f989
    • Opcode Fuzzy Hash: ddb67ea5e7390498592550945761c74f9022e2f8b1ae10fba023ebbbe9c96b51
    • Instruction Fuzzy Hash: AFA13373A00B86DFEB258F28C8867BEBFE5EF55314F24516EE495AB381C2348941C750
    APIs
    Similarity
    • API ID: _wcsstr
    • String ID:
    • API String ID: 1512112989-0
    • Opcode ID: 791109fb9614cba2f59bae7c047191e4be5d86144869c9c1133bba8f579bddd0
    • Instruction ID: 3ea93f4373b05d0ecff6a98521bc3bac919140736f3721891ec4c6b10dc66791
    • Opcode Fuzzy Hash: 791109fb9614cba2f59bae7c047191e4be5d86144869c9c1133bba8f579bddd0
    • Instruction Fuzzy Hash: 3371C175E0861A8FCF14DFA8DD819EEB7B5EF88304B155169DD05B7200EB70AE45CB90
    APIs
    Similarity
    • API ID: _free
    • String ID:
    • API String ID: 269201875-0
    • Opcode ID: e61f259f34bf3a954350fc2a873c530e588ffbb2917e9b2ced9946a5558c538e
    • Instruction ID: 7557591c710bb7dc3a78e3dc6d12f1417a2b5aa7f3cb4e4455c9879789955be2
    • Opcode Fuzzy Hash: e61f259f34bf3a954350fc2a873c530e588ffbb2917e9b2ced9946a5558c538e
    • Instruction Fuzzy Hash: 68413931A00210ABDB316FBDAC4AAAE3EE5EF41374F246659F438F7191DE344E019262
    APIs
    • Concurrency::cancel_current_task.LIBCPMT ref: 00E253D4
      • Part of subcall function 00E278AD: __CxxThrowException@8.LIBVCRUNTIME ref: 00E278C4
    • Concurrency::cancel_current_task.LIBCPMT ref: 00E253E9
    • new.LIBCMT ref: 00E253EF
    • new.LIBCMT ref: 00E25403
    Similarity
    • API ID: Concurrency::cancel_current_task$Exception@8Throw
    • String ID:
    • API String ID: 3339364867-0
    • Opcode ID: f3c91ac5e71468208783491a5b7dca96217866e04bf46314a8f99bfef4c115ec
    • Instruction ID: d0497284b4c0931e10a0a44a2dc5a48510098ad5a90af5fadb6af174d3c778b4
    • Opcode Fuzzy Hash: f3c91ac5e71468208783491a5b7dca96217866e04bf46314a8f99bfef4c115ec
    • Instruction Fuzzy Hash: 8641E772604A20DBC724EF24FA8166AF7F5EB44355B20272DE463E7390EB709944C7A1
    APIs
    • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00000000,00000000,?,00E37DDD,?,00000000,00000000,00000000,?,00E38095,00000006,FlsSetValue), ref: 00E37E68
    • GetLastError.KERNEL32(?,00E37DDD,?,00000000,00000000,00000000,?,00E38095,00000006,FlsSetValue,00E4BEC8,00E4BED0,00000000,00000364,?,00E35101), ref: 00E37E74
    • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00E37DDD,?,00000000,00000000,00000000,?,00E38095,00000006,FlsSetValue,00E4BEC8,00E4BED0,00000000), ref: 00E37E82
    Similarity
    • API ID: LibraryLoad$ErrorLast
    • String ID:
    • API String ID: 3177248105-0
    • Opcode ID: 23ff6b866146e4f8e4f56514cc3e1571514778bcf1fbf41731818e8c2ca3958a
    • Instruction ID: 17442b4125d034ffab359aa53f9526f8f55f73dd5b9a5f0b8034bcdacd29e325
    • Opcode Fuzzy Hash: 23ff6b866146e4f8e4f56514cc3e1571514778bcf1fbf41731818e8c2ca3958a
    • Instruction Fuzzy Hash: AE01D47661A322AFC7314B6BDC489577F98AF46BA1B210668F98AF3241D720DC05C6E0
    APIs
    • ___BuildCatchObject.LIBVCRUNTIME ref: 00E27D91
      • Part of subcall function 00E283C9: ___AdjustPointer.LIBCMT ref: 00E28413
    • _UnwindNestedFrames.LIBCMT ref: 00E27DA8
    • ___FrameUnwindToState.LIBVCRUNTIME ref: 00E27DBA
    • CallCatchBlock.LIBVCRUNTIME ref: 00E27DDE
    Similarity
    • API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
    • String ID:
    • API String ID: 2633735394-0
    • Opcode ID: 19d28792bf5ad10568d26a9260ad0be167e286851862e4513cb67c6fa0c2f46d
    • Instruction ID: b344ab17275497a74e19cb47190fc4806d20f745953e67fd62ab3af915741dd5
    • Opcode Fuzzy Hash: 19d28792bf5ad10568d26a9260ad0be167e286851862e4513cb67c6fa0c2f46d
    • Instruction Fuzzy Hash: ED01E532000129BBCF129F55EC01EEA7BBAFF49754F15A014FD5876121D772E8A1EBA0
    APIs
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: ab4bb586d9406ce3075532d00346e5fbac91d128ee3bcd05abf8e932d62cc2d1
    • Instruction ID: e64bb81afd621619908769d443a8096fe2f6f03a20d5677853b5c5af9c641b62
    • Opcode Fuzzy Hash: ab4bb586d9406ce3075532d00346e5fbac91d128ee3bcd05abf8e932d62cc2d1
    • Instruction Fuzzy Hash: C3F020F36082300B9B0CF374BC5793E73C8CB203A87102239F01AE6285F932E814C269
    APIs
    • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00E2B944
    • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00E2B949
    • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 00E2B94E
      • Part of subcall function 00E2BCBE: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 00E2BCCF
    • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00E2B963
    Similarity
    • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
    • String ID:
    • API String ID: 1761009282-0
    • Opcode ID: 7041c0a9c5153094988800ed5fbccf238efb4d57f388d269b370a6803fb669da
    • Instruction ID: e4ac869e25fb50f75a70e2dc5c88318f545eb20dbb5800a629183198da97af5b
    • Opcode Fuzzy Hash: 7041c0a9c5153094988800ed5fbccf238efb4d57f388d269b370a6803fb669da
    • Instruction Fuzzy Hash: 4CC04C54044272501C243BB131132AE93D41CD6BC9B9034C1FAAA374135F06148A5237
    APIs
    • __startOneArgErrorHandling.LIBCMT ref: 00E3251D
    Strings
    Similarity
    • API ID: ErrorHandling__start
    • String ID: pow
    • API String ID: 3213639722-2276729525
    • Opcode ID: e8dcedfda6431aa05b69925b0e60590b7eb1988bf32891f73a5f6afa48742ee2
    • Instruction ID: bd7143550ec00998550540abbd54b7a8bd79a0f73879b8b07f288d4ca1df16f6
    • Opcode Fuzzy Hash: e8dcedfda6431aa05b69925b0e60590b7eb1988bf32891f73a5f6afa48742ee2
    • Instruction Fuzzy Hash: 8351BB71A05205AACB117B14C91E3BE2FD0DB40704F30AD5DE2C7B62B9EB708D95DA47
    APIs
    • std::_Xinvalid_argument.LIBCPMT ref: 00E23BEB
    Strings
    Similarity
    • API ID: Xinvalid_argumentstd::_
    • String ID: invalid string position$string too long
    • API String ID: 909987262-4289949731
    • Opcode ID: e40af0bf6662129aed4f4a33d9a0c4896c0e3f06c38dab908e192a1928c7cbc1
    • Instruction ID: 02f4b62211d36eb8cb63b375759f8a4837d935808d471fb7f6379aacd8f6b6b8
    • Opcode Fuzzy Hash: e40af0bf6662129aed4f4a33d9a0c4896c0e3f06c38dab908e192a1928c7cbc1
    • Instruction Fuzzy Hash: 3241E8323007208BD7349E7CF881A5AF7E9EF94711F20192FE556A7681C775DD408BA5
    APIs
    • std::_Xinvalid_argument.LIBCPMT ref: 00E236A4
    • std::_Xinvalid_argument.LIBCPMT ref: 00E236AE
    Strings
    Similarity
    • API ID: Xinvalid_argumentstd::_
    • String ID: string too long
    • API String ID: 909987262-2556327735
    • Opcode ID: 418bc580028e8b792d14a6d938b9606b4f97ea9272273051a98140c37f5b5128
    • Instruction ID: a2b4a328296a4cbe22a42c2caafff8a022e7d6c52710dd1c83e92154ae53ef28
    • Opcode Fuzzy Hash: 418bc580028e8b792d14a6d938b9606b4f97ea9272273051a98140c37f5b5128
    • Instruction Fuzzy Hash: 323129323406305BD734D96CB88096AF3EDEB95721B202D2EE596F7781CB25DD448BA0
    APIs
    • std::_Xinvalid_argument.LIBCPMT ref: 00E252E5
    Strings
    Similarity
    • API ID: Xinvalid_argumentstd::_
    • String ID: invalid string position$string too long
    • API String ID: 909987262-4289949731
    • Opcode ID: 52055a585d57704e42fc5eaa0a93e835eedac5d7d83859932ad089267695565e
    • Instruction ID: c550b7d3234806f863ebe012fc815feb781af1b21cb6422c29f67796e718e4ce
    • Opcode Fuzzy Hash: 52055a585d57704e42fc5eaa0a93e835eedac5d7d83859932ad089267695565e
    • Instruction Fuzzy Hash: 0E318033305B24CB87249F98F98096AF3F9FFD4751310292FE456E76A1EB31A81487A5
    APIs
    • std::_Xinvalid_argument.LIBCPMT ref: 00E24817
    • std::_Xinvalid_argument.LIBCPMT ref: 00E24821
    Strings
    Similarity
    • API ID: Xinvalid_argumentstd::_
    • String ID: string too long
    • API String ID: 909987262-2556327735
    • Opcode ID: 34f10128ab795aa3e870e1e1ebeb1efd4ab204c09952fc1c5237b698fa0eaccc
    • Instruction ID: fb8fe2d0648d5e2cd59adcf60e0104ec6c801f3dd3adff2eb89921b707143e8e
    • Opcode Fuzzy Hash: 34f10128ab795aa3e870e1e1ebeb1efd4ab204c09952fc1c5237b698fa0eaccc
    • Instruction Fuzzy Hash: 53215C763147708BD7359E5CF440966F7E8EFA2714B10192FE5A2EB6C2C7B29804C7A1
    APIs
    • std::_Xinvalid_argument.LIBCPMT ref: 00E243D5
    • std::_Xinvalid_argument.LIBCPMT ref: 00E243DF
    Strings
    Similarity
    • API ID: Xinvalid_argumentstd::_
    • String ID: string too long
    • API String ID: 909987262-2556327735
    • Opcode ID: 0b333499b39667639d60825085b490279672b6fee3f1d273909eb99a30096ff0
    • Instruction ID: 5c90ea91b3467ce90a9942403bc4be215581b2ade52b303a886d8479efea0dff
    • Opcode Fuzzy Hash: 0b333499b39667639d60825085b490279672b6fee3f1d273909eb99a30096ff0
    • Instruction Fuzzy Hash: 5E21D672304770DBC731DE5CB40066AFBE8EBA6721B10191FE5D1AB2D2C7729444C7A1
    APIs
    • GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,00E3E271,00000000,00000050,?,?,?,?,?), ref: 00E3E0F1
    Strings
    Similarity
    • API ID:
    • String ID: ACP$OCP
    • API String ID: 0-711371036
    • Opcode ID: 730dcafd7c3b3de89dcb7358a6dfde90c9573bb44a399b6fbd6543b1226111db
    • Instruction ID: 9b5057f6861a1c86be905a9beed5e9b3898dd3fd42352c0408fbfcdb6a4655d1
    • Opcode Fuzzy Hash: 730dcafd7c3b3de89dcb7358a6dfde90c9573bb44a399b6fbd6543b1226111db
    • Instruction Fuzzy Hash: 9821F862A00100A6EB3C8F65D909BA77BA6DF94B58F565424F909FB380FB73DD41CB50
    APIs
    Strings
    Similarity
    • API ID: _free
    • String ID: D$H
    • API String ID: 269201875-841036128
    • Opcode ID: de43f3b3b7ce29269c3c83244770b84b786dff8682f1770c113f26df813d5ea6
    • Instruction ID: b8ae9e541cc2b8b3312bfd8d41acd905c177473e104de35e4d01fac4aa1028ce
    • Opcode Fuzzy Hash: de43f3b3b7ce29269c3c83244770b84b786dff8682f1770c113f26df813d5ea6
    • Instruction Fuzzy Hash: F811B771105302AFDB349F39D45AB577BE4EF54358F20A42DF54DA7242DB719841CB50
    APIs
    • RegCreateKeyExW.ADVAPI32(80000002,SOFTWARE\ReSound\Aventa3,00000000,00000000,00000000,0002001F,00000000,00000000,?), ref: 00E24B70
    • RegCloseKey.ADVAPI32(00000000), ref: 00E24B83
      • Part of subcall function 00E24A90: GetModuleHandleW.KERNEL32(Advapi32.dll,?,?,00E24B57,?,?,?,?,00000000,?), ref: 00E24AA0
      • Part of subcall function 00E24A90: GetProcAddress.KERNEL32(00000000,RegCreateKeyTransactedW), ref: 00E24AB0
    Strings
    • SOFTWARE\ReSound\Aventa3, xrefs: 00E24B66
    Similarity
    • API ID: AddressCloseCreateHandleModuleProc
    • String ID: SOFTWARE\ReSound\Aventa3
    • API String ID: 1765684683-2604720436
    • Opcode ID: 5d107290dfad4a887e2a747d4d9ad972cfb58a371e1a8a18c8524d639f988365
    • Instruction ID: 49de5245303fd16a3843f0ca24205c3abee7fe6593c25d0888d24ef8c142e5e3
    • Opcode Fuzzy Hash: 5d107290dfad4a887e2a747d4d9ad972cfb58a371e1a8a18c8524d639f988365
    • Instruction Fuzzy Hash: 9201A4B5740315ABE734DF69EC06F96B7ECAB08700F20406DAA45F32C1EB70E9049B65
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1779433342.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
    • Associated: 00000000.00000002.1779418342.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1779458961.0000000000E46000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1779477317.0000000000E5D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1779491698.0000000000E5F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1779505912.0000000000E61000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e10000_Setup.jbxd
    Similarity
    • API ID: String$AllocFree
    • String ID: `<u
    • API String ID: 344208780-3367579956
    • Opcode ID: 982c3f8f64e8f9afcc2e653fd93bccb929132a299779e6c7ec6c617ab1236f93
    • Instruction ID: 7fcd5c19d9078cd4a0bd205e55f9e87d79a60dffa9c34412b3be6d2a65f5a93d
    • Opcode Fuzzy Hash: 982c3f8f64e8f9afcc2e653fd93bccb929132a299779e6c7ec6c617ab1236f93
    • Instruction Fuzzy Hash: FAE086B520071A9BCB245FB9E80454277D8EB16758B104435BB44EBA11E671D8108792
    APIs
    • MessageBoxW.USER32(00000000,Could not create log file.,Setup,00000030), ref: 00E12A36
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1779433342.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
    • Associated: 00000000.00000002.1779418342.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1779458961.0000000000E46000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1779477317.0000000000E5D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1779491698.0000000000E5F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1779505912.0000000000E61000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e10000_Setup.jbxd
    Similarity
    • API ID: Message
    • String ID: Could not create log file.$Setup
    • API String ID: 2030045667-1997299431
    • Opcode ID: d18691a758cf0bce94b7e1b9edf6ddbf76e08022d8e31ffc48924c847f1701b8
    • Instruction ID: 5900867e96007c3cab3854bc46d0ca398b3adf3618ecaff6c223404b13d84c35
    • Opcode Fuzzy Hash: d18691a758cf0bce94b7e1b9edf6ddbf76e08022d8e31ffc48924c847f1701b8
    • Instruction Fuzzy Hash: CAB012383C23023ED11413902C27F0424006743F03FA02548BB00BD1E062D01248C40F
    APIs
    • MultiByteToWideChar.KERNEL32(?,00000009,00000000,00000000,F9744ECF,00000000,00000000,00000000,00000000,00E22B1F,00E22B1F,00000000,00000000,00000000,F9744ECF,008CEF00), ref: 00E39D22
    • GetLastError.KERNEL32 ref: 00E39D30
    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,F9744ECF,00000000), ref: 00E39D8B
    Memory Dump Source
    • Source File: 00000000.00000002.1779433342.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
    • Associated: 00000000.00000002.1779418342.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1779458961.0000000000E46000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1779477317.0000000000E5D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1779491698.0000000000E5F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1779505912.0000000000E61000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e10000_Setup.jbxd
    Similarity
    • API ID: ByteCharMultiWide$ErrorLast
    • String ID:
    • API String ID: 1717984340-0
    • Opcode ID: 812b67e1dfd4ab1cedf5e7e308bdf43eb0a594e2eca65766e7496ca29f8439be
    • Instruction ID: 8fe61a8031dcd3aecc674a87869f289354cb2e34390a91ae86f7862287ded865
    • Opcode Fuzzy Hash: 812b67e1dfd4ab1cedf5e7e308bdf43eb0a594e2eca65766e7496ca29f8439be
    • Instruction Fuzzy Hash: 77410731A00255AFCF219F75C849BAE7FB4EF42314F645159E8597B2A3DBB18C01C750