Edit tour

Windows Analysis Report
Setup.exe

Overview

General Information

Sample name:	Setup.exe
Analysis ID:	1546095
MD5:	95486d6342dc7b14023e3b355807ef1e
SHA1:	913bf386c7c926dc759bcf3230e76cebef095edd
SHA256:	3cee2515ce1a3a44978470ae310fa56b1dafa4ef767064dbae6a924753f30b5d
Tags:	exeuser-Bacn
Infos:

Detection

Score:	9
Range:	0 - 100
Whitelisted:	false
Confidence:	60%

Signatures

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

Extensive use of GetProcAddress (often used to hide API calls)

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

PE file contains executable resources (Code or Archives)

Queries keyboard layouts

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

Setup.exe (PID: 5284 cmdline: "C:\Users\user\Desktop\Setup.exe" MD5: 95486D6342DC7B14023E3B355807EF1E)

Setup.tmp (PID: 1532 cmdline: "C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp" /SL5="$2046C,4323117,283648,C:\Users\user\Desktop\Setup.exe" MD5: A0E7A0F9F7BDA34FD5C17A6F7D69B1CB)

cleanup

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-31T14:03:16.459842+0100	2022930	1	A Network Trojan was detected	4.175.87.197	443	192.168.2.5	49704	TCP
2024-10-31T14:03:56.432778+0100	2022930	1	A Network Trojan was detected	4.175.87.197	443	192.168.2.5	50969	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: Setup.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source:

Binary string: f:\mydev\inno-download-plugin\unicode\idp.pdb source: Setup.tmp, 00000001.00000002.3285496717.00000000035A0000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000001.00000002.3284805123.00000000032CD000.00000002.00000001.01000000.00000006.sdmp, idp.dll.1.dr

Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032A3A90 FtpSetCurrentDirectoryW,FtpFindFirstFileW,InternetFindNextFileW,InternetFindNextFileW,InternetCloseHandle,		1_2_032A3A90
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032E6D24 FindFirstFileA,		1_2_032E6D24

Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp

Code function: 4x nop then cmp dword ptr [ebp-08h], 00000000h

1_2_03343D38

Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.175.87.197:443 -> 192.168.2.5:49704
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.175.87.197:443 -> 192.168.2.5:50969

Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp

Code function: 1_2_032A2A20 GetTickCount,GetTickCount,GetTickCount,InternetReadFile,_fwrite,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,

1_2_032A2A20

Source: Setup.tmp, 00000001.00000002.3284842277.00000000032D8000.00000002.00000001.01000000.00000006.sdmp, Setup.tmp, 00000001.00000002.3283452223.000000000018F000.00000004.00000010.00020000.00000000.sdmp, Setup.tmp, 00000001.00000002.3285496717.00000000035A0000.00000004.00001000.00020000.00000000.sdmp, idp.dll.1.dr	String found in binary or memory: http://bitbucket.org/mitrich_k/inno-download-plugin
Source: Setup.tmp, 00000001.00000002.3284842277.00000000032D8000.00000002.00000001.01000000.00000006.sdmp, Setup.tmp, 00000001.00000002.3283452223.000000000018F000.00000004.00000010.00020000.00000000.sdmp, Setup.tmp, 00000001.00000002.3285496717.00000000035A0000.00000004.00001000.00020000.00000000.sdmp, idp.dll.1.dr	String found in binary or memory: http://mitrichsoftware.wordpress.comB
Source: Setup.exe, 00000000.00000003.2021421161.0000000002480000.00000004.00001000.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2021667783.000000007FCC0000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000001.00000000.2022390819.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Setup.tmp.0.dr	String found in binary or memory: http://restools.hanzify.org/
Source: Setup.exe, 00000000.00000002.3283746507.00000000022B3000.00000004.00001000.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2020688693.0000000002480000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000001.00000003.2023643872.0000000003260000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000001.00000002.3283987069.00000000022A6000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.dk-soft.org/
Source: Setup.exe, 00000000.00000003.2021421161.0000000002480000.00000004.00001000.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2021667783.000000007FCC0000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000001.00000000.2022390819.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Setup.tmp.0.dr	String found in binary or memory: http://www.innosetup.com/
Source: Setup.exe, 00000000.00000003.2021421161.0000000002480000.00000004.00001000.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2021667783.000000007FCC0000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000001.00000000.2022390819.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Setup.tmp.0.dr	String found in binary or memory: http://www.remobjects.com/ps
Source: Setup.tmp, 00000001.00000002.3285167977.00000000034E8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/vs/16/release/vc_redist.x64.exe

Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032E6570 SetWindowLongA,GetWindowLongA,NtdllDefWindowProc_A,	1_2_032E6570
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032E95BC CallWindowProcA,NtdllDefWindowProc_A,	1_2_032E95BC
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032F197C NtQueryInformationFile,WideCharToMultiByte,RtlExitUserThread,	1_2_032F197C
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032F197A NtQueryInformationFile,WideCharToMultiByte,RtlExitUserThread,	1_2_032F197A
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032F1944 NtQuerySystemInformation,	1_2_032F1944

Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032C8B05	1_2_032C8B05
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032C227D	1_2_032C227D
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032C2AA9	1_2_032C2AA9
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032BD927	1_2_032BD927
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032C91C9	1_2_032C91C9
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032C19D6	1_2_032C19D6
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032C8081	1_2_032C8081
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032BB0D0	1_2_032BB0D0
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032C1EA9	1_2_032C1EA9
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032C2689	1_2_032C2689
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032C9EC2	1_2_032C9EC2
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032C85C3	1_2_032C85C3
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032BBCE7	1_2_032BBCE7
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_0330C360	1_2_0330C360
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_03341220	1_2_03341220
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_0332E2D8	1_2_0332E2D8
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_0330E1F0	1_2_0330E1F0
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_033360E4	1_2_033360E4
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_0330C720	1_2_0330C720
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_03340798	1_2_03340798
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_0332D5B5	1_2_0332D5B5
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_0330E590	1_2_0330E590
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_0331A46A	1_2_0331A46A
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_03342B49	1_2_03342B49
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_0332FB98	1_2_0332FB98
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_03308AFA	1_2_03308AFA
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_03341918	1_2_03341918
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_0332B808	1_2_0332B808
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_03343FC8	1_2_03343FC8
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_0332BE28	1_2_0332BE28
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_0330CED0	1_2_0330CED0
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_03342DE8	1_2_03342DE8
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_03340CDC	1_2_03340CDC

Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: String function: 032BB074 appears 44 times
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: String function: 033366AC appears 43 times
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: String function: 032EEC74 appears 49 times

Source: Setup.exe	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: Setup.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: Setup.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows

Source: Setup.exe, 00000000.00000003.2021421161.0000000002606000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameshfolder.dll~/ vs Setup.exe
Source: Setup.exe, 00000000.00000003.2021667783.000000007FE42000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameshfolder.dll~/ vs Setup.exe

Source: Setup.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: classification engine

Classification label: clean9.winEXE@3/9@0/0

Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp

Code function: 1_2_034410C4 EnumWindows,CoCreateInstance,

1_2_034410C4

Source: C:\Users\user\Desktop\Setup.exe

File created: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp

Jump to behavior

Source: C:\Users\user\Desktop\Setup.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior

Source: C:\Users\user\Desktop\Setup.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization

Jump to behavior

Source: C:\Users\user\Desktop\Setup.exe

File read: C:\Users\user\Desktop\Setup.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Setup.exe "C:\Users\user\Desktop\Setup.exe"
Source: C:\Users\user\Desktop\Setup.exe	Process created: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp "C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp" /SL5="$2046C,4323117,283648,C:\Users\user\Desktop\Setup.exe"
Source: C:\Users\user\Desktop\Setup.exe	Process created: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp "C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp" /SL5="$2046C,4323117,283648,C:\Users\user\Desktop\Setup.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Setup.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: acgenral.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Section loaded: explorerframe.dll	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp

Window found: window name: TSelectLanguageForm

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: Setup.exe

Static file information: File size 4938818 > 1048576

Source:

Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp

Code function: 1_2_032C6912 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__invoke_watson,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__invoke_watson,__decode_pointer,__decode_pointer,__decode_pointer,

1_2_032C6912

Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032BB0B9 push ecx; ret	1_2_032BB0CC
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032B7775 push ecx; ret	1_2_032B7788
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032E9364 push dword ptr [eax+7Fh]; ret	1_2_032E9398
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_0332B378 push esi; mov dword ptr [esp], ecx	1_2_0332B379
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032E9360 push dword ptr [eax+7Fh]; ret	1_2_032E9363
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032EB340 push 032EB36Ch; ret	1_2_032EB364
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032F8354 push 032F83ACh; ret	1_2_032F83A4
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_0332B398 push eax; mov dword ptr [esp], edi	1_2_0332B57A
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_0332F388 push eax; mov dword ptr [esp], ecx	1_2_0332FAAB
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032E5390 push 032E53E1h; ret	1_2_032E53D9
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032F4204 push 032F4230h; ret	1_2_032F4228
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032F4264 push 032F4290h; ret	1_2_032F4288
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032F4262 push 032F4290h; ret	1_2_032F4288
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032F411C push 032F4148h; ret	1_2_032F4140
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032F415C push 032F4188h; ret	1_2_032F4180
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032F415A push 032F4188h; ret	1_2_032F4180
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032F0158 push 032F0184h; ret	1_2_032F017C
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032F4194 push 032F41C0h; ret	1_2_032F41B8
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032F41CC push 032F41F8h; ret	1_2_032F41F0
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_0332F028 push eax; mov dword ptr [esp], esi	1_2_0332F1BF
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032F5064 push 032F5090h; ret	1_2_032F5088
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032F509C push 032F50C8h; ret	1_2_032F50C0
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032F4098 push 032F40C4h; ret	1_2_032F40BC
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032FF098 push 032FF0C4h; ret	1_2_032FF0BC
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032F40E4 push 032F4110h; ret	1_2_032F4108
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032F50D4 push 032F5100h; ret	1_2_032F50F8
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032EA764 push 032EA7BAh; ret	1_2_032EA7B2
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_0332E778 push eax; mov dword ptr [esp], edi	1_2_0332ECE6
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_0332E778 push eax; mov dword ptr [esp], ecx	1_2_0332EF07
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032EA7BC push 032EA7E9h; ret	1_2_032EA7E1
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032E564C push 032E5678h; ret	1_2_032E5670

Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	File created: C:\Users\user\AppData\Local\Temp\is-L4NFS.tmp\_isetup\_shfoldr.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	File created: C:\Users\user\AppData\Local\Temp\is-L4NFS.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	File created: C:\Users\user\AppData\Local\Temp\is-L4NFS.tmp\ISDone.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	File created: C:\Users\user\AppData\Local\Temp\is-L4NFS.tmp\idp.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	File created: C:\Users\user\AppData\Local\Temp\is-L4NFS.tmp\WinTB.dll	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp

Code function: 1_2_032EA7EC GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

1_2_032EA7EC

Source: C:\Users\user\Desktop\Setup.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-L4NFS.tmp\_isetup\_shfoldr.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-L4NFS.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-L4NFS.tmp\ISDone.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-L4NFS.tmp\idp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-L4NFS.tmp\WinTB.dll	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp

API coverage: 2.2 %

Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032A3A90 FtpSetCurrentDirectoryW,FtpFindFirstFileW,InternetFindNextFileW,InternetFindNextFileW,InternetCloseHandle,		1_2_032A3A90
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032E6D24 FindFirstFileA,		1_2_032E6D24

Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	API call chain: ExitProcess graph end node			graph_1-50274
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	API call chain: ExitProcess graph end node			graph_1-49950

Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp

Code function: 1_2_032B610F _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

1_2_032B610F

Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp

1_2_032C6912

Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp

Code function: 1_2_032BAB50 GetProcessHeap,

1_2_032BAB50

Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032B610F _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_032B610F
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032B5D38 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_032B5D38
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032B9C57 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_032B9C57
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032BF4AF __decode_pointer,SetUnhandledExceptionFilter,	1_2_032BF4AF
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032BF48D SetUnhandledExceptionFilter,__encode_pointer,	1_2_032BF48D

Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp

Code function: 1_2_032C68A5 cpuid

1_2_032C68A5

Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: GetLocaleInfoA,	1_2_032C12D9
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: _TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itoa_s,	1_2_032C17F3
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: _LcidFromHexString,GetLocaleInfoA,	1_2_032C13BB
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoW_stat,	1_2_032C63ED
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,	1_2_032C0BF4
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoA,__alloca_probe_16,_malloc,GetLocaleInfoA,MultiByteToWideChar,__freea,	1_2_032C62B2
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: GetLocaleInfoA,	1_2_032C3160
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement,	1_2_032B7808
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: GetLocaleInfoA,_LocaleUpdate::_LocaleUpdate,___ascii_strnicmp,__tolower_l,__tolower_l,	1_2_032C6709
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	1_2_032C1752
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	1_2_032C17B7
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: GetLocaleInfoA,_xtoa_s@20,	1_2_032B8FF8
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,InterlockedDecrement,InterlockedDecrement,	1_2_032C0E45
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: _LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,	1_2_032C1693
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	1_2_032C6565
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,	1_2_032C0598
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,__alloca_probe_16,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,GetLocaleInfoA,	1_2_032C6428
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoA,	1_2_032C0434
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen,	1_2_032C1451
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: _LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,	1_2_032C14C3
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: GetLocaleInfoA,	1_2_032E531C

Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp

Code function: 1_2_032BF38D GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

1_2_032BF38D

Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp

Code function: 1_2_032B6F7F GetProcessHeap,GetProcessHeap,HeapAlloc,GetVersionExA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,__heap_term,__RTC_Initialize,GetCommandLineA,___crtGetEnvironmentStringsA,__ioinit,__mtterm,__setargv,__setenvp,__cinit,__ioterm,__ioterm,__mtterm,__heap_term,___set_flsgetvalue,__calloc_crt,__decode_pointer,GetCurrentThreadId,__freeptd,

1_2_032B6F7F

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 Process Injection	1 Process Injection	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	2 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	3 Obfuscated Files or Information	Security Account Manager	2 System Owner/User Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	33 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Setup.exe	0%	ReversingLabs

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Local\Temp\is-L4NFS.tmp\ISDone.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-L4NFS.tmp\WinTB.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-L4NFS.tmp\_isetup\_setup64.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-L4NFS.tmp\_isetup\_shfoldr.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-L4NFS.tmp\idp.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	3%	ReversingLabs

Source	Detection	Scanner	Label
http://www.innosetup.com/	0%	URL Reputation	safe
http://www.remobjects.com/ps	0%	URL Reputation	safe
http://www.dk-soft.org/	0%	URL Reputation	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.innosetup.com/	Setup.exe, 00000000.00000003.2021421161.0000000002480000.00000004.00001000.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2021667783.000000007FCC0000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000001.00000000.2022390819.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Setup.tmp.0.dr	false	URL Reputation: safe	unknown
http://restools.hanzify.org/	Setup.exe, 00000000.00000003.2021421161.0000000002480000.00000004.00001000.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2021667783.000000007FCC0000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000001.00000000.2022390819.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Setup.tmp.0.dr	false		unknown
http://bitbucket.org/mitrich_k/inno-download-plugin	Setup.tmp, 00000001.00000002.3284842277.00000000032D8000.00000002.00000001.01000000.00000006.sdmp, Setup.tmp, 00000001.00000002.3283452223.000000000018F000.00000004.00000010.00020000.00000000.sdmp, Setup.tmp, 00000001.00000002.3285496717.00000000035A0000.00000004.00001000.00020000.00000000.sdmp, idp.dll.1.dr	false		unknown
http://www.remobjects.com/ps	Setup.exe, 00000000.00000003.2021421161.0000000002480000.00000004.00001000.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2021667783.000000007FCC0000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000001.00000000.2022390819.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Setup.tmp.0.dr	false	URL Reputation: safe	unknown
https://aka.ms/vs/16/release/vc_redist.x64.exe	Setup.tmp, 00000001.00000002.3285167977.00000000034E8000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://mitrichsoftware.wordpress.comB	Setup.tmp, 00000001.00000002.3284842277.00000000032D8000.00000002.00000001.01000000.00000006.sdmp, Setup.tmp, 00000001.00000002.3283452223.000000000018F000.00000004.00000010.00020000.00000000.sdmp, Setup.tmp, 00000001.00000002.3285496717.00000000035A0000.00000004.00001000.00020000.00000000.sdmp, idp.dll.1.dr	false		unknown
http://www.dk-soft.org/	Setup.exe, 00000000.00000002.3283746507.00000000022B3000.00000004.00001000.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2020688693.0000000002480000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000001.00000003.2023643872.0000000003260000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000001.00000002.3283987069.00000000022A6000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1546095
Start date and time:	2024-10-31 14:02:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 15s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Setup.exe
Detection:	CLEAN
Classification:	clean9.winEXE@3/9@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 7 Number of non-executed functions: 124
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
VT rate limit hit for: Setup.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\is-L4NFS.tmp\_isetup\_setup64.tmp	iv2Mm5SEJF.exe	Get hash	malicious	Socks5Systemz	Browse
	R3Tb6f1QFD.exe	Get hash	malicious	Socks5Systemz	Browse
	FrYYvqvO2s.exe	Get hash	malicious	Socks5Systemz	Browse
	urHdxJtF4p.exe	Get hash	malicious	Socks5Systemz	Browse
	gi5qOqqypd.exe	Get hash	malicious	Socks5Systemz	Browse
	rXoyCPba6O.exe	Get hash	malicious	Socks5Systemz	Browse
	M4.1vserup-Setup_Install.exe	Get hash	malicious	Unknown	Browse
	M4.1vserup-Setup_Install.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Trojan.GenericKD.71608900.20864.14305.exe	Get hash	malicious	Unknown	Browse
	1314-PCPS_OEM_4-2-0-301_setup (1).exe	Get hash	malicious	Unknown	Browse
C:\Users\user\AppData\Local\Temp\is-L4NFS.tmp\_isetup\_shfoldr.dll	chica-pc-shield-1-75-0-1300-en-win.exe	Get hash	malicious	GhostRat, Xtreme RAT	Browse
	chica-pc-shield-1-75-0-1300-en-win.exe	Get hash	malicious	GhostRat, KillMBR, Xtreme RAT	Browse
	veraport-g3-x64.exe	Get hash	malicious	Unknown	Browse
	veraport-g3-x64.exe	Get hash	malicious	Unknown	Browse
	VgTEzAer6E.exe	Get hash	malicious	Socks5Systemz	Browse
	iv2Mm5SEJF.exe	Get hash	malicious	Socks5Systemz	Browse
	R3Tb6f1QFD.exe	Get hash	malicious	Socks5Systemz	Browse
	FrYYvqvO2s.exe	Get hash	malicious	Socks5Systemz	Browse
	urHdxJtF4p.exe	Get hash	malicious	Socks5Systemz	Browse
	gi5qOqqypd.exe	Get hash	malicious	Socks5Systemz	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\is-L4NFS.tmp\ISDone.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	463360
Entropy (8bit):	6.425896288176112
Encrypted:	false
SSDEEP:	6144:QdFS9nBbvESTi3qakl6j+vn+nLE4FZZHYnf9ketkqOGzgsgmInbAKf3:R9BUqmvLE4FZKf6eDOG8sgmInk4
MD5:	4FEAFA8B5E8CDB349125C8AF0AC43974
SHA1:	7F17E5E1B088FC73690888B215962FBCD395C9BD
SHA-256:	BB8A0245DCC5C10A1C7181BAD509B65959855009A8105863EF14F2BB5B38AC71
SHA-512:	D63984EE385B4F1EBA8E590D6DE4F082FB0121689295EC6E496539209459152465F6DB09E6D8F92EEC996A89FC40432077CBFA807BEB2DE7F375154FEF6554BC
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	moderate, very likely benign file
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*..................... ....................@..........................p.......................................0..9.......t....`.......................@......................................................................................CODE................................ ..`DATA................................@...BSS.....)"...............................idata..t...........................@....edata..9....0......................@..P.reloc.......@... ..................@..P.rsrc........`......................@..P.............p......................@..P................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-L4NFS.tmp\QIcon.ico

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp
File Type:	MS Windows icon resource - 5 icons, 256x256 with PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced, 32 bits/pixel, 48x48, 32 bits/pixel
Category:	dropped
Size (bytes):	20890
Entropy (8bit):	6.413736197450338
Encrypted:	false
SSDEEP:	384:KjGnEgOed2lllllzFFFYrQx/ONKfp7qSsv/lPlN:KjwEg3w/E
MD5:	C51102DACF0506D628911D37D8AEA2C9
SHA1:	706186C19E415539EB74D9F98CDD759B6F833BE8
SHA-256:	5F8D6210FEBCA3B6780249912872CF3E9CB0D9B5E7A59A88F80F68392BB34789
SHA-512:	14BF97620CA3E03B4C5A2B428ADB06020F594D78C5047E9E6CA73D04136FAE269E9315262714BF762887794CA96CE4BFEFBA3AE0631299223FC379641D565D1F
Malicious:	false
Reputation:	low
Preview:	............ .....V...00.... ..%..Z... .... ......3........ ......C........ .h...2M...PNG........IHDR.............\r.f....IDATx...k.\u........Kw..e....P.E.`...m....4A......PyA..... ...i .......4Q.h.....%.n....mvggvf.9...sL.f...~.>s9;.>s.....s............]x.}....Q?..u...).).'<w..=....'...t.y..#7.. to...>...s.T..g...&........F...Q..a..`....F........K~Q....V.g....w..{..:\|g...l"Ty>....^.W...T.Xm.....~.rY...._.y?.y...s.)9.....\|/v....Q..a..`....F...Q..a..`.E?.p.....oX.....~..W..u.u..u.....Ty./.....FsI...(........'N..r.....=..O..\].o..q...F...Q..a..`....F...Q..a+~...;.r...\....#y=..+z.T.n`...ce..........M8x.{Y.A..D..J.._...8.......(..0..0........(...e..x...T^.=.I/.~\|..#O&Rm..;Zs..;r.e........^..3......S...O....(..0..0........(..0..0L.......6....l{Z...K.......;...1.F...T.2_\.d..\|>~&!?.BN.Qd....>.....M..3{L.....L..p(..p..&&o.g..a..`....F...Q..a..`......2..7.:T.yM.{._.=...w..&.._.P...V.:....._>V...O......$..zS....U.e(]Sy.WF.~:...V.#.G.}...ZY..M.........s\..

C:\Users\user\AppData\Local\Temp\is-L4NFS.tmp\UIcon.ico

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp
File Type:	MS Windows icon resource - 5 icons, 256x256 with PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced, 32 bits/pixel, 48x48, 32 bits/pixel
Category:	dropped
Size (bytes):	29472
Entropy (8bit):	6.147288511776296
Encrypted:	false
SSDEEP:	384:BcejyTps3TbPsQQJ8zxtt/3SUzBAAAAAAAAAzVLbZCUGAAAAAA:BcoyBx8dttKUebZrS
MD5:	014ECE6712E7098FC0BC69675FCABE5C
SHA1:	78A9C65AFD148714E9D7DE1394D982848A77869F
SHA-256:	46346CC016EDBBFB2F52C3C5EAAF6550BFAAE8263E8F9C959F628569CF692BAA
SHA-512:	65A2F67ADBDC76D6BF1C44A28542126B5AF3D9816D7C668C1452180E091B48D6860BCB0DC2E2D22452C4309CEC784A962DCE0772F3A44673D9E7BE89379A0E41
Malicious:	false
Reputation:	low
Preview:	............ .....V...00.... ..%...... .... ......T........ .....0e........ .h....n...PNG........IHDR.............\r.f.. .IDATx..y.$.].?.YYU]..............V...c!d.Z...V.L.p....P..C...;V..............XK..B.@B.b.c....:.......r.fz....}......W...}..;@Q.EQ.EQ.EQ.EQ.EQ.EQ.EQ.EQ.EQ.EQ.EQ.EQ.EQ.EQ.EQ.EQ.EQ.EQ.EQ.EQ.EQ.EQ.EQ.EQ.EQ.EQ.EQ.EQ.EQ.EQ.EQ......H.O?5....c&.....Q........B.<e...MQ.[..`.y...k..O.3..~.)'-.=V..:.{?.`.Wv..>..E....v.M..Z.^s.3.ns,..U...vsN....X6.Us,..9VA..N..&..(w....&o...}.a...ty...z...xn.....#..P....P.....\g.b..U..;p.Q..()&s.S.;..]....q...C...........=...).l..P\)..\|.2...._..s.eNL..X.r.P..()F}...M^.........@.~.S./}$..[.9=..;....2.....x1.......s2%....<.`^0o.e.]....EI1....$.@?.......X......<..e..w.S...l.....S...K.2n./..m...7U...U...b..p.lZ.[..0@.F...u.~...^.E...85..qz....>l[".'.W...].0..w_.].....x...y..9......U...b..p.4...X...S{#..X..G.K..S0k.[~.....;N.7&..Jk2.a.5..8.9.6kP..=..@QR....d...f...Da.*......x..rU...f.<...v.B.Y.+3...>..Z.`z..c...

C:\Users\user\AppData\Local\Temp\is-L4NFS.tmp\WinTB.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3584
Entropy (8bit):	3.515048839873666
Encrypted:	false
SSDEEP:	48:aaiGRUzwegkZ3Zc2cNUKAhWRzRXgluglO2w3Pfci+M:P6zwUZPKAhWd32w3P0dM
MD5:	348F5C9651B979191373EBA950D0EDC3
SHA1:	7C2AF0023C6D07BFCEE4FE9BB0D82C58C3259B49
SHA-256:	6922915886745D1B59320DEE9A87311AADD57F924FFB73CAC1D27573E75BCECC
SHA-512:	57712CA55E65F66974492BA4E209B8E97BC559978A510E48BAC521441D3123AEF812CBB71990C5BAA0446818A6CDA7902D5B9B601AF7FFC2C8C9ECAE98B15082
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......G.4...Z...Z...Z.......Z...[...Z.......Z.$.....Z.$.....Z.$.....Z.Rich..Z.........................PE..L....a._...........!......................... ...............................P.......................................!......t ..P............................@..L.................................................... ..8............................text...\|........................... ..`.rdata....... ......................@..@.data........0......................@....reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-L4NFS.tmp\_isetup\_setup64.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6144
Entropy (8bit):	4.215994423157539
Encrypted:	false
SSDEEP:	96:sfkcXegaJ/ZAYNzcld1xaX12pS5SKvkc:sfJEVYlvxaX12EF
MD5:	4FF75F505FDDCC6A9AE62216446205D9
SHA1:	EFE32D504CE72F32E92DCF01AA2752B04D81A342
SHA-256:	A4C86FC4836AC728D7BD96E7915090FD59521A9E74F1D06EF8E5A47C8695FD81
SHA-512:	BA0469851438212D19906D6DA8C4AE95FF1C0711A095D9F21F13530A6B8B21C3ACBB0FF55EDB8A35B41C1A9A342F5D3421C00BA395BC13BB1EF5902B979CE824
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: iv2Mm5SEJF.exe, Detection: malicious, Browse Filename: R3Tb6f1QFD.exe, Detection: malicious, Browse Filename: FrYYvqvO2s.exe, Detection: malicious, Browse Filename: urHdxJtF4p.exe, Detection: malicious, Browse Filename: gi5qOqqypd.exe, Detection: malicious, Browse Filename: rXoyCPba6O.exe, Detection: malicious, Browse Filename: M4.1vserup-Setup_Install.exe, Detection: malicious, Browse Filename: M4.1vserup-Setup_Install.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Trojan.GenericKD.71608900.20864.14305.exe, Detection: malicious, Browse Filename: 1314-PCPS_OEM_4-2-0-301_setup (1).exe, Detection: malicious, Browse
Reputation:	high, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d...XW:J..........#............................@.............................`..............................................................<!.......P..@....@..0.................................................................... ...............................text............................... ..`.rdata..\|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...@....P......................@..@................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-L4NFS.tmp\_isetup\_shfoldr.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	23312
Entropy (8bit):	4.596242908851566
Encrypted:	false
SSDEEP:	384:+Vm08QoKkiWZ76UJuP71W55iWHHoSHigH2euwsHTGHVb+VHHmnH+aHjHqLHxmoq1:2m08QotiCjJuPGw4
MD5:	92DC6EF532FBB4A5C3201469A5B5EB63
SHA1:	3E89FF837147C16B4E41C30D6C796374E0B8E62C
SHA-256:	9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87
SHA-512:	9908E573921D5DBC3454A1C0A6C969AB8A81CC2E8B5385391D46B1A738FB06A76AA3282E0E58D0D2FFA6F27C85668CD5178E1500B8A39B1BBAE04366AE6A86D3
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: chica-pc-shield-1-75-0-1300-en-win.exe, Detection: malicious, Browse Filename: chica-pc-shield-1-75-0-1300-en-win.exe, Detection: malicious, Browse Filename: veraport-g3-x64.exe, Detection: malicious, Browse Filename: veraport-g3-x64.exe, Detection: malicious, Browse Filename: VgTEzAer6E.exe, Detection: malicious, Browse Filename: iv2Mm5SEJF.exe, Detection: malicious, Browse Filename: R3Tb6f1QFD.exe, Detection: malicious, Browse Filename: FrYYvqvO2s.exe, Detection: malicious, Browse Filename: urHdxJtF4p.exe, Detection: malicious, Browse Filename: gi5qOqqypd.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......IzJ^..$...$...$...%.".$.T87...$.[."...$...$...$.Rich..$.........................PE..L.....\;...........#..... ...4.......'.......0.....q....................................................................k...l)..<....@.../...................p..T....................................................................................text...{........ .................. ..`.data...\....0.......&..............@....rsrc..../...@...0...(..............@..@.reloc.......p.......X..............@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-L4NFS.tmp\idp.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	237568
Entropy (8bit):	6.42067568634536
Encrypted:	false
SSDEEP:	3072:dnSx3lws+iWbUmJmE8dxMw7r+mjT5PbzEFwyGIyTcHY10tSB9j:IP0bUmQEUr+mRcbTx4N
MD5:	55C310C0319260D798757557AB3BF636
SHA1:	0892EB7ED31D8BB20A56C6835990749011A2D8DE
SHA-256:	54E7E0AD32A22B775131A6288F083ED3286A9A436941377FC20F85DD9AD983ED
SHA-512:	E0082109737097658677D7963CBF28D412DCA3FA8F5812C2567E53849336CE45EBAE2C0430DF74BFE16C0F3EEBB46961BC1A10F32CA7947692A900162128AE57
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........)Wj.H99.H99.H99..D9.H99..W9.H99..T9-H99zGd9.H99.H894H99..K9.H99..C9.H99..E9.H99..A9.H99Rich.H99........................PE..L......W...........!................Nr..............................................0............................... ;......h/..d.......................................................................@............................................text...i........................... ..`.rdata...n.......p..................@..@.data....:...@... ...@..............@....rsrc................`..............@..@.reloc..b-.......0...p..............@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-L4NFS.tmp\image.bmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp
File Type:	PC bitmap, Windows 3.x format, 600 x 300 x 24, image size 540002, resolution 11811 x 11811 px/m, cbSize 540056, bits offset 54
Category:	dropped
Size (bytes):	540056
Entropy (8bit):	5.587684743011669
Encrypted:	false
SSDEEP:	6144:sbvw0qyjsweEX0W49ML0kAmay9JG2+VF/dPBy60YylTBC:av3nwhEk1CP9JG7VFr3
MD5:	18E94109A59E4F0ABFD021984483A0C6
SHA1:	C9A8A4F3392847B85FA060372A7005DE41D1CCE2
SHA-256:	107FCE3B0425889A555F623D1F1690C0A5B18C6FCC74ECCDCDC9CE1DFD60F984
SHA-512:	831114B60C3CB06FF5DA49A27C7DEDE2E6C1C4501F0BBD0844B904B90FBE3E20B0514296DC1844D3B8DBF17C78EF4470876B20B47F77E107F218C2999BCD4057
Malicious:	false
Preview:	BM.=......6...(...X...,...........b=..#...#................r..w..}..}..V..D..B..F..F..E..E..E..F..F..G..I..Y.....z..y..y..v..w..x..z..z..~....................{..s..s..v..{..y..{..z..z..w..w..y..y..z..~.....~..{..}.....x..t..}.....~............................................................................................S..=..:..;..=..=..=..>..>..;..G..k..l..`..V..R..T.._..p....................................................................................................................................................................j..e..h..g..f..f..e..h..i..e..f..g..a..]..Z..Z..^..g..g..k..m..n..n..l..m..n..o..r..s..x..z..{..~.........................................m24w%K(+J48T38R59P48N..0..'.. .. .........................................#. +#(4-4@5>N-9J%3E.)=.= /E9Jd;PmC]uGYg....................)5BZ)8X%4S.(8#+9...........................................................................................................................(*4LSl_n.q..{..p..l..Zs.Ol.Bd.Fk.Qo.Da.q...(:.

C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp

Download File

Process:	C:\Users\user\Desktop\Setup.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1636352
Entropy (8bit):	6.552826760020946
Encrypted:	false
SSDEEP:	24576:yH9/gqpQYze0XKvc4BYCsCS3D4kjiIUjyeyXEDq8UbVlc3GYgl4KvjK11DHexL5w:qIEJxCWluyZ8UbMf1De+
MD5:	A0E7A0F9F7BDA34FD5C17A6F7D69B1CB
SHA1:	1769E29CE13CAB7EDD8F8CD2E2A0C27A2377D5D4
SHA-256:	6F43690DF1173E353CBEA3457D1D18C9FFFF5ADEC49C2B9959A77D27B1BFE3E0
SHA-512:	83D2C2A2BF13D774CFF174094359CE043C90F7A85C2599AC0E3B27BC3FAB46DBE3D31418A173047131506A3BAC72A80563ADF0588A07A44E26DC3D3E3A5CDE66
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....ujP.....................D....................@..............................................@..............................`;......X............................................................................................................text............................... ..`.itext.............................. ..`.data....4.......6..................@....bss.....a...............................idata..`;.......<..................@....tls....<............&...................rdata...............&..............@..@.rsrc...X............(..............@..@....................................@..@........................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.987573298412715
TrID:	Win32 Executable (generic) a (10002005/4) 98.86% Inno Setup installer (109748/4) 1.08% Win16/32 Executable Delphi generic (2074/23) 0.02% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02%
File name:	Setup.exe
File size:	4'938'818 bytes
MD5:	95486d6342dc7b14023e3b355807ef1e
SHA1:	913bf386c7c926dc759bcf3230e76cebef095edd
SHA256:	3cee2515ce1a3a44978470ae310fa56b1dafa4ef767064dbae6a924753f30b5d
SHA512:	4b977a58f4ca6e88a674cd2dffdcf9986faa35e617811b1fc0b529205432ee81f6bef980af020d5101fda0590616253f9cd8f11dec5d87494b70aef2f48c389c
SSDEEP:	98304:o1KhvmSEKetrMak8fG+mHztViLAeN7nUgxqzpdhamlHYkSRFOMLTACvaV:o8R2KeGa4+mHXiLAeN7nyzpTlHYkgFOr
TLSH:	02363312B39B4431DB145ABC852694D82E323EB93CE924137CFEEA0F06B73D94477996
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	0b39766c7e74551d

Static PE Info

General

Entrypoint:	0x416478
Entrypoint Section:	.itext
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x506A75C4 [Tue Oct 2 05:04:04 2012 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	483f0c4259a9148c34961abbda6146c1

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
add esp, FFFFFFA4h
push ebx
push esi
push edi
xor eax, eax
mov dword ptr [ebp-3Ch], eax
mov dword ptr [ebp-40h], eax
mov dword ptr [ebp-5Ch], eax
mov dword ptr [ebp-30h], eax
mov dword ptr [ebp-38h], eax
mov dword ptr [ebp-34h], eax
mov dword ptr [ebp-2Ch], eax
mov dword ptr [ebp-28h], eax
mov dword ptr [ebp-14h], eax
mov eax, 004152B8h
call 00007F1EB501E091h
xor eax, eax
push ebp
push 00416B45h
push dword ptr fs:[eax]
mov dword ptr fs:[eax], esp
xor edx, edx
push ebp
push 00416B01h
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
mov eax, dword ptr [0041AB48h]
call 00007F1EB502C93Bh
call 00007F1EB502C4E2h
lea edx, dword ptr [ebp-14h]
xor eax, eax
call 00007F1EB5026164h
mov edx, dword ptr [ebp-14h]
mov eax, 0041D6ECh
call 00007F1EB501C6C7h
push 00000002h
push 00000000h
push 00000001h
mov ecx, dword ptr [0041D6ECh]
mov dl, 01h
mov eax, dword ptr [0040F080h]
call 00007F1EB5026A4Fh
mov dword ptr [0041D6F0h], eax
xor edx, edx
push ebp
push 00416AADh
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
call 00007F1EB502C9C3h
mov dword ptr [0041D6F8h], eax
mov eax, dword ptr [0041D6F8h]
cmp dword ptr [eax+0Ch], 01h
jne 00007F1EB502DD2Ah
mov eax, dword ptr [0041D6F8h]
mov edx, 00000028h
call 00007F1EB5026F18h
mov edx, dword ptr [0041D6F8h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1e000	0xf9e	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x21000	0x2df6c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x20000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1e350	0x24c	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x143f8	0x14400	345db2b6911addc85b53f32245f969a0	False	0.5487316743827161	data	6.482204165609409	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext	0x16000	0xbe8	0xc00	2e74d968caedeb2d71b9505530d43907	False	0.6243489583333334	data	6.0151573487586	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x17000	0xd9c	0xe00	d5b22eff9e08edaa95f493c1a71158c0	False	0.2924107142857143	data	2.669288666959085	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss	0x18000	0x5750	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x1e000	0xf9e	0x1000	b47eaca4c149ee829de76a342b5560d5	False	0.35595703125	data	4.9677831942996935	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x1f000	0x8	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x20000	0x18	0x200	3746f5876803f8f30db5bb2deb8772ae	False	0.05078125	data	0.190488766434666	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x21000	0x2df6c	0x2e000	fc6033f666471b0c0fb567d6618f5396	False	0.7127420176630435	data	7.0759575988301915	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x215cc	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	English	United States	0.592741935483871
RT_ICON	0x218b4	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	United States	0.6216216216216216
RT_ICON	0x219dc	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2688	English	United States	0.7065565031982942
RT_ICON	0x22884	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1152	English	United States	0.8167870036101083
RT_ICON	0x2312c	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 320	English	United States	0.8041907514450867
RT_ICON	0x23694	0x17526	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	1.000345455687457
RT_ICON	0x3abbc	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	English	United States	0.548063297118564
RT_ICON	0x3ede4	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.5930497925311203
RT_ICON	0x4138c	0x1a68	Device independent bitmap graphic, 40 x 80 x 32, image size 6720	English	United States	0.6276627218934911
RT_ICON	0x42df4	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.675891181988743
RT_ICON	0x43e9c	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	English	United States	0.7434426229508196
RT_ICON	0x44824	0x6b8	Device independent bitmap graphic, 20 x 40 x 32, image size 1680	English	United States	0.775
RT_ICON	0x44edc	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.8342198581560284
RT_STRING	0x45344	0xc4	data			0.5969387755102041
RT_STRING	0x45408	0xcc	data			0.6225490196078431
RT_STRING	0x454d4	0x174	data			0.5510752688172043
RT_STRING	0x45648	0x39c	data			0.34523809523809523
RT_STRING	0x459e4	0x34c	data			0.4218009478672986
RT_STRING	0x45d30	0x294	data			0.4106060606060606
RT_RCDATA	0x45fc4	0x82e8	data	English	United States	0.11261637622344235
RT_RCDATA	0x4e2ac	0x10	data			1.5
RT_RCDATA	0x4e2bc	0x1b0	data			0.8194444444444444
RT_RCDATA	0x4e46c	0x2c	data			1.2045454545454546
RT_GROUP_ICON	0x4e498	0xbc	data	English	United States	0.6648936170212766
RT_VERSION	0x4e554	0x4b8	COM executable for DOS	English	United States	0.28228476821192056
RT_MANIFEST	0x4ea0c	0x560	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.42877906976744184

Imports

DLL	Import
oleaut32.dll	SysFreeString, SysReAllocStringLen, SysAllocStringLen
advapi32.dll	RegQueryValueExW, RegOpenKeyExW, RegCloseKey
user32.dll	GetKeyboardType, LoadStringW, MessageBoxA, CharNextW
kernel32.dll	GetACP, Sleep, VirtualFree, VirtualAlloc, GetSystemInfo, GetTickCount, QueryPerformanceCounter, GetVersion, GetCurrentThreadId, VirtualQuery, WideCharToMultiByte, MultiByteToWideChar, lstrlenW, lstrcpynW, LoadLibraryExW, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleW, GetModuleFileNameW, GetLocaleInfoW, GetCommandLineW, FreeLibrary, FindFirstFileW, FindClose, ExitProcess, WriteFile, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetStdHandle, CloseHandle
kernel32.dll	TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleW
user32.dll	CreateWindowExW, TranslateMessage, SetWindowLongW, PeekMessageW, MsgWaitForMultipleObjects, MessageBoxW, LoadStringW, GetSystemMetrics, ExitWindowsEx, DispatchMessageW, DestroyWindow, CharUpperBuffW, CallWindowProcW
kernel32.dll	WriteFile, WideCharToMultiByte, WaitForSingleObject, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, SizeofResource, SignalObjectAndWait, SetLastError, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResetEvent, RemoveDirectoryW, ReadFile, MultiByteToWideChar, LockResource, LoadResource, LoadLibraryW, LeaveCriticalSection, InitializeCriticalSection, GetWindowsDirectoryW, GetVersionExW, GetUserDefaultLangID, GetThreadLocale, GetSystemInfo, GetStdHandle, GetProcAddress, GetModuleHandleW, GetModuleFileNameW, GetLocaleInfoW, GetLocalTime, GetLastError, GetFullPathNameW, GetFileSize, GetFileAttributesW, GetExitCodeProcess, GetEnvironmentVariableW, GetDiskFreeSpaceW, GetDateFormatW, GetCurrentProcess, GetCommandLineW, GetCPInfo, InterlockedExchange, InterlockedCompareExchange, FreeLibrary, FormatMessageW, FindResourceW, EnumCalendarInfoW, EnterCriticalSection, DeleteFileW, DeleteCriticalSection, CreateProcessW, CreateFileW, CreateEventW, CreateDirectoryW, CompareStringW, CloseHandle
advapi32.dll	RegQueryValueExW, RegOpenKeyExW, RegCloseKey, OpenProcessToken, LookupPrivilegeValueW
comctl32.dll	InitCommonControls
kernel32.dll	Sleep
advapi32.dll	AdjustTokenPrivileges
oleaut32.dll	SafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopy, VariantClear, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 31, 2024 14:03:30.517318964 CET	53	55557	1.1.1.1	192.168.2.5

Target ID:	0
Start time:	09:02:57
Start date:	31/10/2024
Path:	C:\Users\user\Desktop\Setup.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Setup.exe"
Imagebase:	0x400000
File size:	4'938'818 bytes
MD5 hash:	95486D6342DC7B14023E3B355807EF1E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	1
Start time:	09:02:57
Start date:	31/10/2024
Path:	C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp" /SL5="$2046C,4323117,283648,C:\Users\user\Desktop\Setup.exe"
Imagebase:	0x400000
File size:	1'636'352 bytes
MD5 hash:	A0E7A0F9F7BDA34FD5C17A6F7D69B1CB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Antivirus matches:	Detection: 3%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	0.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	31.2%
Total number of Nodes:	256
Total number of Limit Nodes:	19

Executed Functions

Function 034410C4 Relevance: 3.0, APIs: 2, Instructions: 18
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnumWindows.USER32(0344105C,00000000), ref: 034410CB
CoCreateInstance.OLE32(03442038,00000000,00000001,03442064,03443010), ref: 034410E4

Memory Dump Source

Source File: 00000001.00000002.3285141160.0000000003441000.00000020.00000001.01000000.00000008.sdmp, Offset: 03440000, based on PE: true

Associated: 00000001.00000002.3285127498.0000000003440000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.3285154439.0000000003442000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3440000_Setup.jbxd

Similarity

API ID: CreateEnumInstanceWindows
String ID:
API String ID: 175703651-0
Opcode ID: e9a878105e26793d990d2661a1d9a5881ba9ffd52cb9f48c03bbcacfc5e9315b
Instruction ID: 86f5c66adbb16633ff3797c6747971ff70bb0d233ecce926a8a94d7815280730
Opcode Fuzzy Hash: e9a878105e26793d990d2661a1d9a5881ba9ffd52cb9f48c03bbcacfc5e9315b
Instruction Fuzzy Hash: 58D012383903406FFE34DF658D0AF0976E06B04F01F21487AB351AE599C7D2A440C618

Function 032E3A98 Relevance: 3.1, APIs: 2, Instructions: 128
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000001.00000002.3284871902.00000000032E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 032E0000, based on PE: true

Associated: 00000001.00000002.3284856993.00000000032E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284909890.0000000003300000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003301000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003326000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284982008.000000000332A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284995073.000000000332B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.000000000334D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.0000000003351000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285065060.0000000003353000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32e0000_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 983bf99a28b748abee4c294b61608ed6f885602859115b46ae1e4e435937dbea
Instruction ID: bfa91d7e2cbed8b52b67468727c08b265cc4d06fce82d9aa4c661d5406fc00fe
Opcode Fuzzy Hash: 983bf99a28b748abee4c294b61608ed6f885602859115b46ae1e4e435937dbea
Instruction Fuzzy Hash: 4641E67CA203459FDB24EF65D0C6795B7E8FB49312F98445DE9048B245CB78E8C0CB65

Function 032BD175 Relevance: 3.0, APIs: 2, Instructions: 28
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapCreate.KERNEL32(00000000,00001000,00000000,032B7033,00000001,?,?,00000001,?,?,032B71B1,00000001,?,?,032D0AF0,0000000C), ref: 032BD186
HeapDestroy.KERNEL32(?,?,00000001,?,?,032B71B1,00000001,?,?,032D0AF0,0000000C,032B726B,?), ref: 032BD1BC

Memory Dump Source

Source File: 00000001.00000002.3284733718.00000000032A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 032A0000, based on PE: true

Associated: 00000001.00000002.3284715490.00000000032A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3284805123.00000000032CD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3284826114.00000000032D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3284842277.00000000032D8000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32a0000_Setup.jbxd

Similarity

API ID: Heap$CreateDestroy
String ID:
API String ID: 3296620671-0
Opcode ID: a184a14f9c58fd47d17a9937e10304a0056bcd8c71c6d46753d44cb66a29786e
Instruction ID: f0aa4caa39c4eab576e6b18eddd1f1efcbc8f0a2a4d0eb1b24a167d4215e8f37
Opcode Fuzzy Hash: a184a14f9c58fd47d17a9937e10304a0056bcd8c71c6d46753d44cb66a29786e
Instruction Fuzzy Hash: BFE06D75A363029EEB10FF30B90C3EA36B8E702B82F24D875E400CD088EBE480D19A01

Function 032E148C Relevance: 2.5, APIs: 2, Instructions: 37
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,032E1795), ref: 032E14BB
VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,032E1795), ref: 032E14E2

Memory Dump Source

Source File: 00000001.00000002.3284871902.00000000032E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 032E0000, based on PE: true

Associated: 00000001.00000002.3284856993.00000000032E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284909890.0000000003300000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003301000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003326000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284982008.000000000332A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284995073.000000000332B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.000000000334D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.0000000003351000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285065060.0000000003353000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32e0000_Setup.jbxd

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: 35eb711965e5f62c73f077904373bdfd28d759459279dfa4f0975f7441c7b8d9
Instruction ID: 3b099dec2cc72e0cb8354d479d24f6d1776aadb076dc9eb0651036183206cbce
Opcode Fuzzy Hash: 35eb711965e5f62c73f077904373bdfd28d759459279dfa4f0975f7441c7b8d9
Instruction Fuzzy Hash: 0CF08977B2072016EB20D6A98C82F5756D89B857A0F5541B1FA48EF7C8D6B158914290

Function 034411CA Relevance: 1.5, APIs: 1, Instructions: 32
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetTaskBarProgressValue.WINTB ref: 034411F8

Memory Dump Source

Source File: 00000001.00000002.3285141160.0000000003441000.00000020.00000001.01000000.00000008.sdmp, Offset: 03440000, based on PE: true

Associated: 00000001.00000002.3285127498.0000000003440000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.3285154439.0000000003442000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3440000_Setup.jbxd

Similarity

API ID: ProgressTaskValue
String ID:
API String ID: 2728912186-0
Opcode ID: 061518f9c1c1435d2053797172ce5ada7b9f120f31cefd52c283372ecc3bf54d
Instruction ID: 7fb8a36fd29cd4f6879d456936a7378d1ad9eb9870ead5eb3627f6e1ed64c801
Opcode Fuzzy Hash: 061518f9c1c1435d2053797172ce5ada7b9f120f31cefd52c283372ecc3bf54d
Instruction Fuzzy Hash: E1F0E93A8001209BDB30FF58E444AA6BBA5BB056167094237D5A5FF214C32098D0C798

Function 032E44BC Relevance: 1.5, APIs: 1, Instructions: 14
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SysFreeString.OLEAUT32(088B90C3), ref: 032E448E
SysReAllocStringLen.OLEAUT32(-00000008,088B90C3,?), ref: 032E44D2

Memory Dump Source

Source File: 00000001.00000002.3284871902.00000000032E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 032E0000, based on PE: true

Associated: 00000001.00000002.3284856993.00000000032E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284909890.0000000003300000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003301000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003326000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284982008.000000000332A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284995073.000000000332B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.000000000334D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.0000000003351000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285065060.0000000003353000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32e0000_Setup.jbxd

Similarity

API ID: String$AllocFree
String ID:
API String ID: 344208780-0
Opcode ID: 0f9bc3dc18368edb7bb7c40742738a1ab8b73d8df76f40c03f717166c02b4480
Instruction ID: 7ef459784458d74db55a28e8b8fafbd7652cc30c94bbc82aa10365dbe0d1a80f
Opcode Fuzzy Hash: 0f9bc3dc18368edb7bb7c40742738a1ab8b73d8df76f40c03f717166c02b4480
Instruction Fuzzy Hash: 8AC08CBA73028359A919F616AA1793BD16D9AC01043CE861CA8038A140E974E4C08260

Function 03441240 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowTextW.USER32(?,?), ref: 03441250

Memory Dump Source

Source File: 00000001.00000002.3285141160.0000000003441000.00000020.00000001.01000000.00000008.sdmp, Offset: 03440000, based on PE: true

Associated: 00000001.00000002.3285127498.0000000003440000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.3285154439.0000000003442000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3440000_Setup.jbxd

Similarity

API ID: TextWindow
String ID:
API String ID: 530164218-0
Opcode ID: 4eeac4cd87325fbfcc7547b4610a3eaeeeeefd8887f78f4df3117323120f288d
Instruction ID: a02011d0e27cbbd182fddcc27fb1fb9ee375195df376c8f08d57ff5ccca5536b
Opcode Fuzzy Hash: 4eeac4cd87325fbfcc7547b4610a3eaeeeeefd8887f78f4df3117323120f288d
Instruction Fuzzy Hash: F9C04C79500208979B14AFA5A8449567BECAB54A817044431B705EA214D771E560D679

Non-executed Functions

Function 032C0598 Relevance: 66.4, APIs: 44, Instructions: 431
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___getlocaleinfo.LIBCMT ref: 032C05CD
___getlocaleinfo.LIBCMT ref: 032C05E2
___getlocaleinfo.LIBCMT ref: 032C05F7
___getlocaleinfo.LIBCMT ref: 032C060C
___getlocaleinfo.LIBCMT ref: 032C0624
___getlocaleinfo.LIBCMT ref: 032C0639
___getlocaleinfo.LIBCMT ref: 032C064B
___getlocaleinfo.LIBCMT ref: 032C0660
___getlocaleinfo.LIBCMT ref: 032C0678
___getlocaleinfo.LIBCMT ref: 032C068D

Memory Dump Source

Source File: 00000001.00000002.3284733718.00000000032A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 032A0000, based on PE: true

Associated: 00000001.00000002.3284715490.00000000032A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3284805123.00000000032CD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3284826114.00000000032D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3284842277.00000000032D8000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32a0000_Setup.jbxd

Similarity

API ID: ___getlocaleinfo
String ID:
API String ID: 1937885557-0
Opcode ID: cb070a9089c2bf068264277ddf36e8c6a173ac74e458a66ae43c8b30df18aaeb
Instruction ID: dd6af1e118b0919a1c5188f9c3f7e03d4e3ab118f9ee3b57a5ec1dcece9e14bb
Opcode Fuzzy Hash: cb070a9089c2bf068264277ddf36e8c6a173ac74e458a66ae43c8b30df18aaeb
Instruction Fuzzy Hash: 00E1DFB291024DFEEF11DAE1CC80EFF77BDFB44744F04492AB219D6041EAB0AA459B60

Function 032EA7EC Relevance: 59.6, APIs: 17, Strings: 17, Instructions: 99libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,00000002,032EAA73,00000000,00000000,032EAF81,00000000,032EB08A,?,00000000,00000000,00000000,?,032FAFF4), ref: 032EA800
GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 032EA818
GetProcAddress.KERNEL32(00000000,Heap32ListFirst), ref: 032EA82A
GetProcAddress.KERNEL32(00000000,Heap32ListNext), ref: 032EA83C
GetProcAddress.KERNEL32(00000000,Heap32First), ref: 032EA84E
GetProcAddress.KERNEL32(00000000,Heap32Next), ref: 032EA860
GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory), ref: 032EA872
GetProcAddress.KERNEL32(00000000,Process32First), ref: 032EA884
GetProcAddress.KERNEL32(00000000,Process32Next), ref: 032EA896
GetProcAddress.KERNEL32(00000000,Process32FirstW), ref: 032EA8A8
GetProcAddress.KERNEL32(00000000,Process32NextW), ref: 032EA8BA
GetProcAddress.KERNEL32(00000000,Thread32First), ref: 032EA8CC
GetProcAddress.KERNEL32(00000000,Thread32Next), ref: 032EA8DE
GetProcAddress.KERNEL32(00000000,Module32First), ref: 032EA8F0
GetProcAddress.KERNEL32(00000000,Module32Next), ref: 032EA902
GetProcAddress.KERNEL32(00000000,Module32FirstW), ref: 032EA914
GetProcAddress.KERNEL32(00000000,Module32NextW), ref: 032EA926

Strings

kernel32.dll, xrefs: 032EA7FB
Toolhelp32ReadProcessMemory, xrefs: 032EA86A
Heap32Next, xrefs: 032EA858
CreateToolhelp32Snapshot, xrefs: 032EA810
Heap32First, xrefs: 032EA846
Thread32Next, xrefs: 032EA8D6
Process32Next, xrefs: 032EA88E
Heap32ListFirst, xrefs: 032EA822
Process32First, xrefs: 032EA87C
Thread32First, xrefs: 032EA8C4
Module32NextW, xrefs: 032EA91E
Process32FirstW, xrefs: 032EA8A0
Module32First, xrefs: 032EA8E8
Module32FirstW, xrefs: 032EA90C
Heap32ListNext, xrefs: 032EA834
Module32Next, xrefs: 032EA8FA
Process32NextW, xrefs: 032EA8B2

Memory Dump Source

Source File: 00000001.00000002.3284871902.00000000032E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 032E0000, based on PE: true

Associated: 00000001.00000002.3284856993.00000000032E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284909890.0000000003300000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003301000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003326000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284982008.000000000332A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284995073.000000000332B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.000000000334D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.0000000003351000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285065060.0000000003353000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32e0000_Setup.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: CreateToolhelp32Snapshot$Heap32First$Heap32ListFirst$Heap32ListNext$Heap32Next$Module32First$Module32FirstW$Module32Next$Module32NextW$Process32First$Process32FirstW$Process32Next$Process32NextW$Thread32First$Thread32Next$Toolhelp32ReadProcessMemory$kernel32.dll
API String ID: 667068680-597814768
Opcode ID: 203df6658762346f086f4d50451b1f51b6a935d5d9d9b52863e608679ce0a5c7
Instruction ID: a2a75c63ff1a616e16c152530487099b734f9d4b73555d33fa09048b3f0171c4
Opcode Fuzzy Hash: 203df6658762346f086f4d50451b1f51b6a935d5d9d9b52863e608679ce0a5c7
Instruction Fuzzy Hash: F53186BCA70750EFDB00EBB4D8C7A2D37ACBB07704B914565A510CF609DBB4E8909B16

Function 032A2A20 Relevance: 26.8, APIs: 8, Strings: 7, Instructions: 560filenetworkCOMMON

Download Yara Rule

APIs

Part of subcall function 032A4CC0: _memcpy_s.LIBCMT ref: 032A4D43

GetTickCount.KERNEL32 ref: 032A2DD6
GetTickCount.KERNEL32 ref: 032A2DE2
InternetReadFile.WININET(?,?,?,?), ref: 032A2EBF
_fwrite.LIBCMT ref: 032A2EED
GetTickCount.KERNEL32 ref: 032A2EFB
GetTickCount.KERNEL32 ref: 032A2F55
GetTickCount.KERNEL32 ref: 032A2F76
GetTickCount.KERNEL32 ref: 032A2F8E

Part of subcall function 032A5580: std::_String_base::_Xlen.LIBCPMT ref: 032A55D9
Part of subcall function 032A5580: _memcpy_s.LIBCMT ref: 032A5621

Part of subcall function 032B15A0: GetWindowLongW.USER32(?,000000F0), ref: 032B15A4
Part of subcall function 032B15A0: SetWindowLongW.USER32(?,000000F0,00000000), ref: 032B15BA
Part of subcall function 032B15A0: SendMessageW.USER32(?,0000040A,00000001,0000001E), ref: 032B15CA

Part of subcall function 032A32D0: GetTickCount.KERNEL32 ref: 032A32E7

Part of subcall function 032A3460: GetTickCount.KERNEL32 ref: 032A3469

Part of subcall function 032A3550: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 032A356F
Part of subcall function 032A3550: TranslateMessage.USER32(?), ref: 032A3584
Part of subcall function 032A3550: DispatchMessageW.USER32(?), ref: 032A3587
Part of subcall function 032A3550: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 032A3592

Strings

Cannot connect, xrefs: 032A2BAD
Downloading..., xrefs: 032A2E04
Download complete, xrefs: 032A30D3
Cannot create file, xrefs: 032A2C8F
FileProgressBar, xrefs: 032A2ADE, 032A2E44
Download failed, xrefs: 032A3056
Connecting..., xrefs: 032A2AAF

Memory Dump Source

Source File: 00000001.00000002.3284733718.00000000032A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 032A0000, based on PE: true

Associated: 00000001.00000002.3284715490.00000000032A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3284805123.00000000032CD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3284826114.00000000032D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3284842277.00000000032D8000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32a0000_Setup.jbxd

Similarity

API ID: CountTick$Message$LongPeekWindow_memcpy_s$DispatchFileInternetReadSendString_base::_TranslateXlen_fwritestd::_
String ID: Cannot connect$Cannot create file$Connecting...$Download complete$Download failed$Downloading...$FileProgressBar
API String ID: 1917477955-3550608020
Opcode ID: 2ba501513a9a806757a6db326578b827cb6640df412c800c2534ae4f867a129c
Instruction ID: 5937939342bb04d943cf3fa9b877dbc71496e4b9e17720fdf84682396612b729
Opcode Fuzzy Hash: 2ba501513a9a806757a6db326578b827cb6640df412c800c2534ae4f867a129c
Instruction Fuzzy Hash: 2A22D375E20704AFDF14EFACC88079EBBB5AF44300F18456DE419AF241DBB5A985CBA1

Function 0332FB98 Relevance: 22.1, APIs: 14, Instructions: 1080COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 0332FC53
__CxxThrowException@8.LIBCMT ref: 03330019
_memmove_s.LIBCMT ref: 03330216
_memmove_s.LIBCMT ref: 0333024B
std::exception::exception.LIBCMT ref: 03330007

Part of subcall function 033340D2: _strlen.LIBCMT ref: 033340EC
Part of subcall function 033340D2: _malloc.LIBCMT ref: 033340F5
Part of subcall function 033340D2: _strcpy_s.LIBCMT ref: 03334107

_memmove_s.LIBCMT ref: 03330080
_memmove_s.LIBCMT ref: 033300B2

Memory Dump Source

Source File: 00000001.00000002.3284995073.000000000332B000.00000008.00000001.01000000.00000007.sdmp, Offset: 032E0000, based on PE: true

Associated: 00000001.00000002.3284856993.00000000032E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284871902.00000000032E1000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284909890.0000000003300000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003301000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003326000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284982008.000000000332A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.000000000334D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.0000000003351000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285065060.0000000003353000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32e0000_Setup.jbxd

Similarity

API ID: _memmove_s$Exception@8Throw__fread_nolock_malloc_strcpy_s_strlenstd::exception::exception
String ID:
API String ID: 1798315270-0
Opcode ID: 94a893a323a12499f097c20723d90605163d59e506e83cab23a3a48759dbbe3d
Instruction ID: 93b55ca0d6d9f66d4d9a506b4e13a5afa7d843ffc69f14d25ee4f3f6ac08336f
Opcode Fuzzy Hash: 94a893a323a12499f097c20723d90605163d59e506e83cab23a3a48759dbbe3d
Instruction Fuzzy Hash: 0D927D75A143129FD718CF18C8C0A6AB7E6FBC9310F18CA2DE89A9B755D770E941CB81

Function 0332E2D8 Relevance: 10.9, APIs: 7, Instructions: 411COMMON

Download Yara Rule

APIs

_memmove_s.LIBCMT ref: 0332E37C

Part of subcall function 03330918: std::_String_base::_Xlen.LIBCPMT ref: 03330A29
Part of subcall function 03330918: __CxxThrowException@8.LIBCMT ref: 03330A64

Memory Dump Source

Source File: 00000001.00000002.3284995073.000000000332B000.00000008.00000001.01000000.00000007.sdmp, Offset: 032E0000, based on PE: true

Associated: 00000001.00000002.3284856993.00000000032E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284871902.00000000032E1000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284909890.0000000003300000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003301000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003326000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284982008.000000000332A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.000000000334D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.0000000003351000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285065060.0000000003353000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32e0000_Setup.jbxd

Similarity

API ID: Exception@8String_base::_ThrowXlen_memmove_sstd::_
String ID:
API String ID: 782425775-0
Opcode ID: 6ac9b8f6481b40f0b245784bc4207b6ddd3812b441259bb65293af38cc27a96a
Instruction ID: 9fbc6c46f8affbd528882cce74c1a6472404ed3c16ac1222546a51424a007ab7
Opcode Fuzzy Hash: 6ac9b8f6481b40f0b245784bc4207b6ddd3812b441259bb65293af38cc27a96a
Instruction Fuzzy Hash: E9E1B2B5A143229FD714CF68C8C156EFBA5FB89310F188A2DED969B341E370E845CB91

Function 032A3A90 Relevance: 8.3, APIs: 5, Instructions: 759networkfileCOMMON

Download Yara Rule

APIs

FtpSetCurrentDirectoryW.WININET(?,?), ref: 032A3BCE
FtpFindFirstFileW.WININET(?,?,?,00000000,00000000), ref: 032A3C0E
InternetFindNextFileW.WININET(?,?), ref: 032A3E58

Part of subcall function 032A56E0: std::_String_base::_Xlen.LIBCPMT ref: 032A5715
Part of subcall function 032A56E0: _memcpy_s.LIBCMT ref: 032A5764

Memory Dump Source

Source File: 00000001.00000002.3284733718.00000000032A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 032A0000, based on PE: true

Associated: 00000001.00000002.3284715490.00000000032A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3284805123.00000000032CD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3284826114.00000000032D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3284842277.00000000032D8000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32a0000_Setup.jbxd

Similarity

API ID: FileFind$CurrentDirectoryFirstInternetNextString_base::_Xlen_memcpy_sstd::_
String ID:
API String ID: 857861402-0
Opcode ID: 5f57b44eb5c350989c6e2e981eb4237a1656746c66d400eba1448fd9ef76b10f
Instruction ID: 7c2d9584e3e197d4aea17305d8ec1d8241446d3cfcf315e1f7fee15f4f6dca7e
Opcode Fuzzy Hash: 5f57b44eb5c350989c6e2e981eb4237a1656746c66d400eba1448fd9ef76b10f
Instruction Fuzzy Hash: 2762AE758287809FC720EF6DC840B9BBBE8AF85314F544A1DE5984B391D7B0D985CBA3

Function 032B5D38 Relevance: 7.6, APIs: 5, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 032B9E03
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 032B9E18
UnhandledExceptionFilter.KERNEL32(032CDC98), ref: 032B9E23
GetCurrentProcess.KERNEL32(C0000409), ref: 032B9E3F
TerminateProcess.KERNEL32(00000000), ref: 032B9E46

Memory Dump Source

Source File: 00000001.00000002.3284733718.00000000032A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 032A0000, based on PE: true

Associated: 00000001.00000002.3284715490.00000000032A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3284805123.00000000032CD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3284826114.00000000032D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3284842277.00000000032D8000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32a0000_Setup.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 82989f8bee6ae0f51f14169db4e6e86957ee1f5df58f1371bb29429a874af023
Instruction ID: 2cd7f93c60ec5d413f6247d1d864932d9bc778facb50601d85cf023b51881ad7
Opcode Fuzzy Hash: 82989f8bee6ae0f51f14169db4e6e86957ee1f5df58f1371bb29429a874af023
Instruction Fuzzy Hash: 8A219AB4C263059FC710FF69F18C6987BB4BB1A341F60C06AE5099A358EBF059A98F45

Function 0332B808 Relevance: 6.2, APIs: 4, Instructions: 240COMMON

Download Yara Rule

APIs

_fprintf.LIBCMT ref: 0332BAA7
_raise.LIBCMT ref: 0332BAAE
_fprintf.LIBCMT ref: 0332BAD8
_raise.LIBCMT ref: 0332BADF

Memory Dump Source

Source File: 00000001.00000002.3284995073.000000000332B000.00000008.00000001.01000000.00000007.sdmp, Offset: 032E0000, based on PE: true

Associated: 00000001.00000002.3284856993.00000000032E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284871902.00000000032E1000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284909890.0000000003300000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003301000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003326000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284982008.000000000332A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.000000000334D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.0000000003351000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285065060.0000000003353000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32e0000_Setup.jbxd

Similarity

API ID: _fprintf_raise
String ID:
API String ID: 1988439158-0
Opcode ID: 6be06dd30dd9f8f10a10d06cedcaf4faac02a892605a91ab4b332ac7193a2fbf
Instruction ID: 790f94f22619e6973c453234355d2a6b7ea62a3cbbd29440656c62ea30430c42
Opcode Fuzzy Hash: 6be06dd30dd9f8f10a10d06cedcaf4faac02a892605a91ab4b332ac7193a2fbf
Instruction Fuzzy Hash: 1B81F576A183518BC704CF1DC8C065AFFE5AFD9304F088A6EE895AB346D670D945CBD2

Function 032E6570 Relevance: 4.6, APIs: 3, Instructions: 61nativeCOMMON

Download Yara Rule

APIs

SetWindowLongA.USER32(?,000000EB,00000000), ref: 032E65B7
GetWindowLongA.USER32(?,000000EB), ref: 032E65C8
NtdllDefWindowProc_A.USER32(?,?,?,?), ref: 032E6601

Memory Dump Source

Source File: 00000001.00000002.3284871902.00000000032E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 032E0000, based on PE: true

Associated: 00000001.00000002.3284856993.00000000032E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284909890.0000000003300000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003301000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003326000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284982008.000000000332A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284995073.000000000332B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.000000000334D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.0000000003351000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285065060.0000000003353000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32e0000_Setup.jbxd

Similarity

API ID: Window$Long$NtdllProc_
String ID:
API String ID: 3674618424-0
Opcode ID: b89aac389721b2c35ebec74bffdd6e41e6feddc969d935d65c8148bc08732958
Instruction ID: dfe19550c3748f0c0199082759479d7a6d906628a4eb8c790fac529f0946d7bb
Opcode Fuzzy Hash: b89aac389721b2c35ebec74bffdd6e41e6feddc969d935d65c8148bc08732958
Instruction Fuzzy Hash: 3D117979A2021A9FCB10DF59D8819ABB7F8FB99711F80456AEC11A7254CB70E944CFE0

Function 032F197A Relevance: 4.5, APIs: 3, Instructions: 44filenativethreadCOMMON

Download Yara Rule

APIs

NtQueryInformationFile.NTDLL ref: 032F19AF
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000104,00000000,00000000,?,?,?,00000208,00000009), ref: 032F19DE
RtlExitUserThread.KERNEL32(00000000,?,?,?,00000208,00000009), ref: 032F19E4

Memory Dump Source

Source File: 00000001.00000002.3284871902.00000000032E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 032E0000, based on PE: true

Associated: 00000001.00000002.3284856993.00000000032E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284909890.0000000003300000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003301000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003326000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284982008.000000000332A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284995073.000000000332B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.000000000334D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.0000000003351000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285065060.0000000003353000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32e0000_Setup.jbxd

Similarity

API ID: ByteCharExitFileInformationMultiQueryThreadUserWide
String ID:
API String ID: 3030682188-0
Opcode ID: a0c9ad3472a2c3b676b1838f1fc27fa314422636220e6409a0dd6efbb36b74e2
Instruction ID: 9ba482950641931ae9c09e113253eec6ce9725ec661d65a9bee451e501c4966e
Opcode Fuzzy Hash: a0c9ad3472a2c3b676b1838f1fc27fa314422636220e6409a0dd6efbb36b74e2
Instruction Fuzzy Hash: FD01E67665021C6BD750DA94DC85FDA73AC9B15750F5001B1BB48DF181E5B0EE8087F5

Function 032F197C Relevance: 4.5, APIs: 3, Instructions: 43filenativethreadCOMMON

Download Yara Rule

APIs

NtQueryInformationFile.NTDLL ref: 032F19AF
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000104,00000000,00000000,?,?,?,00000208,00000009), ref: 032F19DE
RtlExitUserThread.KERNEL32(00000000,?,?,?,00000208,00000009), ref: 032F19E4

Memory Dump Source

Source File: 00000001.00000002.3284871902.00000000032E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 032E0000, based on PE: true

Associated: 00000001.00000002.3284856993.00000000032E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284909890.0000000003300000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003301000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003326000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284982008.000000000332A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284995073.000000000332B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.000000000334D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.0000000003351000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285065060.0000000003353000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32e0000_Setup.jbxd

Similarity

API ID: ByteCharExitFileInformationMultiQueryThreadUserWide
String ID:
API String ID: 3030682188-0
Opcode ID: 678ebffbc916289fb158f3ae1e25c170b6de1745eb117627b88aff89f71270af
Instruction ID: bfad1aa4945d396ee29189036f68fe268d3eae1ed72c2053f3ffc112ab21404c
Opcode Fuzzy Hash: 678ebffbc916289fb158f3ae1e25c170b6de1745eb117627b88aff89f71270af
Instruction Fuzzy Hash: 3801F97665031C6BD750DA94DC85FDA73AC9B15750F5001B1BB48DF181E5B0EE8087F5

Function 0330C360 Relevance: 4.0, Strings: 3, Instructions: 282COMMON

Download Yara Rule

Strings

h, xrefs: 0330C431
Z, xrefs: 0330C426
B, xrefs: 0330C41B

Memory Dump Source

Source File: 00000001.00000002.3284922892.0000000003301000.00000008.00000001.01000000.00000007.sdmp, Offset: 032E0000, based on PE: true

Associated: 00000001.00000002.3284856993.00000000032E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284871902.00000000032E1000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284909890.0000000003300000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003326000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284982008.000000000332A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284995073.000000000332B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.000000000334D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.0000000003351000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285065060.0000000003353000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32e0000_Setup.jbxd

Similarity

API ID:
String ID: B$Z$h
API String ID: 0-418080759
Opcode ID: c27393b6f348023b7e16e259a93b5ca4510ad509f101e6baa7235d5ed6adb14d
Instruction ID: f49dafdb74afa1496141faa9de8dcc5392c3dcd307f2bb2bed2282371cd4343d
Opcode Fuzzy Hash: c27393b6f348023b7e16e259a93b5ca4510ad509f101e6baa7235d5ed6adb14d
Instruction Fuzzy Hash: 86A1D4756047058FC724DF78C8E0AABF7E5AF84304F444A2DE5AA8B281DB35F949CB91

Function 03343D38 Relevance: 3.9, Strings: 3, Instructions: 148COMMON

Download Yara Rule

Strings

ntel, xrefs: 03343DA8
Genu, xrefs: 03343D96
ineI, xrefs: 03343D9F

Memory Dump Source

Source File: 00000001.00000002.3284995073.000000000332B000.00000008.00000001.01000000.00000007.sdmp, Offset: 032E0000, based on PE: true

Associated: 00000001.00000002.3284856993.00000000032E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284871902.00000000032E1000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284909890.0000000003300000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003301000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003326000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284982008.000000000332A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.000000000334D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.0000000003351000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285065060.0000000003353000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32e0000_Setup.jbxd

Similarity

API ID:
String ID: Genu$ineI$ntel
API String ID: 0-3389352399
Opcode ID: da9897711e08c397540f416d1fe7822c864d174e1610fed037d1d5dd969eea96
Instruction ID: 9e0e36d4b41d05d8f2ad96c8411f7bed5f64f71340785d632763c7cc1440b90f
Opcode Fuzzy Hash: da9897711e08c397540f416d1fe7822c864d174e1610fed037d1d5dd969eea96
Instruction Fuzzy Hash: C5419076E063058BFB14CB99D8C13BEF6F5EB48320F18803ADA15E7791D6399990CB54

Function 032E95BC Relevance: 3.0, APIs: 2, Instructions: 12nativeCOMMON

Download Yara Rule

APIs

CallWindowProcA.USER32(?,?,?,?,?), ref: 032E95CE
NtdllDefWindowProc_A.USER32(?,?,?,?,032E7868), ref: 032E95D6

Memory Dump Source

Source File: 00000001.00000002.3284871902.00000000032E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 032E0000, based on PE: true

Associated: 00000001.00000002.3284856993.00000000032E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284909890.0000000003300000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003301000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003326000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284982008.000000000332A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284995073.000000000332B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.000000000334D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.0000000003351000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285065060.0000000003353000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32e0000_Setup.jbxd

Similarity

API ID: Window$CallNtdllProcProc_
String ID:
API String ID: 1646280189-0
Opcode ID: 4c40af52daaa73c50abbab119a099a96a2d77437599a3cfbbdd37e60e5f896d2
Instruction ID: c5e74ef59566428b76b5f0cd4911d290f4bf08c59d66b04109b74fc02962ef0d
Opcode Fuzzy Hash: 4c40af52daaa73c50abbab119a099a96a2d77437599a3cfbbdd37e60e5f896d2
Instruction Fuzzy Hash: B3D0C97D030111AF8E46BF50C911C01FB22BF492143C5D3C8E1040E132CB66C8E4EB40

Function 032BF4AF Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

__decode_pointer.LIBCMT ref: 032BF4BD

Part of subcall function 032BA5B8: TlsGetValue.KERNEL32(?,032BB4ED,032BA31C,032B636D,?,032B636D,?,?,?,00000000), ref: 032BA5C5
Part of subcall function 032BA5B8: TlsGetValue.KERNEL32(00000007,?,00000000), ref: 032BA5DC

SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 032BF4C4

Memory Dump Source

Source File: 00000001.00000002.3284733718.00000000032A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 032A0000, based on PE: true

Associated: 00000001.00000002.3284715490.00000000032A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3284805123.00000000032CD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3284826114.00000000032D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3284842277.00000000032D8000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32a0000_Setup.jbxd

Similarity

API ID: Value$ExceptionFilterUnhandled__decode_pointer
String ID:
API String ID: 1958600898-0
Opcode ID: 22405f7b998864b3d7a233d6507d006d3eaf2adc34680fa9a9f62538718eb5e1
Instruction ID: 233eff026d5e6e5f274557930cb2d64c7143a68a955a0a190208b4365e0d2924
Opcode Fuzzy Hash: 22405f7b998864b3d7a233d6507d006d3eaf2adc34680fa9a9f62538718eb5e1
Instruction Fuzzy Hash: 03C08C4AC382860ED701E778781C3483B18A712A0AFC044A8C48084383C794C1808221

Function 0332D5B5 Relevance: 2.4, APIs: 1, Instructions: 936COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 0332D957

Memory Dump Source

Source File: 00000001.00000002.3284995073.000000000332B000.00000008.00000001.01000000.00000007.sdmp, Offset: 032E0000, based on PE: true

Associated: 00000001.00000002.3284856993.00000000032E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284871902.00000000032E1000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284909890.0000000003300000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003301000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003326000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284982008.000000000332A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.000000000334D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.0000000003351000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285065060.0000000003353000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32e0000_Setup.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: e8f9f365efddf86d0973846727ccfcd6b640314821b526ec5fdfe392c49cc04a
Instruction ID: d1d70c98cb2b893b8717879d150eea1e0c8eb007f59eb48de0ebd4a3ee4eecbd
Opcode Fuzzy Hash: e8f9f365efddf86d0973846727ccfcd6b640314821b526ec5fdfe392c49cc04a
Instruction Fuzzy Hash: 50927D75A047618FD728CF18C9D0A5ABBF2FBC8310F158A6DE8A987365D774E841CB81

Function 0330C720 Relevance: 1.7, Strings: 1, Instructions: 496COMMON

Download Yara Rule

Strings

2, xrefs: 0330CAB7

Memory Dump Source

Source File: 00000001.00000002.3284922892.0000000003301000.00000008.00000001.01000000.00000007.sdmp, Offset: 032E0000, based on PE: true

Associated: 00000001.00000002.3284856993.00000000032E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284871902.00000000032E1000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284909890.0000000003300000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003326000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284982008.000000000332A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284995073.000000000332B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.000000000334D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.0000000003351000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285065060.0000000003353000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32e0000_Setup.jbxd

Similarity

API ID:
String ID: 2
API String ID: 0-450215437
Opcode ID: c87a45ea28f097745ea66c56af8c2029bf2259a3b24a3ddb3543ca426f309422
Instruction ID: f01ec18b40476ba38516bdc06276d749e92be7fcebc25cd0d132d73f80224862
Opcode Fuzzy Hash: c87a45ea28f097745ea66c56af8c2029bf2259a3b24a3ddb3543ca426f309422
Instruction Fuzzy Hash: E402A071A043418BC718DE2CC4E026AFBE6EFC8304F155A3DD99ADB391D634E946CB86

Function 03308AFA Relevance: 1.7, APIs: 1, Instructions: 246COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 03308AFF

Memory Dump Source

Source File: 00000001.00000002.3284922892.0000000003301000.00000008.00000001.01000000.00000007.sdmp, Offset: 032E0000, based on PE: true

Associated: 00000001.00000002.3284856993.00000000032E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284871902.00000000032E1000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284909890.0000000003300000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003326000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284982008.000000000332A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284995073.000000000332B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.000000000334D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.0000000003351000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285065060.0000000003353000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32e0000_Setup.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 25ecc50d394abdcc0fcf7ab1efeaa986671c7175bf53c5d128e70a27f0833d94
Instruction ID: f8efb16baea508df5424e3cf1586b917872aa1a0d6df0a7d2e7bd4291f56bfa5
Opcode Fuzzy Hash: 25ecc50d394abdcc0fcf7ab1efeaa986671c7175bf53c5d128e70a27f0833d94
Instruction Fuzzy Hash: 57A10E75E00609DFCF18DF59C8E09AEB7B6FF94310F288469D9259F291DB34A942CB90

Function 032E531C Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,032E5382), ref: 032E5342

Memory Dump Source

Source File: 00000001.00000002.3284871902.00000000032E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 032E0000, based on PE: true

Associated: 00000001.00000002.3284856993.00000000032E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284909890.0000000003300000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003301000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003326000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284982008.000000000332A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284995073.000000000332B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.000000000334D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.0000000003351000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285065060.0000000003353000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32e0000_Setup.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 5f78acbbf972f2596bd7084c9c0e68fc398ae3894c24debd5b65c42faaedf0e7
Instruction ID: 2cc378129662958a91f0d8944c912c65326a24f94120af6667b38002d13b8e67
Opcode Fuzzy Hash: 5f78acbbf972f2596bd7084c9c0e68fc398ae3894c24debd5b65c42faaedf0e7
Instruction Fuzzy Hash: 9EF0FC35A14309AFE714EF91CC52AEEF3BAFB85710FD08974912097590E7F46A84C6C0

Function 032F1944 Relevance: 1.5, APIs: 1, Instructions: 24nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL(00000010,?,00010000,00000000), ref: 032F1967

Memory Dump Source

Source File: 00000001.00000002.3284871902.00000000032E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 032E0000, based on PE: true

Associated: 00000001.00000002.3284856993.00000000032E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284909890.0000000003300000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003301000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003326000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284982008.000000000332A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284995073.000000000332B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.000000000334D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.0000000003351000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285065060.0000000003353000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32e0000_Setup.jbxd

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: ebd5e80dc8d05592f33633688796ec85cd6e06f8625760d2109bc27f8fcbb92f
Instruction ID: 53fc9e01667794622f11096a7a1bbd6029d1fe23b7c2c165fc906497fe2ad25d
Opcode Fuzzy Hash: ebd5e80dc8d05592f33633688796ec85cd6e06f8625760d2109bc27f8fcbb92f
Instruction Fuzzy Hash: A2E0C2A1329300AFD310EA6C9CC0BEBB3CC9B4C260F504939F289C3200C5A49CC042A5

Function 032E6D24 Relevance: 1.5, APIs: 1, Instructions: 18fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,?,00000000,032EABCC,00000000,032EAD23,?,?,032FB1F9,00000000,?,00000001,00000000,00000001), ref: 032E6D34

Memory Dump Source

Source File: 00000001.00000002.3284871902.00000000032E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 032E0000, based on PE: true

Associated: 00000001.00000002.3284856993.00000000032E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284909890.0000000003300000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003301000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003326000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284982008.000000000332A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284995073.000000000332B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.000000000334D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.0000000003351000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285065060.0000000003353000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32e0000_Setup.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 857d75d0194f31b5f10527de68ca37367c242183b48b38a3fa08ef1f42d9cb04
Instruction ID: 3f6d7a76c9076efa3437008f11e75f242033c85ba590c0bd6e3176d7919f0648
Opcode Fuzzy Hash: 857d75d0194f31b5f10527de68ca37367c242183b48b38a3fa08ef1f42d9cb04
Instruction Fuzzy Hash: 84D012AB721720178610B5AF1CC58EFD6DD8ACA1B17990276F928EB2D1D5544D8252B0

Function 0332BE28 Relevance: .6, Instructions: 571COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3284995073.000000000332B000.00000008.00000001.01000000.00000007.sdmp, Offset: 032E0000, based on PE: true

Associated: 00000001.00000002.3284856993.00000000032E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284871902.00000000032E1000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284909890.0000000003300000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003301000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003326000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284982008.000000000332A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.000000000334D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.0000000003351000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285065060.0000000003353000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32e0000_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac2efa8e23e586e35cda5ee34fbb758643643bce1875c9c449d15101014120a2
Instruction ID: cb18cb589fd4c13dd6ff06c75319ee49efe237bcc8c5c8bf3f134c68811d0301
Opcode Fuzzy Hash: ac2efa8e23e586e35cda5ee34fbb758643643bce1875c9c449d15101014120a2
Instruction Fuzzy Hash: A1129477B483194BD718CE99DCD05DAB3A3BBC4314F0B853D9D45D3305EAB9AA0A8AC4

Function 0330E590 Relevance: .5, Instructions: 453COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3284922892.0000000003301000.00000008.00000001.01000000.00000007.sdmp, Offset: 032E0000, based on PE: true

Associated: 00000001.00000002.3284856993.00000000032E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284871902.00000000032E1000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284909890.0000000003300000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003326000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284982008.000000000332A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284995073.000000000332B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.000000000334D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.0000000003351000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285065060.0000000003353000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32e0000_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebc7d113712a2c7c4ca287bd5f86d1b65b630f6e2a9aaf6122b69370c3b5f4f6
Instruction ID: 0d7416761a1998e4bcfe5022b425b78c10f6a82a375d126f21eacb973a5f589b
Opcode Fuzzy Hash: ebc7d113712a2c7c4ca287bd5f86d1b65b630f6e2a9aaf6122b69370c3b5f4f6
Instruction Fuzzy Hash: 5A029E35718F429BC718CF28C8E0669FBE1BB88314F184A6ED89A87781D735F855CB91

Function 032C2AA9 Relevance: .4, Instructions: 384COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3284733718.00000000032A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 032A0000, based on PE: true

Associated: 00000001.00000002.3284715490.00000000032A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3284805123.00000000032CD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3284826114.00000000032D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3284842277.00000000032D8000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32a0000_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0666e2c6603716d584354562bcf590181c980fb8da26174d951f804026303a75
Instruction ID: 9e795f95d28a9cfc2a2904b6092cbe5311dae1b7b45b5f8572d8bcc5bb4d1bfb
Opcode Fuzzy Hash: 0666e2c6603716d584354562bcf590181c980fb8da26174d951f804026303a75
Instruction Fuzzy Hash: 0BD16273C3AAF34A8B35C12E416863AEE626FC154131FCBE99CD43F28999275D9096D0

Function 032C2689 Relevance: .4, Instructions: 378COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3284733718.00000000032A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 032A0000, based on PE: true

Associated: 00000001.00000002.3284715490.00000000032A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3284805123.00000000032CD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3284826114.00000000032D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3284842277.00000000032D8000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32a0000_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c40bcf876c129f9393d32ca3cb7471e4bcf7a4352579634fb414d11934eaa4f2
Instruction ID: c2bd686f4599ed6fcfcf72643e9f9752d9673d9f885da4ede4a23f01159d0e1d
Opcode Fuzzy Hash: c40bcf876c129f9393d32ca3cb7471e4bcf7a4352579634fb414d11934eaa4f2
Instruction Fuzzy Hash: FED19173C3AAF34A8B36C12E415813AEE626FC195031FC7E9CCD43F289DA266D9495D0

Function 032C227D Relevance: .4, Instructions: 361COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3284733718.00000000032A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 032A0000, based on PE: true

Associated: 00000001.00000002.3284715490.00000000032A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3284805123.00000000032CD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3284826114.00000000032D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3284842277.00000000032D8000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32a0000_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8709e21481f65d4d57cc4b3952fb3adbcebd3cc8b64ff3d20fdf858c0bfd14a0
Instruction ID: 1a321630992c0c6a07d0e49ff324b3b3151783117b30f3ac0c217d66546dd38d
Opcode Fuzzy Hash: 8709e21481f65d4d57cc4b3952fb3adbcebd3cc8b64ff3d20fdf858c0bfd14a0
Instruction Fuzzy Hash: 2EC17173C7AAF3468B36C12E416853BEE626FC155131FC7E98CD43F28ADA265D9085D0

Function 032C1EA9 Relevance: .4, Instructions: 351COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3284733718.00000000032A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 032A0000, based on PE: true

Associated: 00000001.00000002.3284715490.00000000032A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3284805123.00000000032CD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3284826114.00000000032D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3284842277.00000000032D8000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32a0000_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6a9d25a147ba64f4d06249d12fe21364a5b6889ab238d0ba2e949acfc497403
Instruction ID: 80db8e9e93a867a81c506dd2944f6ce8ce65a544977e12d80d318987c29c0cf1
Opcode Fuzzy Hash: a6a9d25a147ba64f4d06249d12fe21364a5b6889ab238d0ba2e949acfc497403
Instruction Fuzzy Hash: 28C19473D3A6F34ACB35C12E455453BEE626FC154031EC7E98CD43F28AD626AD9095D0

Function 03343FC8 Relevance: .3, Instructions: 339COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3284995073.000000000332B000.00000008.00000001.01000000.00000007.sdmp, Offset: 032E0000, based on PE: true

Associated: 00000001.00000002.3284856993.00000000032E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284871902.00000000032E1000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284909890.0000000003300000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003301000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003326000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284982008.000000000332A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.000000000334D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.0000000003351000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285065060.0000000003353000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32e0000_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90794ae074867909e332ecb05fa826755915f16513b7c56ab6c1f741722ef2b0
Instruction ID: b90c6fc2d27efdb0a2fefe986da5d7dd093b5494e967d95526b959b0c6907f62
Opcode Fuzzy Hash: 90794ae074867909e332ecb05fa826755915f16513b7c56ab6c1f741722ef2b0
Instruction Fuzzy Hash: 9AD119B5D046198FEB18CF4AD9802ADFBF6FB88310F14857AD859E7350E3B4A9518F90

Function 03342DE8 Relevance: .3, Instructions: 339COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3284995073.000000000332B000.00000008.00000001.01000000.00000007.sdmp, Offset: 032E0000, based on PE: true

Associated: 00000001.00000002.3284856993.00000000032E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284871902.00000000032E1000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284909890.0000000003300000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003301000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003326000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284982008.000000000332A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.000000000334D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.0000000003351000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285065060.0000000003353000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32e0000_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 151d8eb828b63eef1c8527265e29e73aea9d78f848bedddb93348b6f2f740518
Instruction ID: ce84fb2992a1a1590cdf7b5b14dd97c5515e602d6539d0612bda3926f775df83
Opcode Fuzzy Hash: 151d8eb828b63eef1c8527265e29e73aea9d78f848bedddb93348b6f2f740518
Instruction Fuzzy Hash: 77C1B275914F8286E765DF2CC840279F3E4FF86220F145BA9DDC6A6D50EB39E985C380

Function 0330E1F0 Relevance: .3, Instructions: 291COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3284922892.0000000003301000.00000008.00000001.01000000.00000007.sdmp, Offset: 032E0000, based on PE: true

Associated: 00000001.00000002.3284856993.00000000032E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284871902.00000000032E1000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284909890.0000000003300000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003326000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284982008.000000000332A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284995073.000000000332B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.000000000334D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.0000000003351000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285065060.0000000003353000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32e0000_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b56e9f775ee9cd96b41f118f553f7bf26bef5efb7cdbd4191ab952dacb7d0ea6
Instruction ID: 203fa66b1f741ad61a90ad011a9a1b58fdf63c8c614c837d7f6cdfc9d845cab8
Opcode Fuzzy Hash: b56e9f775ee9cd96b41f118f553f7bf26bef5efb7cdbd4191ab952dacb7d0ea6
Instruction Fuzzy Hash: 2DA148367047444BDF38CE68D8A03EEB7D2EBC5304F54483EDA8A8B781DA3965498751

Function 0331A46A Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3284922892.0000000003301000.00000008.00000001.01000000.00000007.sdmp, Offset: 032E0000, based on PE: true

Associated: 00000001.00000002.3284856993.00000000032E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284871902.00000000032E1000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284909890.0000000003300000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003326000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284982008.000000000332A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284995073.000000000332B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.000000000334D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.0000000003351000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285065060.0000000003353000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32e0000_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc60ecf50bd115ca0c6ea2745a91e2bccda0b72c85d336beea95e2ba67d1c3a9
Instruction ID: 5d896c2e606553dfdbd216e9f2bb9fb33f5138a5430a4a173d777a4e8dd9df54
Opcode Fuzzy Hash: fc60ecf50bd115ca0c6ea2745a91e2bccda0b72c85d336beea95e2ba67d1c3a9
Instruction Fuzzy Hash: 43B19D75A0120ADFDB19CF04C5D0AA8FBB5BF48319F18C19DD85A5B346C731EA66CB90

Function 0330CED0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3284922892.0000000003301000.00000008.00000001.01000000.00000007.sdmp, Offset: 032E0000, based on PE: true

Associated: 00000001.00000002.3284856993.00000000032E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284871902.00000000032E1000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284909890.0000000003300000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003326000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284982008.000000000332A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284995073.000000000332B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.000000000334D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.0000000003351000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285065060.0000000003353000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32e0000_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54400c4377fa072b7fd941a355daa1c8dceca83206a4cafe17bf7eebcc7188b8
Instruction ID: 40d49cfc80f7f9ab1437e517728a8ba8ea9c916338e5d6e242e95837b9cef0ac
Opcode Fuzzy Hash: 54400c4377fa072b7fd941a355daa1c8dceca83206a4cafe17bf7eebcc7188b8
Instruction Fuzzy Hash: 82217375704A458FD728DE19DCA042AF7D5EFC9600B14872DE55AC7385E630E905CB92

Function 032A81D0 Relevance: 51.1, APIs: 24, Strings: 5, Instructions: 314windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000030,?,00000001), ref: 032A8222
GetDlgItem.USER32(?,000003EC), ref: 032A8233
SendMessageW.USER32(00000000,?,000003EC,00000030), ref: 032A823A
GetDlgItem.USER32(?,000003ED), ref: 032A824B
SendMessageW.USER32(00000000,?,000003ED,00000030), ref: 032A8252
GetDlgItem.USER32(00000000,000003E9), ref: 032A8263
SendMessageW.USER32(00000000,?,00000001), ref: 032A826A
GetDlgItem.USER32(?,00000005), ref: 032A8278
SendMessageW.USER32(00000000,?,00000005,00000030), ref: 032A827F
GetDlgItem.USER32(?,00000004), ref: 032A828D
SendMessageW.USER32(00000000,?,00000004,00000030), ref: 032A8294
GetDlgItem.USER32(00000000,00000003), ref: 032A82A2
SendMessageW.USER32(00000000,?,00000001), ref: 032A82A9
SetWindowTextW.USER32(?,-00000004), ref: 032A82FC
GetDlgItem.USER32(?,00000004), ref: 032A835A
SetWindowTextW.USER32(00000000), ref: 032A8361
GetDlgItem.USER32(?,00000005), ref: 032A83BF
SetWindowTextW.USER32(00000000), ref: 032A83C6
GetDlgItem.USER32(?,00000003), ref: 032A8424
SetWindowTextW.USER32(00000000), ref: 032A842B
GetDlgItem.USER32(?,000003EC), ref: 032A84C5
SetWindowTextW.USER32(00000000), ref: 032A84CC
GetDlgItem.USER32(?,000003ED), ref: 032A8581
SetWindowTextW.USER32(00000000), ref: 032A8588

Strings

Ignore, xrefs: 032A838F
The following files were not downloaded:, xrefs: 032A854F
Cancel, xrefs: 032A83F4
Download failed, xrefs: 032A82C4, 032A845B
Retry, xrefs: 032A832A

Memory Dump Source

Source File: 00000001.00000002.3284733718.00000000032A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 032A0000, based on PE: true

Associated: 00000001.00000002.3284715490.00000000032A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3284805123.00000000032CD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3284826114.00000000032D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3284842277.00000000032D8000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32a0000_Setup.jbxd

Similarity

API ID: Item$MessageSend$TextWindow
String ID: Cancel$Download failed$Ignore$Retry$The following files were not downloaded:
API String ID: 2645603783-2260887806
Opcode ID: 3d15eaa95adb3456d9df363f87e4d7921397a43b036eade63563dc2f50c3ba4b
Instruction ID: 76413bad2e72b4f7b80c3189ff766cc6e9c879383cceead96dded706459e3b12
Opcode Fuzzy Hash: 3d15eaa95adb3456d9df363f87e4d7921397a43b036eade63563dc2f50c3ba4b
Instruction Fuzzy Hash: 55C193B6924340AFD710EF68C885F5BBBE9BF84B00F50891DF6455B280C7B5D545CB92

Function 032BA998 Relevance: 40.4, APIs: 18, Strings: 5, Instructions: 109libraryloadermemoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,032B7041,?,?,00000001,?,?,032B71B1,00000001,?,?,032D0AF0,0000000C,032B726B,?), ref: 032BA99E
__mtterm.LIBCMT ref: 032BA9AA

Part of subcall function 032BA682: __decode_pointer.LIBCMT ref: 032BA693
Part of subcall function 032BA682: TlsFree.KERNEL32(00000020,032B70DD,?,?,00000001,?,?,032B71B1,00000001,?,?,032D0AF0,0000000C,032B726B,?), ref: 032BA6AD
Part of subcall function 032BA682: DeleteCriticalSection.KERNEL32(00000000,00000000,?,00000001,032B70DD,?,?,00000001,?,?,032B71B1,00000001,?,?,032D0AF0,0000000C), ref: 032BD2A7
Part of subcall function 032BA682: DeleteCriticalSection.KERNEL32(00000020,?,00000001,032B70DD,?,?,00000001,?,?,032B71B1,00000001,?,?,032D0AF0,0000000C,032B726B), ref: 032BD2D1

GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 032BA9C0
GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 032BA9CD
GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 032BA9DA
GetProcAddress.KERNEL32(00000000,FlsFree), ref: 032BA9E7
TlsAlloc.KERNEL32(?,?,00000001,?,?,032B71B1,00000001,?,?,032D0AF0,0000000C,032B726B,?), ref: 032BAA37
TlsSetValue.KERNEL32(00000000,?,?,00000001,?,?,032B71B1,00000001,?,?,032D0AF0,0000000C,032B726B,?), ref: 032BAA52
__init_pointers.LIBCMT ref: 032BAA5C
__encode_pointer.LIBCMT ref: 032BAA67
__encode_pointer.LIBCMT ref: 032BAA77
__encode_pointer.LIBCMT ref: 032BAA87
__encode_pointer.LIBCMT ref: 032BAA97
__decode_pointer.LIBCMT ref: 032BAAB8
__calloc_crt.LIBCMT ref: 032BAAD1
__decode_pointer.LIBCMT ref: 032BAAEB
GetCurrentThreadId.KERNEL32 ref: 032BAB01

Strings

FlsGetValue, xrefs: 032BA9C2
FlsAlloc, xrefs: 032BA9BA
FlsSetValue, xrefs: 032BA9CF
KERNEL32.DLL, xrefs: 032BA999
FlsFree, xrefs: 032BA9DC

Memory Dump Source

Source File: 00000001.00000002.3284733718.00000000032A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 032A0000, based on PE: true

Associated: 00000001.00000002.3284715490.00000000032A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3284805123.00000000032CD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3284826114.00000000032D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3284842277.00000000032D8000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32a0000_Setup.jbxd

Similarity

API ID: AddressProc__encode_pointer$__decode_pointer$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm
String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
API String ID: 4287529916-3819984048
Opcode ID: d4c6edf1def741d68bf77c7442512ee2149a25103098006d67f54df772de268f
Instruction ID: ad895ca87593b66530b4a4b70a3311f7fcbb6ea690e611b55e883e9caaa14736
Opcode Fuzzy Hash: d4c6edf1def741d68bf77c7442512ee2149a25103098006d67f54df772de268f
Instruction Fuzzy Hash: 8731A771D323419ECB10FF75BD0CA993AB5AB427D4B68863AE42096188DBF1C5D0DF94

Function 032B4BC0 Relevance: 35.4, APIs: 17, Strings: 3, Instructions: 358networkfileCOMMON

Download Yara Rule

APIs

Part of subcall function 032B4A60: InternetConnectW.WININET(?,?,?,?,?,?,?,00000000), ref: 032B4B94

InternetQueryOptionW.WININET(?,0000001F,?,?), ref: 032B4EDB
InternetSetOptionW.WININET(?,0000001F,?,00000004), ref: 032B4EF9
HttpQueryInfoW.WININET(?,20000013,?,?,?), ref: 032B4F2B
InternetSetOptionW.WININET(?,0000002B,?,?), ref: 032B4F8F
InternetSetOptionW.WININET(?,0000002C,?,?), ref: 032B4FB8
GetDesktopWindow.USER32 ref: 032B4FCD
InternetErrorDlg.WININET(00000000,?,00002EEE,00000007,00000000), ref: 032B4FE3
__CxxThrowException@8.LIBCMT ref: 032B502C
__CxxThrowException@8.LIBCMT ref: 032B50A1
__CxxThrowException@8.LIBCMT ref: 032B4EB2

Part of subcall function 032B72FB: RaiseException.KERNEL32(?,?,032B63B9,?,?,?,?,?,032B63B9,?,032D1154,032D5B80), ref: 032B733B

FtpOpenFileW.WININET(?,?,80000000,80000002,00000000), ref: 032B4CDC

Part of subcall function 032B5230: InternetCloseHandle.WININET(?), ref: 032B5242
Part of subcall function 032B5230: InternetCloseHandle.WININET(?), ref: 032B5259

HttpOpenRequestW.WININET(?,HEAD,?,00000000,00000000,?,84400000,00000000), ref: 032B4DE4
HttpSendRequestW.WININET(?,00000000,00000000,00000000,00000000), ref: 032B4E09
GetLastError.KERNEL32(?,?,?,?,?), ref: 032B4E17
GetDesktopWindow.USER32 ref: 032B4E4B
InternetErrorDlg.WININET(00000000,?,00000000,00000007,00000000), ref: 032B4E5E
__CxxThrowException@8.LIBCMT ref: 032B50E5

Strings

HEAD, xrefs: 032B4DE2
407, xrefs: 032B4FF7, 032B506C
Download cancelled, xrefs: 032B4E7D

Memory Dump Source

Source File: 00000001.00000002.3284733718.00000000032A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 032A0000, based on PE: true

Associated: 00000001.00000002.3284715490.00000000032A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3284805123.00000000032CD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3284826114.00000000032D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3284842277.00000000032D8000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32a0000_Setup.jbxd

Similarity

API ID: Internet$Exception@8OptionThrow$ErrorHttp$CloseDesktopHandleOpenQueryRequestWindow$ConnectExceptionFileInfoLastRaiseSend
String ID: 407$Download cancelled$HEAD
API String ID: 2927758202-88966343
Opcode ID: 5fd4d5cc8d1229de1c2e9aadb557974126878810c7e325889aa8f2be7463018a
Instruction ID: d4b7783bf1646d9f58afc593e8206ecdcb69af7a95a7f1ddd13b5efee7f28f22
Opcode Fuzzy Hash: 5fd4d5cc8d1229de1c2e9aadb557974126878810c7e325889aa8f2be7463018a
Instruction Fuzzy Hash: 4ED1B371624342AFD724EB65C884FEBF3F8BF88780F444A1DE59997241D770A984CB92

Function 032AF420 Relevance: 31.9, APIs: 1, Strings: 17, Instructions: 400COMMON

Download Yara Rule

APIs

Part of subcall function 032A5580: std::_String_base::_Xlen.LIBCPMT ref: 032A55D9
Part of subcall function 032A5580: _memcpy_s.LIBCMT ref: 032A5621

__wsetlocale.LIBCMT ref: 032AF9E0

Strings

TotalProgressBar, xrefs: 032AF4D1
WizardPage, xrefs: 032AF847
GINextButton, xrefs: 032AF8DB
FileProgressBar, xrefs: 032AF51A
ElapsedTime, xrefs: 032AF6D5
WizardForm, xrefs: 032AF7FD
FileName, xrefs: 032AF5F7
LabelFont, xrefs: 032AF891
InvisibleButton, xrefs: 032AF96E
GIBackButton, xrefs: 032AF925
NextButton, xrefs: 032AF769
TotalDownloaded, xrefs: 032AF563
RemainingTime, xrefs: 032AF71F
Speed, xrefs: 032AF641
BackButton, xrefs: 032AF7B3
FileDownloaded, xrefs: 032AF5AD
Status, xrefs: 032AF68B

Memory Dump Source

Source File: 00000001.00000002.3284733718.00000000032A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 032A0000, based on PE: true

Associated: 00000001.00000002.3284715490.00000000032A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3284805123.00000000032CD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3284826114.00000000032D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3284842277.00000000032D8000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32a0000_Setup.jbxd

Similarity

API ID: String_base::_Xlen__wsetlocale_memcpy_sstd::_
String ID: BackButton$ElapsedTime$FileDownloaded$FileName$FileProgressBar$GIBackButton$GINextButton$InvisibleButton$LabelFont$NextButton$RemainingTime$Speed$Status$TotalDownloaded$TotalProgressBar$WizardForm$WizardPage
API String ID: 2284071742-1600669
Opcode ID: 667b41e9dd10534e6ed46d454027cc6f6332a541a94937beaecb6bcf1a6d2a6a
Instruction ID: 967a8d609d158b9e64f0700f47f88aba0231ec73bca341e6770408ca96da004f
Opcode Fuzzy Hash: 667b41e9dd10534e6ed46d454027cc6f6332a541a94937beaecb6bcf1a6d2a6a
Instruction Fuzzy Hash: 11023AB1829380AFC341DF29D494A4FFBE4AF99744F84491EF1998B251D7B8C588CB63

Function 032FD108 Relevance: 31.8, APIs: 14, Strings: 4, Instructions: 339filestringsynchronizationCOMMON

Download Yara Rule

APIs

SetCurrentDirectoryA.KERNEL32(00000000,00000000,032FD51C,?,00000000,032FD56E), ref: 032FD16D

Part of subcall function 032F98B0: CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00000000,032F9A9D), ref: 032F9902
Part of subcall function 032F98B0: GetTickCount.KERNEL32 ref: 032F996D
Part of subcall function 032F98B0: WaitForSingleObject.KERNEL32(00000000,00000001,033005EC,00000000,00000000,00000000,00000000,00000000,00000000,00000000,032F9A9D), ref: 032F9A52
Part of subcall function 032F98B0: CloseHandle.KERNEL32(00000000,00000000,00000001), ref: 032F9A6A

SetCurrentDirectoryA.KERNEL32(00000000,00000000,032FD51C,?,00000000,032FD56E), ref: 032FD17C
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00000001,ISSrepExtract,00000000,00000000,032FD51C,?,00000000,032FD56E), ref: 032FD23A
CloseHandle.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000001,ISSrepExtract,00000000,00000000,032FD51C,?,00000000,032FD56E), ref: 032FD49A

Part of subcall function 032EA0F4: GetFileAttributesA.KERNEL32(00000000,032EF0F5,?,032E0000), ref: 032EA0FA

DeleteFileA.KERNEL32(00000000,?,?,0334EDD4,?,?,?,00000000,00000000,00000000,00000000,00000001,ISSrepExtract,00000000,00000000,032FD51C), ref: 032FD2CD
GetTickCount.KERNEL32 ref: 032FD368
GetTickCount.KERNEL32 ref: 032FD376

Part of subcall function 032EEC74: MessageBoxW.USER32(00000000,00000000,?,ISDone.dll), ref: 032EECCD

WaitForSingleObject.KERNEL32(00000000,00000001,033005EC,00000000,00000000,?,?,0334EDD4,?,?,?,00000000,00000000,00000000,00000000,00000001), ref: 032FD43A
DeleteFileA.KERNEL32(00000000,00000000,00000001,033005EC,00000000,00000000,?,?,0334EDD4,?,?,?,00000000,00000000,00000000,00000000), ref: 032FD462
CloseHandle.KERNEL32(00000000,00000001,ISSrepExtract,00000000,00000000,032FD51C,?,00000000,032FD56E), ref: 032FD4CB
lstrcpy.KERNEL32(00000000,00000000), ref: 032FD4E0
lstrcat.KERNEL32(00000000,srep-virtual-memory.tmp), ref: 032FD4F2
DeleteFileA.KERNEL32(00000000,00000000,srep-virtual-memory.tmp,00000000,00000000,00000000,00000001,ISSrepExtract,00000000,00000000,032FD51C,?,00000000,032FD56E), ref: 032FD4FF
SetCurrentDirectoryA.KERNEL32(00000000,00000001,ISSrepExtract,00000000,00000000,032FD51C,?,00000000,032FD56E), ref: 032FD50D

Strings

ERROR_ISSREP_ACCESS_TO_OUTFILE, xrefs: 032FD2DE
srep-virtual-memory.tmp, xrefs: 032FD4E5
srep-virtual-memory.tmp, xrefs: 032FD4B4
ISSrepExtract, xrefs: 032FD1DA

Memory Dump Source

Source File: 00000001.00000002.3284871902.00000000032E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 032E0000, based on PE: true

Associated: 00000001.00000002.3284856993.00000000032E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284909890.0000000003300000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003301000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003326000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284982008.000000000332A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284995073.000000000332B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.000000000334D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.0000000003351000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285065060.0000000003353000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32e0000_Setup.jbxd

Similarity

API ID: File$CloseCountCurrentDeleteDirectoryHandleTick$CreateEventObjectSingleWait$AttributesMessagelstrcatlstrcpy
String ID: ERROR_ISSREP_ACCESS_TO_OUTFILE$ISSrepExtract$srep-virtual-memory.tmp$srep-virtual-memory.tmp
API String ID: 3793150573-1118996337
Opcode ID: 9ec7a45dc63bde166180682a1d80f83e34355561b3e44133a10c63fd31010f6b
Instruction ID: 103c67df300e4dd4e5718109be0b71bd5b1a58c7c8bac6ee330dbbeee79949df
Opcode Fuzzy Hash: 9ec7a45dc63bde166180682a1d80f83e34355561b3e44133a10c63fd31010f6b
Instruction Fuzzy Hash: DCD1D878A20245DFDB01EFA8D981B5AB7F9EF4A304F548461E904DB359DBB4ED80CB60

Function 032FDE00 Relevance: 28.3, APIs: 10, Strings: 6, Instructions: 338libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 032F98B0: CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00000000,032F9A9D), ref: 032F9902
Part of subcall function 032F98B0: GetTickCount.KERNEL32 ref: 032F996D
Part of subcall function 032F98B0: WaitForSingleObject.KERNEL32(00000000,00000001,033005EC,00000000,00000000,00000000,00000000,00000000,00000000,00000000,032F9A9D), ref: 032F9A52
Part of subcall function 032F98B0: CloseHandle.KERNEL32(00000000,00000000,00000001), ref: 032F9A6A

LoadLibraryA.KERNEL32(00000000,00000001,ISxDeltaExtract,00000000,032FE216,?,00000000,032FE268,?,?,?,?,00000006,00000000,00000000), ref: 032FDF12

Part of subcall function 032EEC74: MessageBoxW.USER32(00000000,00000000,?,ISDone.dll), ref: 032EECCD

Strings

xdelta3.dll, xrefs: 032FDEFF, 032FDF29
ERROR_XDELTA_CANT_GET_MEM, xrefs: 032FDED3
ERROR_XDELTA_ACCESS_TO_OUTFILE, xrefs: 032FE05D
ERROR_XDELTA_DLL_NOT_FOUND, xrefs: 032FDF33
XDeltaExtract, xrefs: 032FDF42
ISxDeltaExtract, xrefs: 032FDEA0

Memory Dump Source

Source File: 00000001.00000002.3284871902.00000000032E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 032E0000, based on PE: true

Associated: 00000001.00000002.3284856993.00000000032E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284909890.0000000003300000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003301000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003326000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284982008.000000000332A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284995073.000000000332B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.000000000334D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.0000000003351000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285065060.0000000003353000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32e0000_Setup.jbxd

Similarity

API ID: CloseCountCreateEventHandleLibraryLoadMessageObjectSingleTickWait
String ID: ERROR_XDELTA_ACCESS_TO_OUTFILE$ERROR_XDELTA_CANT_GET_MEM$ERROR_XDELTA_DLL_NOT_FOUND$ISxDeltaExtract$XDeltaExtract$xdelta3.dll
API String ID: 937500686-4092649639
Opcode ID: 36abf72174f9f4d03babeddfa5d02963ba0816bbcdb4cac156e2f8513cab389f
Instruction ID: c4816405b80e039abf82cfb08cffc6954feb7405554daea3916ece5ff32d4e94
Opcode Fuzzy Hash: 36abf72174f9f4d03babeddfa5d02963ba0816bbcdb4cac156e2f8513cab389f
Instruction Fuzzy Hash: 7BD14B78620245DFDB01EFA8D981B9AB7F9EF4A300F518561EA10DB365DBB0EC80CB51

Function 032F88C8 Relevance: 27.7, Strings: 22, Instructions: 163COMMON

Download Yara Rule

Strings

GENERAL_ENDING, xrefs: 032F8AF1
TIME_MIN_SHORT, xrefs: 032F8902
TIME_SEC_FULL1, xrefs: 032F89F8
TIME_TYPE4, xrefs: 032F8AA0
GENERAL_DELETING, xrefs: 032F8B0B
TIME_HOUR_SHORT, xrefs: 032F88E8
TIME_HOUR_FULL2, xrefs: 032F896A
GENERAL_SCANNING, xrefs: 032F8B25
TIME_TYPE2, xrefs: 032F8A66
TIME_SEC_FULL2, xrefs: 032F8A12
TIME_HOUR_FULL1, xrefs: 032F8950
TIME_MIN_FULL2, xrefs: 032F89BE
TIME_INFINITE, xrefs: 032F8ABD
TIME_HOUR_FULL3, xrefs: 032F8987
TIME_MIN_FULL3, xrefs: 032F89DB
TIME_TEST, xrefs: 032F8AD7
TIME_SEC_SHORT2, xrefs: 032F8936
TIME_TYPE1, xrefs: 032F8A4C
TIME_SEC_SHORT1, xrefs: 032F891C
TIME_SEC_FULL3, xrefs: 032F8A2F
TIME_TYPE3, xrefs: 032F8A83
TIME_MIN_FULL1, xrefs: 032F89A4

Memory Dump Source

Source File: 00000001.00000002.3284871902.00000000032E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 032E0000, based on PE: true

Associated: 00000001.00000002.3284856993.00000000032E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284909890.0000000003300000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003301000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003326000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284982008.000000000332A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284995073.000000000332B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.000000000334D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.0000000003351000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285065060.0000000003353000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32e0000_Setup.jbxd

Similarity

API ID: String$AllocFree
String ID: GENERAL_DELETING$GENERAL_ENDING$GENERAL_SCANNING$TIME_HOUR_FULL1$TIME_HOUR_FULL2$TIME_HOUR_FULL3$TIME_HOUR_SHORT$TIME_INFINITE$TIME_MIN_FULL1$TIME_MIN_FULL2$TIME_MIN_FULL3$TIME_MIN_SHORT$TIME_SEC_FULL1$TIME_SEC_FULL2$TIME_SEC_FULL3$TIME_SEC_SHORT1$TIME_SEC_SHORT2$TIME_TEST$TIME_TYPE1$TIME_TYPE2$TIME_TYPE3$TIME_TYPE4
API String ID: 344208780-3276255491
Opcode ID: 8347b02029dc2073e4696748d88901ba790cc408f6f029a48ccb3bb235f45f88
Instruction ID: d62ceb12f91f5d763228a5f233e2033961fd2cb824e67fd52b2e1d1c06434255
Opcode Fuzzy Hash: 8347b02029dc2073e4696748d88901ba790cc408f6f029a48ccb3bb235f45f88
Instruction Fuzzy Hash: 9A61447D7202599FC704FBD9D491A8DF3F5EF85300B908924DA14AF309DBB4AD858BA2

Function 032FF74C Relevance: 24.8, APIs: 12, Strings: 2, Instructions: 303processsynchronizationCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 032FF848
SetCurrentDirectoryA.KERNEL32(00000000,?,FFFFFFFF,?,?,00000000,00000000,00000000,00000000), ref: 032FF889
CreateProcessA.KERNEL32(00000000,00000000,0000000C,00000000,000000FF,00000010,00000000,00000000,00000044,?,0000000C,032FFB64,?,032FFB58,?,FFFFFFFF), ref: 032FF8CC
GetTickCount.KERNEL32 ref: 032FF911
WaitForSingleObject.KERNEL32(00000000,00000001,00000000,00000000,0000000C,00000000,000000FF,00000010,00000000,00000000,00000044,?,0000000C,032FFB64,?,032FFB58), ref: 032FFA59
CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000001,00000000,00000000,0000000C,00000000,000000FF,00000010,00000000,00000000,00000044,?,0000000C), ref: 032FFAB6
CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000,00000001,00000000,00000000,0000000C,00000000,000000FF,00000010,00000000,00000000,00000044,?), ref: 032FFABF
CloseHandle.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000001,00000000,00000000,0000000C,00000000,000000FF,00000010,00000000,00000000,00000044), ref: 032FFACC
SetCurrentDirectoryA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,0000000C,00000000,000000FF,00000010,00000000,00000000,00000044,?,0000000C), ref: 032FFB0C

Strings

ERROR_EXEC_LAUNCH_PROC, xrefs: 032FF8DD
D, xrefs: 032FF80F

Memory Dump Source

Source File: 00000001.00000002.3284871902.00000000032E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 032E0000, based on PE: true

Associated: 00000001.00000002.3284856993.00000000032E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284909890.0000000003300000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003301000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003326000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284982008.000000000332A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284995073.000000000332B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.000000000334D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.0000000003351000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285065060.0000000003353000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32e0000_Setup.jbxd

Similarity

API ID: CloseHandle$CreateCurrentDirectory$CountEventObjectProcessSingleTickWait
String ID: D$ERROR_EXEC_LAUNCH_PROC
API String ID: 4162529157-528195254
Opcode ID: 812327cb787179b6af1e37935a0dc674a50a069e1fe983cb9f9f85305a4f8de0
Instruction ID: 4f41007b8251f1d98d1d508b04a694897c5bd266a6c2aec526e5fff0f995ce58
Opcode Fuzzy Hash: 812327cb787179b6af1e37935a0dc674a50a069e1fe983cb9f9f85305a4f8de0
Instruction Fuzzy Hash: 4EC16E78A24309EFDB11EFA8D981B9DB7F8EB09300F554565EA14DB391DBB0AD80CB50

Function 032F1DC4 Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 184stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,00000000), ref: 032F1F4F
lstrcpy.KERNEL32(00000000,00000000), ref: 032F1F9C
lstrcat.KERNEL32(00000000,CLS.ini), ref: 032F1FAE
WritePrivateProfileStringA.KERNEL32(Precomp,Memory,00000000,00000000), ref: 032F1FDD
WritePrivateProfileStringA.KERNEL32(Precomp,TempPath,00000000,00000000), ref: 032F2008

Strings

precomp038.exe, xrefs: 032F1E33
Memory, xrefs: 032F1FD3
TempPath, xrefs: 032F1FFE
CLS.ini, xrefs: 032F1FA1
precomp041.exe, xrefs: 032F1EAD
ERROR_INIT_PRECOMP_BAD_PARAM, xrefs: 032F1F05
precomp042.exe, xrefs: 032F1EE7
Precomp, xrefs: 032F1FD8, 032F2003
precomp040.exe, xrefs: 032F1E70

Memory Dump Source

Source File: 00000001.00000002.3284871902.00000000032E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 032E0000, based on PE: true

Associated: 00000001.00000002.3284856993.00000000032E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284909890.0000000003300000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003301000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003326000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284982008.000000000332A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284995073.000000000332B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.000000000334D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.0000000003351000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285065060.0000000003353000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32e0000_Setup.jbxd

Similarity

API ID: PrivateProfileStringWritelstrcpy$lstrcat
String ID: CLS.ini$ERROR_INIT_PRECOMP_BAD_PARAM$Memory$Precomp$TempPath$precomp038.exe$precomp040.exe$precomp041.exe$precomp042.exe
API String ID: 2017939648-2088180009
Opcode ID: df0ffe8001a911b3daa7ea3f4dedfc926cf44e93a7433364bd2131a1bee76f92
Instruction ID: d6856a7ff4a6020e8a2a895c3a539fb3806269adc6529da818aadf6d8718a91d
Opcode Fuzzy Hash: df0ffe8001a911b3daa7ea3f4dedfc926cf44e93a7433364bd2131a1bee76f92
Instruction Fuzzy Hash: 6661A43C624345DFD711EF58E984A597BB8FB4B700F8445A0EA908B35AC7B0B8A1CF90

Function 032F5B2C Relevance: 22.8, APIs: 15, Instructions: 305windowCOMMON

Download Yara Rule

APIs

CreateSolidBrush.GDI32(00000000), ref: 032F5BE9
FillRect.USER32(?,?,00000000), ref: 032F5BF9
DeleteObject.GDI32(00000000), ref: 032F5BFF
SetBkMode.GDI32(?,00000001), ref: 032F5C5E
DrawTextA.USER32(?,00000000,000000FF,?,00008C04), ref: 032F5CB9
CreateSolidBrush.GDI32(00000000), ref: 032F5D02
FillRect.USER32(?,?,00000000), ref: 032F5D12
DrawFocusRect.USER32(?,?), ref: 032F5D30
DeleteObject.GDI32(00000000), ref: 032F5D36
SetTextColor.GDI32(?,00000000), ref: 032F5D4B
DrawTextA.USER32(?,00000000,000000FF,?,00008804), ref: 032F5D7E
SetTextColor.GDI32(?,00000000), ref: 032F5D92
DrawTextA.USER32(?,00000000,000000FF,?,00008806), ref: 032F5DFF
DrawTextA.USER32(?,00000000,000000FF,?,00008804), ref: 032F5E2B
DrawTextA.USER32(?,00000000,?,?,000000FF), ref: 032F5E76

Memory Dump Source

Source File: 00000001.00000002.3284871902.00000000032E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 032E0000, based on PE: true

Associated: 00000001.00000002.3284856993.00000000032E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284909890.0000000003300000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003301000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003326000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284982008.000000000332A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284995073.000000000332B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.000000000334D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.0000000003351000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285065060.0000000003353000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32e0000_Setup.jbxd

Similarity

API ID: Text$Draw$Rect$BrushColorCreateDeleteFillObjectSolid$FocusMode
String ID:
API String ID: 1332867553-0
Opcode ID: d1da3fb5514f80b2cb86a497e5c8bd2f47f6c8a090150489198c77c3df46cc1c
Instruction ID: a82a285b9b6bf5f8e3ace3cc3e794897c298ad04eb27cf725840dd6fb4a13953
Opcode Fuzzy Hash: d1da3fb5514f80b2cb86a497e5c8bd2f47f6c8a090150489198c77c3df46cc1c
Instruction Fuzzy Hash: 90C11578E202199FDB00EFA8C881EAEBBF9BF09314F644565E914EB251D770ED85CB50

Function 032B2020 Relevance: 21.3, APIs: 7, Strings: 5, Instructions: 269windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,00000005,0000000A,BackButton,0000000A,?,?,?,?,?,?,?,?,0000000A), ref: 032B20F5
EnableWindow.USER32(?), ref: 032B21D5

Part of subcall function 032A5580: std::_String_base::_Xlen.LIBCPMT ref: 032A55D9
Part of subcall function 032A5580: _memcpy_s.LIBCMT ref: 032A5621

EnableWindow.USER32(?,00000001), ref: 032B211B
ShowWindow.USER32(?,00000005,0000000A,GIBackButton,0000000C,0000000A,GIBackButton,0000000C,0000000A,NextButton,0000000A), ref: 032B2296
EnableWindow.USER32(?,00000001), ref: 032B22BC
EnableWindow.USER32(?), ref: 032B2376
SendMessageW.USER32(?,0000040A,00000000,00000000), ref: 032B23D4

Strings

TotalProgressBar, xrefs: 032B2398
GINextButton, xrefs: 032B22DF, 032B233A
GIBackButton, xrefs: 032B21F8, 032B226D
NextButton, xrefs: 032B213E, 032B2199
BackButton, xrefs: 032B2050, 032B20D0

Memory Dump Source

Source File: 00000001.00000002.3284733718.00000000032A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 032A0000, based on PE: true

Associated: 00000001.00000002.3284715490.00000000032A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3284805123.00000000032CD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3284826114.00000000032D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3284842277.00000000032D8000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32a0000_Setup.jbxd

Similarity

API ID: Window$Enable$Show$MessageSendString_base::_Xlen_memcpy_sstd::_
String ID: BackButton$GIBackButton$GINextButton$NextButton$TotalProgressBar
API String ID: 1812101747-114455261
Opcode ID: 3236ac0a5f74a0dd484c3f92d154472a774869997f9c9a9ee1172c5777b9a69d
Instruction ID: 4cf46f9f2a40422cb526f054caa993e58a37a5360e1986aead1c50eeba65030b
Opcode Fuzzy Hash: 3236ac0a5f74a0dd484c3f92d154472a774869997f9c9a9ee1172c5777b9a69d
Instruction Fuzzy Hash: 26B148B1528381AFD310EF58D494A5BFBF9AF89740F404E1DF1A54B290DBB89588CF62

Function 032F1C10 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 109stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,00000000), ref: 032F1C93
lstrcpy.KERNEL32(00000000,?), ref: 032F1CA3
lstrlen.KERNEL32(00000000,00000000,?,00000000,032F1D6A,?,?,00000000), ref: 032F1CB0
lstrcpy.KERNEL32(00000000,00000000), ref: 032F1CE1
lstrcat.KERNEL32(00000000,CLS.ini), ref: 032F1CF3
WritePrivateProfileStringA.KERNEL32(Srep,Memory,00000000,00000000), ref: 032F1D22
WritePrivateProfileStringA.KERNEL32(Srep,TempPath,00000000,00000000), ref: 032F1D4D

Strings

CLS.ini, xrefs: 032F1CE6
TempPath, xrefs: 032F1D43
Memory, xrefs: 032F1D18
WARNING_INIT_SREP_BAD_PARAM, xrefs: 032F1C70
Srep, xrefs: 032F1D1D, 032F1D48

Memory Dump Source

Source File: 00000001.00000002.3284871902.00000000032E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 032E0000, based on PE: true

Associated: 00000001.00000002.3284856993.00000000032E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284909890.0000000003300000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003301000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003326000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284982008.000000000332A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284995073.000000000332B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.000000000334D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.0000000003351000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285065060.0000000003353000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32e0000_Setup.jbxd

Similarity

API ID: lstrcpy$PrivateProfileStringWrite$lstrcatlstrlen
String ID: CLS.ini$Memory$Srep$TempPath$WARNING_INIT_SREP_BAD_PARAM
API String ID: 3938562962-3597753376
Opcode ID: c46aba02ac25bdd811ce1d261c9071e3785b56eb82094022765348e8f42c6da7
Instruction ID: 9bd2601d1975922bcff57f52e11cdce2ca6838f2115747835746c1d1a1efe716
Opcode Fuzzy Hash: c46aba02ac25bdd811ce1d261c9071e3785b56eb82094022765348e8f42c6da7
Instruction Fuzzy Hash: F241E578620245EFD701EB68D9D2E59B7E9EF4A300B944060E910CB36ACBB4BC95CB61

Function 032F8418 Relevance: 21.1, APIs: 6, Strings: 6, Instructions: 63libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(00000000,00000000,032F84FA,?,00000000,00000000,?,032FDA20,00000001,ISRarExtract,00000000,032FDC7C,?,00000000,032FDCC4), ref: 032F845F
GetProcAddress.KERNEL32(00000000,RAROpenArchive), ref: 032F8482
GetProcAddress.KERNEL32(00000000,RARCloseArchive), ref: 032F8497
GetProcAddress.KERNEL32(00000000,RARReadHeader), ref: 032F84AC
GetProcAddress.KERNEL32(00000000,RARProcessFile), ref: 032F84C1
GetProcAddress.KERNEL32(00000000,RARSetCallback), ref: 032F84D6

Strings

RARReadHeader, xrefs: 032F84A1
unrar.dll, xrefs: 032F844C
RARSetCallback, xrefs: 032F84CB
RARCloseArchive, xrefs: 032F848C
RARProcessFile, xrefs: 032F84B6
RAROpenArchive, xrefs: 032F8477

Memory Dump Source

Source File: 00000001.00000002.3284871902.00000000032E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 032E0000, based on PE: true

Associated: 00000001.00000002.3284856993.00000000032E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284909890.0000000003300000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003301000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003326000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284982008.000000000332A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284995073.000000000332B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.000000000334D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.0000000003351000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285065060.0000000003353000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32e0000_Setup.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: RARCloseArchive$RAROpenArchive$RARProcessFile$RARReadHeader$RARSetCallback$unrar.dll
API String ID: 2238633743-2008009192
Opcode ID: 1937aacdc79d969af67183f9a152b54e866c4c3ec635978b8f8a1e84758da059
Instruction ID: e0427c653c794ddb56f6812786cd5b283fb3d13ed9919c6bfe70543c72fc0d50
Opcode Fuzzy Hash: 1937aacdc79d969af67183f9a152b54e866c4c3ec635978b8f8a1e84758da059
Instruction Fuzzy Hash: 482130B9A70744EFD710FB60D99293DF7ACFB05704F95053AEA008BA09DB78A990DB14

Function 032B1CA0 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 240COMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,00000000,0000000A,BackButton,0000000A,?,?,?,?,?,?,?,?,0000000A), ref: 032B1D74
EnableWindow.USER32(?,00000000), ref: 032B1E4D

Part of subcall function 032A5580: std::_String_base::_Xlen.LIBCPMT ref: 032A55D9
Part of subcall function 032A5580: _memcpy_s.LIBCMT ref: 032A5621

EnableWindow.USER32(?,00000000), ref: 032B1D99
ShowWindow.USER32(?,00000000,0000000A,GIBackButton,0000000C,0000000A,GIBackButton,0000000C,0000000A,NextButton,0000000A), ref: 032B1F0D
EnableWindow.USER32(?,00000000), ref: 032B1F32
EnableWindow.USER32(?,00000000), ref: 032B1FE6

Strings

GINextButton, xrefs: 032B1F55, 032B1FB0
GIBackButton, xrefs: 032B1E70, 032B1EE5
NextButton, xrefs: 032B1DBC, 032B1E17
BackButton, xrefs: 032B1CD0, 032B1D50

Memory Dump Source

Source File: 00000001.00000002.3284733718.00000000032A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 032A0000, based on PE: true

Associated: 00000001.00000002.3284715490.00000000032A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3284805123.00000000032CD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3284826114.00000000032D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3284842277.00000000032D8000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32a0000_Setup.jbxd

Similarity

API ID: Window$Enable$Show$String_base::_Xlen_memcpy_sstd::_
String ID: BackButton$GIBackButton$GINextButton$NextButton
API String ID: 3471100403-2299138808
Opcode ID: e6f6b23c37cbda4c55e8a0d7ff189db604368babd83623bf9f882bdcf5fb5ecf
Instruction ID: 203b48877060b10faf46bd7341c9c63757b7aaf9897b4308d7ed25d1efc3660e
Opcode Fuzzy Hash: e6f6b23c37cbda4c55e8a0d7ff189db604368babd83623bf9f882bdcf5fb5ecf
Instruction Fuzzy Hash: 72A158B1528381AFD310EF58D494A5FFBF9AF88740F404A1DF1A54B291DBB89588CF92

Function 032EA3E0 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 166registrywindowCOMMON

Download Yara Rule

APIs

LoadCursorA.USER32(?,00007F00), ref: 032EA427
GetClassInfoA.USER32(?,?,?), ref: 032EA4D6
GetClassInfoA.USER32(?,00000000), ref: 032EA520
RegisterClassA.USER32(?), ref: 032EA544
CreateWindowExA.USER32(?), ref: 032EA553
SendMessageA.USER32(00000000,00000128,00010002,00000000), ref: 032EA570
GetWindowLongA.USER32(00000000,00000128), ref: 032EA575
SetWindowLongA.USER32(00000000,000000EB), ref: 032EA589

Strings

@, xrefs: 032EA503
, xrefs: 032EA4A6

Memory Dump Source

Source File: 00000001.00000002.3284871902.00000000032E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 032E0000, based on PE: true

Associated: 00000001.00000002.3284856993.00000000032E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284909890.0000000003300000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003301000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003326000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284982008.000000000332A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284995073.000000000332B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.000000000334D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.0000000003351000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285065060.0000000003353000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32e0000_Setup.jbxd

Similarity

API ID: ClassWindow$InfoLong$CreateCursorLoadMessageRegisterSend
String ID: $@
API String ID: 3716724952-1077428164
Opcode ID: b9e22c8428a60e5348ce17bc031725c533ea6e9b4559cd7784ec7d8906e327b7
Instruction ID: f4f22dc47d708556e15ddb1f29c6eee74dd5c3b57141e2f6dcc7f3ed63d97985
Opcode Fuzzy Hash: b9e22c8428a60e5348ce17bc031725c533ea6e9b4559cd7784ec7d8906e327b7
Instruction Fuzzy Hash: 0D51B1B56243016FDB14EF28CC86F66379CAB44214F9405BDFD55CF286EBB5E8848B60

Function 032EA41B Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 143registrywindowCOMMON

Download Yara Rule

APIs

LoadCursorA.USER32(?,00007F00), ref: 032EA427
GetClassInfoA.USER32(?,?,?), ref: 032EA4D6
GetClassInfoA.USER32(?,00000000), ref: 032EA520
RegisterClassA.USER32(?), ref: 032EA544
CreateWindowExA.USER32(?), ref: 032EA553
SendMessageA.USER32(00000000,00000128,00010002,00000000), ref: 032EA570
GetWindowLongA.USER32(00000000,00000128), ref: 032EA575
SetWindowLongA.USER32(00000000,000000EB), ref: 032EA589

Strings

@, xrefs: 032EA503
, xrefs: 032EA4A6

Memory Dump Source

Source File: 00000001.00000002.3284871902.00000000032E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 032E0000, based on PE: true

Associated: 00000001.00000002.3284856993.00000000032E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284909890.0000000003300000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003301000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003326000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284982008.000000000332A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284995073.000000000332B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.000000000334D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.0000000003351000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285065060.0000000003353000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32e0000_Setup.jbxd

Similarity

API ID: ClassWindow$InfoLong$CreateCursorLoadMessageRegisterSend
String ID: $@
API String ID: 3716724952-1077428164
Opcode ID: 6bfe1b04b4db5331d1f0aa4d9a912845b39553eeb74425a65737e1ab0717f261
Instruction ID: 6f2d30edad84e37b339d71616886cb33ab4515db2d3682cece05443ea45c3121
Opcode Fuzzy Hash: 6bfe1b04b4db5331d1f0aa4d9a912845b39553eeb74425a65737e1ab0717f261
Instruction Fuzzy Hash: CD41B0B5624301AFDB14DF28CC86F6637ECAB44314F94066DFD55CE286EBB5E8848B60

Function 032F8D68 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 113filewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 032EA0F4: GetFileAttributesA.KERNEL32(00000000,032EF0F5,?,032E0000), ref: 032EA0FA

CreateFileA.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,.ini,?,?,00000000,032F8EB2), ref: 032F8DDF
GetFileSize.KERNEL32(00000000,00000000,00000000,80000000,00000003,00000000,00000003,00000080,00000000,.ini,?,?,00000000,032F8EB2), ref: 032F8DE9
ReadFile.KERNEL32(00000000,?,00000000,?,00000000,00000000,00000000,00000000,80000000,00000003,00000000,00000003,00000080,00000000,.ini,?), ref: 032F8E06
CloseHandle.KERNEL32(00000000,00000000,?,00000000,?,00000000,00000000,00000000,00000000,80000000,00000003,00000000,00000003,00000080,00000000,.ini), ref: 032F8E1B
MessageBoxA.USER32(00000000,00000000,ISDone.dll,00000010), ref: 032F8E57
MessageBoxA.USER32(00000000,00000000,ISDone.dll,00000010), ref: 032F8E80

Strings

Error reading language file:, xrefs: 032F8E42
Language file not found:, xrefs: 032F8E6B
.ini, xrefs: 032F8DA2
ISDone.dll, xrefs: 032F8E37, 032F8E60

Memory Dump Source

Source File: 00000001.00000002.3284871902.00000000032E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 032E0000, based on PE: true

Associated: 00000001.00000002.3284856993.00000000032E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284909890.0000000003300000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003301000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003326000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284982008.000000000332A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284995073.000000000332B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.000000000334D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.0000000003351000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285065060.0000000003353000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32e0000_Setup.jbxd

Similarity

API ID: File$Message$AttributesCloseCreateHandleReadSize
String ID: .ini$Error reading language file:$ISDone.dll$Language file not found:
API String ID: 2808008008-1449693759
Opcode ID: c19ae9d449d01c0eb48ceb0705d84477c16c3dd66377b3ef9c4c6a2eb6a322e6
Instruction ID: a609815becc052b22b185cddfb5dad7cc9c8ac8e020404ff9d73d9cf6eca43a6
Opcode Fuzzy Hash: c19ae9d449d01c0eb48ceb0705d84477c16c3dd66377b3ef9c4c6a2eb6a322e6
Instruction Fuzzy Hash: D4311539660309AEDB10FB91CC52FBEF7A99F45604F944075B604AB280DBB0AE8586A1

Function 032FB764 Relevance: 16.1, APIs: 8, Strings: 1, Instructions: 311filesynchronizationCOMMON

Download Yara Rule

APIs

SetCurrentDirectoryA.KERNEL32(00000000,00000001,IS7zipExtract,00000000,032FBB1B,?,00000000,032FBB80), ref: 032FB85D
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,032FBB80), ref: 032FB8AD
GetTickCount.KERNEL32 ref: 032FB95F
GetTickCount.KERNEL32 ref: 032FB96D
WaitForSingleObject.KERNEL32(00000000,00000001,033005EC,00000000,00000000,?,?,?,00000000,032FBB80), ref: 032FBA67
DeleteFileA.KERNEL32(00000000), ref: 032FBAA9

Part of subcall function 032F2448: PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 032F2465

CloseHandle.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,032FBB80), ref: 032FBAE1
SetCurrentDirectoryA.KERNEL32(00000000,00000001,IS7zipExtract,00000000,032FBB1B,?,00000000,032FBB80), ref: 032FBB0C

Strings

IS7zipExtract, xrefs: 032FB813

Memory Dump Source

Source File: 00000001.00000002.3284871902.00000000032E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 032E0000, based on PE: true

Associated: 00000001.00000002.3284856993.00000000032E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284909890.0000000003300000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003301000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003326000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284982008.000000000332A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284995073.000000000332B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.000000000334D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.0000000003351000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285065060.0000000003353000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32e0000_Setup.jbxd

Similarity

API ID: CountCurrentDirectoryTick$CloseCreateDeleteEventFileHandleMessageObjectPeekSingleWait
String ID: IS7zipExtract
API String ID: 3498615599-2930274208
Opcode ID: 7b749940d31db6618d4dcd17d11435f8c5751503d108352c935bb99a801b1a78
Instruction ID: b0955f45c431af61a00c064687d4b73b67dcc2f064795683b01f54b1a0134e93
Opcode Fuzzy Hash: 7b749940d31db6618d4dcd17d11435f8c5751503d108352c935bb99a801b1a78
Instruction Fuzzy Hash: 96C1E778620245DFDB41EFA8D881B9DBBF8AF4A300F548161E914DB365CBB5ED84CB50

Function 032FD948 Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 265filesynchronizationCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00000001,ISRarExtract,00000000,032FDC7C,?,00000000,032FDCC4), ref: 032FDA79
CloseHandle.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000001,ISRarExtract,00000000,032FDC7C,?,00000000,032FDCC4), ref: 032FDC55

Part of subcall function 032E3DBC: CreateThread.KERNEL32(0000000C,00000000,032E3D84,00000000,FFFFFFFF,?), ref: 032E3DF2

GetTickCount.KERNEL32 ref: 032FDAED
GetTickCount.KERNEL32 ref: 032FDAFB
WaitForSingleObject.KERNEL32(00000000,00000001,033005EC,00000000,00000000,?,FFFFFFFF,00000000,00000000,00000000,00000000,00000001,ISRarExtract,00000000,032FDC7C), ref: 032FDBF5
DeleteFileA.KERNEL32(00000000,00000000,00000001), ref: 032FDC1D

Strings

unrar.dll, xrefs: 032FDA29
ISRarExtract, xrefs: 032FD9E3
ERROR_ISRAR_DLL_NOT_FOUND, xrefs: 032FDA2E

Memory Dump Source

Source File: 00000001.00000002.3284871902.00000000032E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 032E0000, based on PE: true

Associated: 00000001.00000002.3284856993.00000000032E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284909890.0000000003300000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003301000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003326000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284982008.000000000332A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284995073.000000000332B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.000000000334D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.0000000003351000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285065060.0000000003353000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32e0000_Setup.jbxd

Similarity

API ID: CountCreateTick$CloseDeleteEventFileHandleObjectSingleThreadWait
String ID: ERROR_ISRAR_DLL_NOT_FOUND$ISRarExtract$unrar.dll
API String ID: 492114766-3340379088
Opcode ID: ba0b460cbb3d6976a8af668449e3c64c583747c31736a3e6ca4328c5f8c5511d
Instruction ID: ef945401a89cd5f67b8d270eb810acbfa82dabb21574ee7c77a1e6bb4656bd57
Opcode Fuzzy Hash: ba0b460cbb3d6976a8af668449e3c64c583747c31736a3e6ca4328c5f8c5511d
Instruction Fuzzy Hash: 07A11878624285DFD701EF68D9C1B59B7F9EF4A300F5485A0EA40DB36ACBB4AC80CB50

Function 032FF0D0 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 122processsynchronizationthreadCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(00000000,00000000,0000000C,00000000,000000FF,00000020,00000000,00000000,00000044,?,?,032FF27C,?,032FF270,00000000,032FF258), ref: 032FF1A4
TerminateProcess.KERNEL32(?,00000000,?,?,?,00000001,00000000,00000000,0000000C,00000000,000000FF,00000020,00000000,00000000,00000044,?), ref: 032FF1C9
WaitForSingleObject.KERNEL32(?,00000001,00000000,00000000,0000000C,00000000,000000FF,00000020,00000000,00000000,00000044,?,?,032FF27C,?,032FF270), ref: 032FF1D6
GetExitCodeProcess.KERNEL32(?,?), ref: 032FF1EA
SetEvent.KERNEL32(00000000,00000000,00000000,0000000C,00000000,000000FF,00000020,00000000,00000000,00000044,?,?,032FF27C,?,032FF270,00000000), ref: 032FF20E
CloseHandle.KERNEL32(?,00000000,00000000,00000000,0000000C,00000000,000000FF,00000020,00000000,00000000,00000044,?,?,032FF27C,?,032FF270), ref: 032FF220
CloseHandle.KERNEL32(?,?,00000000,00000000,00000000,0000000C,00000000,000000FF,00000020,00000000,00000000,00000044,?,?,032FF27C,?), ref: 032FF229
RtlExitUserThread.KERNEL32(00000000,?,?,00000000,00000000,00000000,0000000C,00000000,000000FF,00000020,00000000,00000000,00000044,?,?,032FF27C), ref: 032FF230

Strings

D, xrefs: 032FF111

Memory Dump Source

Source File: 00000001.00000002.3284871902.00000000032E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 032E0000, based on PE: true

Associated: 00000001.00000002.3284856993.00000000032E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284909890.0000000003300000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003301000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003326000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284982008.000000000332A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284995073.000000000332B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.000000000334D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.0000000003351000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285065060.0000000003353000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32e0000_Setup.jbxd

Similarity

API ID: Process$CloseExitHandle$CodeCreateEventObjectSingleTerminateThreadUserWait
String ID: D
API String ID: 3480772335-2746444292
Opcode ID: 4d6cc75c9acd246bb1ab40b3c41040fd412170a5d22e405b422c5b2c64fd4876
Instruction ID: 315f79338c04b123d36e0cd4c338bcbd4bf0885f85cd47f17ac16c4d5ef3345f
Opcode Fuzzy Hash: 4d6cc75c9acd246bb1ab40b3c41040fd412170a5d22e405b422c5b2c64fd4876
Instruction Fuzzy Hash: 99414079A24309EFDB00EBA4CD41BDEB7F8AF49700F604165E614EB295DBB4E980CB54

Function 032B1610 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 92COMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 032B1642
SelectObject.GDI32(00000000), ref: 032B1685
GetTextExtentPoint32W.GDI32(00000000,?,?,?), ref: 032B16BE
ReleaseDC.USER32(0000000F,00000000), ref: 032B16C6
GetWindowRect.USER32(0000000F,9449D6F8), ref: 032B16D2
GetParent.USER32(0000000F), ref: 032B16E0
MapWindowPoints.USER32(00000000,00000000,?,?), ref: 032B16E9
MoveWindow.USER32(0000000F,?,0000000F,?,?,00000000,?,?,LabelFont,00000009), ref: 032B170A

Strings

LabelFont, xrefs: 032B164A

Memory Dump Source

Source File: 00000001.00000002.3284733718.00000000032A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 032A0000, based on PE: true

Associated: 00000001.00000002.3284715490.00000000032A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3284805123.00000000032CD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3284826114.00000000032D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3284842277.00000000032D8000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32a0000_Setup.jbxd

Similarity

API ID: Window$ExtentMoveObjectParentPoint32PointsRectReleaseSelectText
String ID: LabelFont
API String ID: 2456833781-2346607873
Opcode ID: 0a5604b76ec70684ebf8a0ed3b881765041e067d7cf0ffba5fd570a2995cee23
Instruction ID: ef80117ffcffd7e29ca6ae501d2a73fb73fa8282a94bf9f0ac2c0d9a9da536f3
Opcode Fuzzy Hash: 0a5604b76ec70684ebf8a0ed3b881765041e067d7cf0ffba5fd570a2995cee23
Instruction Fuzzy Hash: 1D312FB6128340AFD304DF54D849F6BBBF9EB89740F00892DF69586280D7B5A945CB62

Function 032BA6BF Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 46libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(KERNEL32.DLL,032D0BA8,0000000C,032BA7D1,00000000,00000000,?,00000000), ref: 032BA6D0
GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 032BA6F9
GetProcAddress.KERNEL32(EC83EC8B,DecodePointer), ref: 032BA709
InterlockedIncrement.KERNEL32(032D47F8), ref: 032BA72B
__lock.LIBCMT ref: 032BA733
___addlocaleref.LIBCMT ref: 032BA752

Strings

DecodePointer, xrefs: 032BA701
KERNEL32.DLL, xrefs: 032BA6CB
EncodePointer, xrefs: 032BA6ED

Memory Dump Source

Source File: 00000001.00000002.3284733718.00000000032A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 032A0000, based on PE: true

Associated: 00000001.00000002.3284715490.00000000032A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3284805123.00000000032CD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3284826114.00000000032D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3284842277.00000000032D8000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32a0000_Setup.jbxd

Similarity

API ID: AddressProc$HandleIncrementInterlockedModule___addlocaleref__lock
String ID: DecodePointer$EncodePointer$KERNEL32.DLL
API String ID: 1036688887-2843748187
Opcode ID: 5387834dbcb1645a14c3aaabe2a8d642ce0eb2fea0f1700666a7fd1781420376
Instruction ID: e009b17c387ff6b3d41b144ef58ed00823fe9c9a152fb67df14d6d62c3b5a554
Opcode Fuzzy Hash: 5387834dbcb1645a14c3aaabe2a8d642ce0eb2fea0f1700666a7fd1781420376
Instruction Fuzzy Hash: 46117C74964741AFD720EF3AE844B9EBBF4AF04744F10892DD4A996650DBB4A9808F50

Function 032E2994 Relevance: 15.1, APIs: 10, Instructions: 129fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 032E2A1C
GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 032E2A40
SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 032E2A5C
ReadFile.KERNEL32(?,?,00000080,?,00000000,00000000,?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000001,00000000), ref: 032E2A7D
SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 032E2AA6
SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 032E2AB4
GetStdHandle.KERNEL32(000000F5), ref: 032E2AEF
GetFileType.KERNEL32(?,000000F5), ref: 032E2B05
CloseHandle.KERNEL32(?,?,000000F5), ref: 032E2B20
GetLastError.KERNEL32(000000F5), ref: 032E2B38

Memory Dump Source

Source File: 00000001.00000002.3284871902.00000000032E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 032E0000, based on PE: true

Associated: 00000001.00000002.3284856993.00000000032E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284909890.0000000003300000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003301000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003326000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284982008.000000000332A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284995073.000000000332B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.000000000334D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.0000000003351000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285065060.0000000003353000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32e0000_Setup.jbxd

Similarity

API ID: File$HandlePointer$CloseCreateErrorLastReadSizeType
String ID:
API String ID: 1694776339-0
Opcode ID: 9343704c6abddec5391d652b6898923e5105363f1cf6d1b1b50ae36af8a5f490
Instruction ID: 039c47234fe81841e577ac1ee2858051dd039dc77d25fcc99ecf33f8dc58f5ca
Opcode Fuzzy Hash: 9343704c6abddec5391d652b6898923e5105363f1cf6d1b1b50ae36af8a5f490
Instruction Fuzzy Hash: AC417038130712EAE730FF24C907B62B5EDEB05710FE89E2D90D78A6D4D6B5A8C18751

Function 032B8A19 Relevance: 15.1, APIs: 10, Instructions: 91COMMONLIBRARYCODE

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 032B8A2F

Part of subcall function 032B9173: __calloc_impl.LIBCMT ref: 032B9181
Part of subcall function 032B9173: Sleep.KERNEL32(00000000,00000000,032BA7A8,00000001,00000214,?,00000000), ref: 032B9198

__calloc_crt.LIBCMT ref: 032B8A52
__calloc_crt.LIBCMT ref: 032B8A6E
__copytlocinfo_nolock.LIBCMT ref: 032B8A93
__setlocale_nolock.LIBCMT ref: 032B8AA2
___removelocaleref.LIBCMT ref: 032B8AAE
___freetlocinfo.LIBCMT ref: 032B8AB5
__setmbcp_nolock.LIBCMT ref: 032B8ACD
___removelocaleref.LIBCMT ref: 032B8AE2
___freetlocinfo.LIBCMT ref: 032B8AE9

Memory Dump Source

Source File: 00000001.00000002.3284733718.00000000032A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 032A0000, based on PE: true

Associated: 00000001.00000002.3284715490.00000000032A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3284805123.00000000032CD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3284826114.00000000032D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3284842277.00000000032D8000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32a0000_Setup.jbxd

Similarity

API ID: __calloc_crt$___freetlocinfo___removelocaleref$Sleep__calloc_impl__copytlocinfo_nolock__setlocale_nolock__setmbcp_nolock
String ID:
API String ID: 2969281212-0
Opcode ID: 55e71dc99191ce9820305bbda8bd3af736d063a201043261bb0bd002b8ad3b5d
Instruction ID: 42ab2c600ca2dbafc29e399837ef7fd012701f2b8dcaa954739c0fa2a01acc89
Opcode Fuzzy Hash: 55e71dc99191ce9820305bbda8bd3af736d063a201043261bb0bd002b8ad3b5d
Instruction Fuzzy Hash: 4B219779134742DFEA21FF24D804A9AFBF9DF807D0F18441DE5899E190EFB198C08655

Function 032B19E0 Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 193windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,00000000,?,BackButton,0000000A), ref: 032B1AA5
ShowWindow.USER32(?,00000000,?,GIBackButton,0000000C,?,00000000,?,BackButton,0000000A), ref: 032B1AFB
EnableWindow.USER32(?,00000001), ref: 032B1BAE

Part of subcall function 032A5580: std::_String_base::_Xlen.LIBCPMT ref: 032A55D9
Part of subcall function 032A5580: _memcpy_s.LIBCMT ref: 032A5621

SendMessageW.USER32(0000000C,00000111,00000000), ref: 032B1C41

Strings

GIBackButton, xrefs: 032B1A15, 032B1AC9
NextButton, xrefs: 032B1B1F, 032B1B7B, 032B1BD2
BackButton, xrefs: 032B1A73
WizardForm, xrefs: 032B1BF6

Memory Dump Source

Source File: 00000001.00000002.3284733718.00000000032A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 032A0000, based on PE: true

Associated: 00000001.00000002.3284715490.00000000032A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3284805123.00000000032CD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3284826114.00000000032D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3284842277.00000000032D8000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32a0000_Setup.jbxd

Similarity

API ID: Window$Show$EnableMessageSendString_base::_Xlen_memcpy_sstd::_
String ID: BackButton$GIBackButton$NextButton$WizardForm
API String ID: 1250478854-632213285
Opcode ID: 36b884c3bd87e8d0e39b7e7c7b2868bc04ef85abc152e82416dced3849fe559f
Instruction ID: a4988982d60245a01c40a71710cf238c1c0adefe4f8156f8bb2bb1d30c26465b
Opcode Fuzzy Hash: 36b884c3bd87e8d0e39b7e7c7b2868bc04ef85abc152e82416dced3849fe559f
Instruction Fuzzy Hash: BC714AB5928380AFD310DF68C490A5BFBF9AB99740F504A1DF2A1472A0D7B4D484CF53

Function 032FA340 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 183stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(?,-00000002), ref: 032FA38A
OemToCharA.USER32(?,00000000), ref: 032FA3BD

Strings

password?, xrefs: 032FA36F
write, xrefs: 032FA474
error, xrefs: 032FA4C3
ERROR_ISARC_UNKNOWN, xrefs: 032FA53A
filename, xrefs: 032FA3A1
origsize, xrefs: 032FA44E

Memory Dump Source

Source File: 00000001.00000002.3284871902.00000000032E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 032E0000, based on PE: true

Associated: 00000001.00000002.3284856993.00000000032E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284909890.0000000003300000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003301000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003326000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284982008.000000000332A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284995073.000000000332B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.000000000334D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.0000000003351000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285065060.0000000003353000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32e0000_Setup.jbxd

Similarity

API ID: Charlstrcpy
String ID: ERROR_ISARC_UNKNOWN$error$filename$origsize$password?$write
API String ID: 63126397-1645465059
Opcode ID: 62f900b6446dc5d541bdc523541cd471d914f9987db5ce01601b991cf63916be
Instruction ID: d5d329a466f3d224c65f9fe3ce168d36c1e57b5d80b748d452688dc4fc3acbb2
Opcode Fuzzy Hash: 62f900b6446dc5d541bdc523541cd471d914f9987db5ce01601b991cf63916be
Instruction Fuzzy Hash: 68714E7CA202499FCB00EF68D585AA9B3B9EB49310F948061EA149B355CBB4EDC1CF21

Function 0332F028 Relevance: 13.8, APIs: 9, Instructions: 261COMMONLIBRARYCODE

Download Yara Rule

APIs

_memcpy_s.LIBCMT ref: 0332F0F5
std::exception::exception.LIBCMT ref: 0332F1A7

Part of subcall function 033340D2: _strlen.LIBCMT ref: 033340EC
Part of subcall function 033340D2: _malloc.LIBCMT ref: 033340F5
Part of subcall function 033340D2: _strcpy_s.LIBCMT ref: 03334107

__CxxThrowException@8.LIBCMT ref: 0332F1B9
std::_String_base::_Xlen.LIBCPMT ref: 0332F069

Part of subcall function 03344799: __EH_prolog3.LIBCMT ref: 033447A0
Part of subcall function 03344799: std::bad_exception::bad_exception.LIBCMT ref: 033447BD
Part of subcall function 03344799: __CxxThrowException@8.LIBCMT ref: 033447CB

std::_String_base::_Xlen.LIBCPMT ref: 0332F097

Memory Dump Source

Source File: 00000001.00000002.3284995073.000000000332B000.00000008.00000001.01000000.00000007.sdmp, Offset: 032E0000, based on PE: true

Associated: 00000001.00000002.3284856993.00000000032E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284871902.00000000032E1000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284909890.0000000003300000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003301000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003326000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284982008.000000000332A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.000000000334D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.0000000003351000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285065060.0000000003353000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32e0000_Setup.jbxd

Similarity

API ID: Exception@8String_base::_ThrowXlenstd::_$H_prolog3_malloc_memcpy_s_strcpy_s_strlenstd::bad_exception::bad_exceptionstd::exception::exception
String ID:
API String ID: 1069385958-0
Opcode ID: b8d154489d6d1312c8d8dc826f59ed662170ecd02565bb381dade210b7776bc4
Instruction ID: 9699141127ae5b54a9a8ed8c67c29e4d7cbe401666c6ed3c243776a2956105ba
Opcode Fuzzy Hash: b8d154489d6d1312c8d8dc826f59ed662170ecd02565bb381dade210b7776bc4
Instruction Fuzzy Hash: FBA17C79E00214DFDB08CF98C9C4AAEBBB6EF49310F558269E8166B395D730ED40CB91

Function 032E90BC Relevance: 13.7, APIs: 9, Instructions: 186windowCOMMON

Download Yara Rule

APIs

PostQuitMessage.USER32(00000000), ref: 032E9125
SetWindowLongA.USER32(?,000000EB,00000000), ref: 032E9152

Memory Dump Source

Source File: 00000001.00000002.3284871902.00000000032E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 032E0000, based on PE: true

Associated: 00000001.00000002.3284856993.00000000032E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284909890.0000000003300000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003301000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003326000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284982008.000000000332A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284995073.000000000332B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.000000000334D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.0000000003351000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285065060.0000000003353000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32e0000_Setup.jbxd

Similarity

API ID: LongMessagePostQuitWindow
String ID:
API String ID: 2279192769-0
Opcode ID: b9a2ef5621a5e18fe06c18e2d9a9205f2edec86ab2e2174e6a025797b5075dcc
Instruction ID: 7419a456517c29e3c36f0b34085f211c6663fa74ebf05457ecbe8f4626878ece
Opcode Fuzzy Hash: b9a2ef5621a5e18fe06c18e2d9a9205f2edec86ab2e2174e6a025797b5075dcc
Instruction Fuzzy Hash: 6B5117387347129BDF21F729C8477A9B396AB01B10FE88557D055CB2D1DBACE8C28B91

Function 032F64A0 Relevance: 12.5, APIs: 2, Strings: 5, Instructions: 292COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 032F64FC

Part of subcall function 032E9330: SetWindowLongA.USER32(?,000000F0,?), ref: 032E934C
Part of subcall function 032E9330: SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000037,00000000,032F663B,?,00000000,032F691D,?,?,00000000,00000000), ref: 032E9351

Part of subcall function 032E9B60: GetSystemMetrics.USER32(00000001), ref: 032E9B6F
Part of subcall function 032E9B60: GetSystemMetrics.USER32(00000000), ref: 032E9B77

Part of subcall function 032E9784: DeleteObject.GDI32(00000000), ref: 032E97C5

Part of subcall function 032E9364: SendMessageA.USER32(?,0000000C,00000000,?), ref: 032E9381

Part of subcall function 032E3DBC: CreateThread.KERNEL32(0000000C,00000000,032E3D84,00000000,FFFFFFFF,?), ref: 032E3DF2

GetTickCount.KERNEL32 ref: 032F68A2

Part of subcall function 032E4480: SysFreeString.OLEAUT32(088B90C3), ref: 032E448E

Strings

BUTTON_CANCEL, xrefs: 032F67C3
CHANGE_DISK_TITLE, xrefs: 032F65A5
MS Sans Serif, xrefs: 032F6605
BUTTON_BROWSE, xrefs: 032F6761
CHANGE_DISK_LABEL, xrefs: 032F66BE

Memory Dump Source

Source File: 00000001.00000002.3284871902.00000000032E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 032E0000, based on PE: true

Associated: 00000001.00000002.3284856993.00000000032E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284909890.0000000003300000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003301000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003326000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284982008.000000000332A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284995073.000000000332B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.000000000334D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.0000000003351000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285065060.0000000003353000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32e0000_Setup.jbxd

Similarity

API ID: CountMetricsSystemTickWindow$CreateDeleteFreeLongMessageObjectSendStringThread
String ID: BUTTON_BROWSE$BUTTON_CANCEL$CHANGE_DISK_LABEL$CHANGE_DISK_TITLE$MS Sans Serif
API String ID: 3567485605-521435440
Opcode ID: d20ba28155fcccd92d2f2367ad52bcc2d867bfda2d350221fb19d0599f83a98b
Instruction ID: 043e79337f2ea153c83bb83a1356831ad9e378b1b7881279cc0c0849f104108e
Opcode Fuzzy Hash: d20ba28155fcccd92d2f2367ad52bcc2d867bfda2d350221fb19d0599f83a98b
Instruction Fuzzy Hash: D3C15D38A202499FDB00FB68D481A9DB7EAFF89300F958125D5109F394DFB5ACC68B64

Function 032E8F72 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 91COMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,00000000), ref: 032E8F98
DestroyCursor.USER32(?), ref: 032E8FE1
IsWindow.USER32(?), ref: 032E8FE9
SetWindowLongA.USER32(?,000000EB,00000000), ref: 032E8FF9
73A15CF0.USER32(?,?,000000EB,00000000,?), ref: 032E9001
DeleteObject.GDI32(00000000), ref: 032E9035

Strings

, xrefs: 032E900D

Memory Dump Source

Source File: 00000001.00000002.3284871902.00000000032E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 032E0000, based on PE: true

Associated: 00000001.00000002.3284856993.00000000032E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284909890.0000000003300000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003301000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003326000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284982008.000000000332A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284995073.000000000332B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.000000000334D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.0000000003351000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285065060.0000000003353000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32e0000_Setup.jbxd

Similarity

API ID: Window$CursorDeleteDestroyLongObjectShow
String ID:
API String ID: 4291195375-3916222277
Opcode ID: a256461e15513a06332087f24d2c2cdf33c715cbd907f1210fb96925ffa50600
Instruction ID: e29b1f552af4e7e36626c7fcf0238dcba5b2d7cdd6640c5d28f50f591b9c1f08
Opcode Fuzzy Hash: a256461e15513a06332087f24d2c2cdf33c715cbd907f1210fb96925ffa50600
Instruction Fuzzy Hash: 24319F392303019ACB29FF24D882B663796EF00715FD444BE9A45DF187DBB9D8C68A54

Function 032AC740 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 76COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 032AC78D

Part of subcall function 032B72FB: RaiseException.KERNEL32(?,?,032B63B9,?,?,?,?,?,032B63B9,?,032D1154,032D5B80), ref: 032B733B

__CxxThrowException@8.LIBCMT ref: 032AC7D1
__CxxThrowException@8.LIBCMT ref: 032AC815
__CxxThrowException@8.LIBCMT ref: 032AC854

Strings

ios_base::eofbit set, xrefs: 032AC81A
ios_base::failbit set, xrefs: 032AC7DB
ios_base::badbit set, xrefs: 032AC797

Memory Dump Source

Source File: 00000001.00000002.3284733718.00000000032A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 032A0000, based on PE: true

Associated: 00000001.00000002.3284715490.00000000032A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3284805123.00000000032CD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3284826114.00000000032D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3284842277.00000000032D8000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32a0000_Setup.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 3476068407-1866435925
Opcode ID: 9fad7d1424024311133149c9b79492c655553da86748f227b89b829ff431aabc
Instruction ID: 9f7301a0875415739614c7cf56b688297265e67a517232b934f819462b271ae4
Opcode Fuzzy Hash: 9fad7d1424024311133149c9b79492c655553da86748f227b89b829ff431aabc
Instruction Fuzzy Hash: 42318475178784AFC315DB58DC41F9BB7E4BF88700F448A1CB1A98A581DBB4A185CB52

Function 032B604E Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 73threadCOMMON

Download Yara Rule

APIs

___set_flsgetvalue.LIBCMT ref: 032B6081
__calloc_crt.LIBCMT ref: 032B608D
CreateThread.KERNEL32(00000000,?,`F,00000000,00000004,00000000), ref: 032B60C0
ResumeThread.KERNEL32(00000000,?,?,?,?,?,032AA016,032A1EE0,00000000,032D6680), ref: 032B60D0
GetLastError.KERNEL32(?,?,?,?,?,032AA016,032A1EE0,00000000,032D6680), ref: 032B60DB
__dosmaperr.LIBCMT ref: 032B60F3

Part of subcall function 032B77C4: __getptd_noexit.LIBCMT ref: 032B77C4

Part of subcall function 032B620B: __decode_pointer.LIBCMT ref: 032B6214

Strings

`F, xrefs: 032B60B1

Memory Dump Source

Source File: 00000001.00000002.3284733718.00000000032A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 032A0000, based on PE: true

Associated: 00000001.00000002.3284715490.00000000032A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3284805123.00000000032CD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3284826114.00000000032D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3284842277.00000000032D8000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32a0000_Setup.jbxd

Similarity

API ID: Thread$CreateErrorLastResume___set_flsgetvalue__calloc_crt__decode_pointer__dosmaperr__getptd_noexit
String ID: `F
API String ID: 4018905736-510860190
Opcode ID: 84705a95a60a51137dae77fbd10236e3fe9492bbe0b4667c1396e4baa053ecb6
Instruction ID: 2db8c8606dd8bf9b0da44c91b02e572a4ebdfd6f773ef4c2ed3f00388b4da32e
Opcode Fuzzy Hash: 84705a95a60a51137dae77fbd10236e3fe9492bbe0b4667c1396e4baa053ecb6
Instruction Fuzzy Hash: 3D1104B5931300AFDB20FF799C848DEBBB8FF403B4B20462AE5159B1C0DBB185808560

Function 032E3C08 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 38filewindowCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,032E3CD6,?,?,?,00000001,032E3D76,032E26EB,032E2733,?,00000000), ref: 032E3C41
WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,032E3CD6,?,?,?,00000001,032E3D76,032E26EB,032E2733,?), ref: 032E3C47
GetStdHandle.KERNEL32(000000F5,032E3C90,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,032E3CD6), ref: 032E3C5C
WriteFile.KERNEL32(00000000,000000F5,032E3C90,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,032E3CD6), ref: 032E3C62
MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 032E3C80

Strings

Runtime error at 00000000, xrefs: 032E3C3A, 032E3C79
Error, xrefs: 032E3C74

Memory Dump Source

Source File: 00000001.00000002.3284871902.00000000032E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 032E0000, based on PE: true

Associated: 00000001.00000002.3284856993.00000000032E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284909890.0000000003300000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003301000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003326000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284982008.000000000332A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284995073.000000000332B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.000000000334D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.0000000003351000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285065060.0000000003353000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32e0000_Setup.jbxd

Similarity

API ID: FileHandleWrite$Message
String ID: Error$Runtime error at 00000000
API String ID: 1570097196-2970929446
Opcode ID: 2ca457757740b008fd21242cf9739552f95c850fd0e4c6a6d3d4bfc7214ca13a
Instruction ID: f44acedda54439066fe8922a40aab1908b3289998506d0a9589e2b8505714e75
Opcode Fuzzy Hash: 2ca457757740b008fd21242cf9739552f95c850fd0e4c6a6d3d4bfc7214ca13a
Instruction Fuzzy Hash: 96F06DAC7A435978E624F3549E8BF9E225C6745F12FD44659F3246E0C68BF8B0C49322

Function 0332B398 Relevance: 12.2, APIs: 8, Instructions: 246COMMON

Download Yara Rule

APIs

std::exception::exception.LIBCMT ref: 0332B3D6

Part of subcall function 03334142: _strlen.LIBCMT ref: 03334167
Part of subcall function 03334142: _malloc.LIBCMT ref: 03334170
Part of subcall function 03334142: _strcpy_s.LIBCMT ref: 03334183

std::_String_base::_Xlen.LIBCPMT ref: 0332B42A

Part of subcall function 0334464D: __EH_prolog3.LIBCMT ref: 03344654
Part of subcall function 0334464D: std::bad_exception::bad_exception.LIBCMT ref: 03344671
Part of subcall function 0334464D: __CxxThrowException@8.LIBCMT ref: 0334467F
Part of subcall function 0334464D: std::_String_base::_Xlen.LIBCPMT ref: 03344693

std::_String_base::_Xlen.LIBCPMT ref: 0332B650
_memmove_s.LIBCMT ref: 0332B6A1

Memory Dump Source

Source File: 00000001.00000002.3284995073.000000000332B000.00000008.00000001.01000000.00000007.sdmp, Offset: 032E0000, based on PE: true

Associated: 00000001.00000002.3284856993.00000000032E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284871902.00000000032E1000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284909890.0000000003300000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003301000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003326000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284982008.000000000332A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.000000000334D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.0000000003351000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285065060.0000000003353000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32e0000_Setup.jbxd

Similarity

API ID: String_base::_Xlenstd::_$Exception@8H_prolog3Throw_malloc_memmove_s_strcpy_s_strlenstd::bad_exception::bad_exceptionstd::exception::exception
String ID:
API String ID: 2522624989-0
Opcode ID: fe8e75c277d2ea1da79e49261b579d00df3cd4d9762c9e58963531edccd901d1
Instruction ID: 1ab3b9bdfb199e249ee4de3c0399a8c7ea0d0b4cf575e9c2fa532ba11580088c
Opcode Fuzzy Hash: fe8e75c277d2ea1da79e49261b579d00df3cd4d9762c9e58963531edccd901d1
Instruction Fuzzy Hash: C5A189B1D01624DFDB14CF99C9C06ADFBB5FF49310F24862AD825AB791D370A981CB91

Function 033324F8 Relevance: 12.2, APIs: 8, Instructions: 246COMMON

Download Yara Rule

APIs

std::exception::exception.LIBCMT ref: 03332536

Part of subcall function 03334142: _strlen.LIBCMT ref: 03334167
Part of subcall function 03334142: _malloc.LIBCMT ref: 03334170
Part of subcall function 03334142: _strcpy_s.LIBCMT ref: 03334183

std::_String_base::_Xlen.LIBCPMT ref: 0333258A

Part of subcall function 0334464D: __EH_prolog3.LIBCMT ref: 03344654
Part of subcall function 0334464D: std::bad_exception::bad_exception.LIBCMT ref: 03344671
Part of subcall function 0334464D: __CxxThrowException@8.LIBCMT ref: 0334467F
Part of subcall function 0334464D: std::_String_base::_Xlen.LIBCPMT ref: 03344693

std::_String_base::_Xlen.LIBCPMT ref: 033327B0
_memmove_s.LIBCMT ref: 03332801

Memory Dump Source

Source File: 00000001.00000002.3284995073.000000000332B000.00000008.00000001.01000000.00000007.sdmp, Offset: 032E0000, based on PE: true

Associated: 00000001.00000002.3284856993.00000000032E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284871902.00000000032E1000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284909890.0000000003300000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003301000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003326000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284982008.000000000332A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.000000000334D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.0000000003351000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285065060.0000000003353000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32e0000_Setup.jbxd

Similarity

API ID: String_base::_Xlenstd::_$Exception@8H_prolog3Throw_malloc_memmove_s_strcpy_s_strlenstd::bad_exception::bad_exceptionstd::exception::exception
String ID:
API String ID: 2522624989-0
Opcode ID: c87e9bfbf445b2889df612498e064b3cab1a95bf9bb2b03ba29958dbb9ad3a83
Instruction ID: 606b5f76a7262a4c500ee62d858742e761d5b85804cfdb824ec3dbb4b3d68699
Opcode Fuzzy Hash: c87e9bfbf445b2889df612498e064b3cab1a95bf9bb2b03ba29958dbb9ad3a83
Instruction Fuzzy Hash: 1FA18CB5D00608DFDB14CF99C9C06AEFBB5FF4A310F158A19E825AB795C370AA41CB91

Function 03332878 Relevance: 12.2, APIs: 8, Instructions: 244COMMON

Download Yara Rule

APIs

std::exception::exception.LIBCMT ref: 033328B3

Part of subcall function 03334142: _strlen.LIBCMT ref: 03334167
Part of subcall function 03334142: _malloc.LIBCMT ref: 03334170
Part of subcall function 03334142: _strcpy_s.LIBCMT ref: 03334183

std::_String_base::_Xlen.LIBCPMT ref: 03332907

Part of subcall function 0334464D: __EH_prolog3.LIBCMT ref: 03344654
Part of subcall function 0334464D: std::bad_exception::bad_exception.LIBCMT ref: 03344671
Part of subcall function 0334464D: __CxxThrowException@8.LIBCMT ref: 0334467F
Part of subcall function 0334464D: std::_String_base::_Xlen.LIBCPMT ref: 03344693

std::_String_base::_Xlen.LIBCPMT ref: 03332B24
_memmove_s.LIBCMT ref: 03332B75

Memory Dump Source

Source File: 00000001.00000002.3284995073.000000000332B000.00000008.00000001.01000000.00000007.sdmp, Offset: 032E0000, based on PE: true

Associated: 00000001.00000002.3284856993.00000000032E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284871902.00000000032E1000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284909890.0000000003300000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003301000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003326000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284982008.000000000332A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.000000000334D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.0000000003351000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285065060.0000000003353000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32e0000_Setup.jbxd

Similarity

API ID: String_base::_Xlenstd::_$Exception@8H_prolog3Throw_malloc_memmove_s_strcpy_s_strlenstd::bad_exception::bad_exceptionstd::exception::exception
String ID:
API String ID: 2522624989-0
Opcode ID: 17ab6ec55b1381511fdeecb981a6c949840359bed8370a787b6c81133726ba2f
Instruction ID: d02bb65842b124a7dab43e1cbe438fda6929787f5a0f0ac72982801823df1e0c
Opcode Fuzzy Hash: 17ab6ec55b1381511fdeecb981a6c949840359bed8370a787b6c81133726ba2f
Instruction Fuzzy Hash: 37A1BDB1D00608DFDB14CF98C9C06AEFBB5FF4A310F248A19D825AB781C770A941CB91

Function 032A32D0 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 249COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 032A32E7

Strings

RemainingTime, xrefs: 032B04A4
Speed, xrefs: 032B0536
Unknown, xrefs: 032B04DF
MB/s, xrefs: 032B057E
KB/s, xrefs: 032B05BD

Memory Dump Source

Source File: 00000001.00000002.3284733718.00000000032A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 032A0000, based on PE: true

Associated: 00000001.00000002.3284715490.00000000032A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3284805123.00000000032CD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3284826114.00000000032D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3284842277.00000000032D8000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32a0000_Setup.jbxd

Similarity

API ID: CountTick
String ID: KB/s$MB/s$RemainingTime$Speed$Unknown
API String ID: 536389180-3641574352
Opcode ID: dbc71091fbeee7694be0a7a6359b72351a3324dfc584fce13c41c878ec44f6b7
Instruction ID: ccd32182abdd32456313fbcbfc6b83b0e7a77d166f2533a52f1e5ed03b8f28ae
Opcode Fuzzy Hash: dbc71091fbeee7694be0a7a6359b72351a3324dfc584fce13c41c878ec44f6b7
Instruction Fuzzy Hash: 4DA1E075928780AFC310EF28C84574BFBF4FB89750F148A6DE59487291DB75E448CBA2

Function 03334E6B Relevance: 10.7, APIs: 7, Instructions: 189COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 03334ECD
_memcpy_s.LIBCMT ref: 03334F42
__fileno.LIBCMT ref: 03334FA2
__read.LIBCMT ref: 03334FA9
__filbuf.LIBCMT ref: 03334FCD
_memset.LIBCMT ref: 03335013
_memset.LIBCMT ref: 0333503E

Part of subcall function 03336B5E: __getptd_noexit.LIBCMT ref: 03336B5E

Memory Dump Source

Source File: 00000001.00000002.3284995073.000000000332B000.00000008.00000001.01000000.00000007.sdmp, Offset: 032E0000, based on PE: true

Associated: 00000001.00000002.3284856993.00000000032E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284871902.00000000032E1000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284909890.0000000003300000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003301000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003326000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284982008.000000000332A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.000000000334D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.0000000003351000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285065060.0000000003353000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32e0000_Setup.jbxd

Similarity

API ID: _memset$__filbuf__fileno__getptd_noexit__read_memcpy_s
String ID:
API String ID: 3886058894-0
Opcode ID: 29b7815f290794bf8614741f0df8be23acd1fd0c42835c38043041d4e8a94126
Instruction ID: b570a87e514d4f0152098cebfff4348dfd3aad3d2bffe1c5793e11886700789c
Opcode Fuzzy Hash: 29b7815f290794bf8614741f0df8be23acd1fd0c42835c38043041d4e8a94126
Instruction Fuzzy Hash: 08518071901305EFDB20DFAA8CC45AEBBB9EF83320F18C669F42596190D7759A51CB90

Function 032B5AA3 Relevance: 10.6, APIs: 7, Instructions: 137COMMON

Download Yara Rule

APIs

____lc_handle_func.LIBCMT ref: 032B5AD4
____lc_codepage_func.LIBCMT ref: 032B5ADC
__GetLocaleForCP.LIBCPMT ref: 032B5B05
MultiByteToWideChar.KERNEL32(?,00000009,?,00000002,?,00000000), ref: 032B5B3A
___pctype_func.LIBCMT ref: 032B5B6D
MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,?,00000000), ref: 032B5BD0
MultiByteToWideChar.KERNEL32(?,00000009,?,00000001,?,00000000), ref: 032B5C01

Memory Dump Source

Source File: 00000001.00000002.3284733718.00000000032A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 032A0000, based on PE: true

Associated: 00000001.00000002.3284715490.00000000032A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3284805123.00000000032CD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3284826114.00000000032D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3284842277.00000000032D8000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32a0000_Setup.jbxd

Similarity

API ID: ByteCharMultiWide$Locale____lc_codepage_func____lc_handle_func___pctype_func
String ID:
API String ID: 291276006-0
Opcode ID: 31ec7feee80d33d9b3756002b8128e9e6467401e2a483f67b065fc0e02a26a79
Instruction ID: 5bdc634e4cf1abdbbc2032708ce8107489e82557550f07186426f4737d11a72b
Opcode Fuzzy Hash: 31ec7feee80d33d9b3756002b8128e9e6467401e2a483f67b065fc0e02a26a79
Instruction Fuzzy Hash: D8418E71134346EEDB21DF349C84BEA7BB8AF02391F28846AF8559E191EBB0D5D1CB50

Function 032AF010 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 94COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 032AF03B
std::_Lockit::_Lockit.LIBCPMT ref: 032AF061
__CxxThrowException@8.LIBCMT ref: 032AF0F5
std::_Lockit::_Lockit.LIBCPMT ref: 032AF10A
std::locale::facet::facet_Register.LIBCPMT ref: 032AF127

Strings

bad cast, xrefs: 032AF0DD

Memory Dump Source

Source File: 00000001.00000002.3284733718.00000000032A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 032A0000, based on PE: true

Associated: 00000001.00000002.3284715490.00000000032A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3284805123.00000000032CD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3284826114.00000000032D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3284842277.00000000032D8000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32a0000_Setup.jbxd

Similarity

API ID: LockitLockit::_std::_$Exception@8RegisterThrowstd::locale::facet::facet_
String ID: bad cast
API String ID: 1988240374-3145022300
Opcode ID: b17e89dddcc53d76e46e6eda2913290d26a2be38034078fa371cf5b1196d6e24
Instruction ID: c1c4e43500309dc1aa9dd411097effeb39d0e3183d1631793a5a5c109db2de2f
Opcode Fuzzy Hash: b17e89dddcc53d76e46e6eda2913290d26a2be38034078fa371cf5b1196d6e24
Instruction Fuzzy Hash: 06310535925B009FC710EF18E940B9AB3F4FF45720F64865DE4669B280DBB4A8C5CF82

Function 032FF280 Relevance: 10.6, APIs: 7, Instructions: 93synchronizationCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00000000,032FF3A1), ref: 032FF2E8
SetCurrentDirectoryA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,032FF3A1), ref: 032FF30D

Part of subcall function 032E3DBC: CreateThread.KERNEL32(0000000C,00000000,032E3D84,00000000,FFFFFFFF,?), ref: 032E3DF2

GetTickCount.KERNEL32 ref: 032FF329
GetTickCount.KERNEL32 ref: 032FF33A
WaitForSingleObject.KERNEL32(0334EDAA,00000001,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,032FF3A1), ref: 032FF354
CloseHandle.KERNEL32(00000000,00000000,00000001,0334EDAA,00000001,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,032FF3A1), ref: 032FF363
SetCurrentDirectoryA.KERNEL32(00000000,00000000,00000000,00000001,0334EDAA,00000001,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,032FF3A1), ref: 032FF379

Memory Dump Source

Source File: 00000001.00000002.3284871902.00000000032E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 032E0000, based on PE: true

Associated: 00000001.00000002.3284856993.00000000032E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284909890.0000000003300000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003301000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003326000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284982008.000000000332A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284995073.000000000332B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.000000000334D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.0000000003351000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285065060.0000000003353000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32e0000_Setup.jbxd

Similarity

API ID: CountCreateCurrentDirectoryTick$CloseEventHandleObjectSingleThreadWait
String ID:
API String ID: 1408681843-0
Opcode ID: 7593c2b6caa53ec22af4d006f3b99f3c3e3580d5602a33620ee611ca87d34356
Instruction ID: 8cd14801a1fce90c37369ecf2b1aaa15204f2e9d15d0455725a351e464f059db
Opcode Fuzzy Hash: 7593c2b6caa53ec22af4d006f3b99f3c3e3580d5602a33620ee611ca87d34356
Instruction Fuzzy Hash: A631857CA243499FDB00EFB4C982B9DB7F8EF49300F904465E614DB355DBB4A9818B60

Function 032A8710 Relevance: 10.6, APIs: 7, Instructions: 57windowCOMMON

Download Yara Rule

APIs

EndDialog.USER32(?,?), ref: 032A8733
LoadIconW.USER32(00000000,00007F03), ref: 032A8751
GetDlgItem.USER32(?,000003EB), ref: 032A876D
SendMessageW.USER32(00000000), ref: 032A8770
GetDlgItem.USER32(?,00000005), ref: 032A878B
ShowWindow.USER32(00000000), ref: 032A878E
GetDlgItem.USER32(?,000003E9), ref: 032A87A2

Memory Dump Source

Source File: 00000001.00000002.3284733718.00000000032A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 032A0000, based on PE: true

Associated: 00000001.00000002.3284715490.00000000032A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3284805123.00000000032CD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3284826114.00000000032D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3284842277.00000000032D8000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32a0000_Setup.jbxd

Similarity

API ID: Item$DialogIconLoadMessageSendShowWindow
String ID:
API String ID: 1615092200-0
Opcode ID: cc10a0687271e971a675c6c62f494eca2fd07849f39c699c3b936e8bbeef2f06
Instruction ID: 2aee0d108ba8a070ad36a8ba68103a48d0b40732ec0b5a9504b4c7147f50def1
Opcode Fuzzy Hash: cc10a0687271e971a675c6c62f494eca2fd07849f39c699c3b936e8bbeef2f06
Instruction Fuzzy Hash: A9118EB9A50711AFE701EF28EC4DF6B7BA9EB84B02F048559F540972C4C7B49841CA60

Function 032EEDAC Relevance: 9.2, APIs: 3, Strings: 2, Instructions: 431COMMON

Download Yara Rule

Strings

ERROR_INIT_LOW_MEM, xrefs: 032EEE0F
ERROR_INIT_CANT_GET_MEM, xrefs: 032EEE4D

Memory Dump Source

Source File: 00000001.00000002.3284871902.00000000032E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 032E0000, based on PE: true

Associated: 00000001.00000002.3284856993.00000000032E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284909890.0000000003300000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003301000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003326000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284982008.000000000332A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284995073.000000000332B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.000000000334D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.0000000003351000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285065060.0000000003353000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32e0000_Setup.jbxd

Similarity

API ID: Message
String ID: ERROR_INIT_CANT_GET_MEM$ERROR_INIT_LOW_MEM
API String ID: 2030045667-2903222832
Opcode ID: efb909bf8a49cc3c34a05a3bf57baaa78d6297b158ab202aacdda5215a3bcdb9
Instruction ID: ae5d4f93e3122ec2b3fd802be2f2c6590a1b8b0674e1509b64e4cd98657ca91c
Opcode Fuzzy Hash: efb909bf8a49cc3c34a05a3bf57baaa78d6297b158ab202aacdda5215a3bcdb9
Instruction Fuzzy Hash: BA027979A243498FD710FF68E88278A7BF9FB09300F4545A9D404DB354EBB4AAC58B91

Function 032E1A38 Relevance: 9.1, APIs: 6, Instructions: 62COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.KERNEL32(0334E5B8,00000000,032E1B0E), ref: 032E1A65
LocalFree.KERNEL32(00903A88,00000000,032E1B0E), ref: 032E1A77
VirtualFree.KERNEL32(?,00000000,00008000,00903A88,00000000,032E1B0E), ref: 032E1A96
LocalFree.KERNEL32(00904A88,?,00000000,00008000,00903A88,00000000,032E1B0E), ref: 032E1AD5
RtlLeaveCriticalSection.KERNEL32(0334E5B8,032E1B15,00903A88,00000000,032E1B0E), ref: 032E1AFE
RtlDeleteCriticalSection.KERNEL32(0334E5B8,032E1B15,00903A88,00000000,032E1B0E), ref: 032E1B08

Memory Dump Source

Source File: 00000001.00000002.3284871902.00000000032E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 032E0000, based on PE: true

Associated: 00000001.00000002.3284856993.00000000032E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284909890.0000000003300000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003301000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003326000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284982008.000000000332A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284995073.000000000332B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.000000000334D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.0000000003351000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285065060.0000000003353000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32e0000_Setup.jbxd

Similarity

API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
String ID:
API String ID: 3782394904-0
Opcode ID: ea8303839f7e6fc3a7974f41ba9c08519209e5c3fb6565bc1ee3c4318735b949
Instruction ID: f77ecfa572b02f928ace20e0e9f7f55b29bfb0a949bd1dc5038c1fbbec9343a2
Opcode Fuzzy Hash: ea8303839f7e6fc3a7974f41ba9c08519209e5c3fb6565bc1ee3c4318735b949
Instruction Fuzzy Hash: 7A115B7C3243509EE712EBA8E8C2F2A7799B785700FC844B4E110CAA45EBB4F4E0C764

Function 0333B063 Relevance: 9.0, APIs: 6, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__CreateFrameInfo.LIBCMT ref: 0333B08B

Part of subcall function 03334722: __getptd.LIBCMT ref: 03334730
Part of subcall function 03334722: __getptd.LIBCMT ref: 0333473E

__getptd.LIBCMT ref: 0333B095

Part of subcall function 033379EB: __getptd_noexit.LIBCMT ref: 033379EE
Part of subcall function 033379EB: __amsg_exit.LIBCMT ref: 033379FB

__getptd.LIBCMT ref: 0333B0A3
__getptd.LIBCMT ref: 0333B0B1
__getptd.LIBCMT ref: 0333B0BC
_CallCatchBlock2.LIBCMT ref: 0333B0E2

Part of subcall function 033347C7: __CallSettingFrame@12.LIBCMT ref: 03334813

Part of subcall function 0333B189: __getptd.LIBCMT ref: 0333B198
Part of subcall function 0333B189: __getptd.LIBCMT ref: 0333B1A6

Memory Dump Source

Source File: 00000001.00000002.3284995073.000000000332B000.00000008.00000001.01000000.00000007.sdmp, Offset: 032E0000, based on PE: true

Associated: 00000001.00000002.3284856993.00000000032E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284871902.00000000032E1000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284909890.0000000003300000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003301000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003326000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284982008.000000000332A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.000000000334D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.0000000003351000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285065060.0000000003353000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32e0000_Setup.jbxd

Similarity

API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
String ID:
API String ID: 1602911419-0
Opcode ID: 06ad7a965adb6f883dee5109cdba05eab2519535018c520ffd6577e0b79d518e
Instruction ID: 5008d65dcbd9ab7062112307ff933054ff17fee754492ed937cebb526f0a9436
Opcode Fuzzy Hash: 06ad7a965adb6f883dee5109cdba05eab2519535018c520ffd6577e0b79d518e
Instruction Fuzzy Hash: 9911D4B5D11309EFDB00EFA5D885AEDBBB0FF0A310F10C169E855AB260DB399A119F50

Function 032B1440 Relevance: 9.0, APIs: 6, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 032B1458
GetParent.USER32(?), ref: 032B146C
MapWindowPoints.USER32(00000000,00000000), ref: 032B1471
GetParent.USER32(?), ref: 032B1484
RedrawWindow.USER32(00000000), ref: 032B1487
SendMessageW.USER32(?,0000000C,00000000,?), ref: 032B14A2

Memory Dump Source

Source File: 00000001.00000002.3284733718.00000000032A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 032A0000, based on PE: true

Associated: 00000001.00000002.3284715490.00000000032A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3284805123.00000000032CD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3284826114.00000000032D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3284842277.00000000032D8000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32a0000_Setup.jbxd

Similarity

API ID: Window$Parent$MessagePointsRectRedrawSend
String ID:
API String ID: 4113075923-0
Opcode ID: 59b3bd022349275bb7c84882bc54a6e2abc01d15054e61a7a07f609b6f4c923f
Instruction ID: d5e7b482220c3fe41c84811dca485b88cfe610393720e3ec3f7e58a85c486ce2
Opcode Fuzzy Hash: 59b3bd022349275bb7c84882bc54a6e2abc01d15054e61a7a07f609b6f4c923f
Instruction Fuzzy Hash: 63019E72524300BFE300EB14DC4DFAFBBB8EB85B41F848518F64456090C3B4A694CBA2

Function 032E53E5 Relevance: 9.0, APIs: 6, Instructions: 41threadCOMMON

Download Yara Rule

APIs

Part of subcall function 032E3174: GetKeyboardType.USER32(00000000), ref: 032E3179
Part of subcall function 032E3174: GetKeyboardType.USER32(00000001), ref: 032E3185

GetCommandLineA.KERNEL32 ref: 032E544B
GetVersion.KERNEL32 ref: 032E545F
GetVersion.KERNEL32 ref: 032E5470
GetCurrentThreadId.KERNEL32 ref: 032E54AC

Part of subcall function 032E31A4: RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 032E31C6
Part of subcall function 032E31A4: RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,032E3215,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 032E31F9
Part of subcall function 032E31A4: RegCloseKey.ADVAPI32(?,032E321C,00000000,?,00000004,00000000,032E3215,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 032E320F

GetThreadLocale.KERNEL32 ref: 032E548C

Part of subcall function 032E531C: GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,032E5382), ref: 032E5342

Memory Dump Source

Source File: 00000001.00000002.3284871902.00000000032E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 032E0000, based on PE: true

Associated: 00000001.00000002.3284856993.00000000032E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284909890.0000000003300000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003301000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003326000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284982008.000000000332A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284995073.000000000332B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.000000000334D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.0000000003351000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285065060.0000000003353000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32e0000_Setup.jbxd

Similarity

API ID: KeyboardLocaleThreadTypeVersion$CloseCommandCurrentInfoLineOpenQueryValue
String ID:
API String ID: 3734044017-0
Opcode ID: 2c4c6291b4ab47bdc2caef7b9c5e8fb214321fbc9dd88ad4b25edaa0f9ba5c86
Instruction ID: 6d3e881cd4a8d0ced1ebdbe08dbab12034da7ac9b3862b226ebf7073fb039d37
Opcode Fuzzy Hash: 2c4c6291b4ab47bdc2caef7b9c5e8fb214321fbc9dd88ad4b25edaa0f9ba5c86
Instruction Fuzzy Hash: F801E1AD83039299EB10FFB2E5873583AA4BF02309FD44469C1504F259EFBCB1D48B66

Function 032B15A0 Relevance: 9.0, APIs: 6, Instructions: 36windowCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 032B15A4
SetWindowLongW.USER32(?,000000F0,00000000), ref: 032B15BA
SendMessageW.USER32(?,0000040A,00000001,0000001E), ref: 032B15CA
SendMessageW.USER32(?,0000040A,00000000,00000000), ref: 032B15DE
SetWindowLongW.USER32(?,000000F0,00000000), ref: 032B15EB
RedrawWindow.USER32(?,00000000,00000000,00000301), ref: 032B15FB

Memory Dump Source

Source File: 00000001.00000002.3284733718.00000000032A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 032A0000, based on PE: true

Associated: 00000001.00000002.3284715490.00000000032A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3284805123.00000000032CD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3284826114.00000000032D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3284842277.00000000032D8000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32a0000_Setup.jbxd

Similarity

API ID: Window$Long$MessageSend$Redraw
String ID:
API String ID: 3943020483-0
Opcode ID: 3e5fd54bf440ce1e0ddd48f1be8c31d034bc0538bcb97b1e9a1542d7df6b093b
Instruction ID: 3a21c0d0d946689c35d0e079a0f438aee62ece77d68eea5f7e466edd90cb1bb9
Opcode Fuzzy Hash: 3e5fd54bf440ce1e0ddd48f1be8c31d034bc0538bcb97b1e9a1542d7df6b093b
Instruction Fuzzy Hash: 07F0A7715D822076E72162157C8DFEB6E259F56F73F228224F715780C8CBE424429269

Function 032F270C Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 140COMMON

Download Yara Rule

Strings

SREP, xrefs: 032F2783, 032F27D4
-mem, xrefs: 032F2822
[EXTERNAL COMPRESSOR:, xrefs: 032F276E, 032F2868
UNPACKCMD, xrefs: 032F27C0

Memory Dump Source

Source File: 00000001.00000002.3284871902.00000000032E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 032E0000, based on PE: true

Associated: 00000001.00000002.3284856993.00000000032E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284909890.0000000003300000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003301000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003326000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284982008.000000000332A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284995073.000000000332B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.000000000334D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.0000000003351000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285065060.0000000003353000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32e0000_Setup.jbxd

Similarity

API ID: FileSize
String ID: -mem$SREP$UNPACKCMD$[EXTERNAL COMPRESSOR:
API String ID: 3433856609-1097106456
Opcode ID: 98f75b9aa57309aceb04a1ca295efd327687592f31e4b31580934f6728ac560d
Instruction ID: 209c04f52b05d1826de10708346aa0fd1bd4011989922b940b8bed387b575106
Opcode Fuzzy Hash: 98f75b9aa57309aceb04a1ca295efd327687592f31e4b31580934f6728ac560d
Instruction Fuzzy Hash: 4A41303CE20349EFDB04EBA9D88199DF7B9EF56204FA444B1D500AB214D7B0AEC68760

Function 032E31A4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 49registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 032E31C6
RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,032E3215,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 032E31F9
RegCloseKey.ADVAPI32(?,032E321C,00000000,?,00000004,00000000,032E3215,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 032E320F

Strings

FPUMaskValue, xrefs: 032E31F0
SOFTWARE\Borland\Delphi\RTL, xrefs: 032E31BC

Memory Dump Source

Source File: 00000001.00000002.3284871902.00000000032E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 032E0000, based on PE: true

Associated: 00000001.00000002.3284856993.00000000032E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284909890.0000000003300000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003301000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003326000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284982008.000000000332A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284995073.000000000332B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.000000000334D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.0000000003351000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285065060.0000000003353000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32e0000_Setup.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
API String ID: 3677997916-4173385793
Opcode ID: d751d60c18bcb966fd5390743ab0ff5d22dc8cedc18e4eb43cc801de68bdd96a
Instruction ID: 2c8caf6117aa824271cf28556279420572c994ed6d5a7a10757c922531368fa4
Opcode Fuzzy Hash: d751d60c18bcb966fd5390743ab0ff5d22dc8cedc18e4eb43cc801de68bdd96a
Instruction Fuzzy Hash: D701F57DA50319BDDB10EBA0DD43BED73ACDB04700F9000A1BA14D7980E2B49A50C764

Function 032E2774 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

GetCurrentDirectoryA.KERNEL32(00000105,?,?,?,032EB245,032FA8FB,00000000,032FB374,?,00000000,032FB41A,?,?,?,?,0000000E), ref: 032E27A6
SetCurrentDirectoryA.KERNEL32(?,00000105,?,?,?,032EB245,032FA8FB,00000000,032FB374,?,00000000,032FB41A), ref: 032E27AC
GetCurrentDirectoryA.KERNEL32(00000105,?,?,?,032EB245,032FA8FB,00000000,032FB374,?,00000000,032FB41A,?,?,?,?,0000000E), ref: 032E27BB
SetCurrentDirectoryA.KERNEL32(?,00000105,?,?,?,032EB245,032FA8FB,00000000,032FB374,?,00000000,032FB41A), ref: 032E27CC

Strings

:, xrefs: 032E278F

Memory Dump Source

Source File: 00000001.00000002.3284871902.00000000032E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 032E0000, based on PE: true

Associated: 00000001.00000002.3284856993.00000000032E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284909890.0000000003300000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003301000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003326000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284982008.000000000332A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284995073.000000000332B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.000000000334D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.0000000003351000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285065060.0000000003353000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32e0000_Setup.jbxd

Similarity

API ID: CurrentDirectory
String ID: :
API String ID: 1611563598-336475711
Opcode ID: c627e86cb2ec5ea083eff430f5e1f8d58ab591babd4287b9326feab0596f6461
Instruction ID: 757b124dd517b721681b3738f4e404ed707f5787f452088fd56c043f6008aaed
Opcode Fuzzy Hash: c627e86cb2ec5ea083eff430f5e1f8d58ab591babd4287b9326feab0596f6461
Instruction Fuzzy Hash: B8F0966A2547815ED310F668C852BDB72DC8F55300F884839AAD8CB381E6F495945763

Function 0333ADB2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 0333ADCC

Part of subcall function 033379EB: __getptd_noexit.LIBCMT ref: 033379EE
Part of subcall function 033379EB: __amsg_exit.LIBCMT ref: 033379FB

__getptd.LIBCMT ref: 0333ADDD
__getptd.LIBCMT ref: 0333ADEB

Strings

csm, xrefs: 0333ADC5
MOC, xrefs: 0333ADBE

Memory Dump Source

Source File: 00000001.00000002.3284995073.000000000332B000.00000008.00000001.01000000.00000007.sdmp, Offset: 032E0000, based on PE: true

Associated: 00000001.00000002.3284856993.00000000032E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284871902.00000000032E1000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284909890.0000000003300000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003301000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003326000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284982008.000000000332A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.000000000334D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.0000000003351000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285065060.0000000003353000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32e0000_Setup.jbxd

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: MOC$csm
API String ID: 803148776-1389381023
Opcode ID: 055a1f1dfd3ed6d90cc8dfbc9d8aab609767594ae75624c8f107fbb13f58b35e
Instruction ID: 236f4aa4288cb48469d8a9659c0f5781bca955ed18776b495c0c0db3ee4bfaa3
Opcode Fuzzy Hash: 055a1f1dfd3ed6d90cc8dfbc9d8aab609767594ae75624c8f107fbb13f58b35e
Instruction Fuzzy Hash: 27E04F755212048FC710EB65C4D5FA93398EF4B315F1982A1D44CCF632DB34D8909B42

Function 032F98B0 Relevance: 7.7, APIs: 5, Instructions: 159synchronizationCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00000000,032F9A9D), ref: 032F9902

Part of subcall function 032E3DBC: CreateThread.KERNEL32(0000000C,00000000,032E3D84,00000000,FFFFFFFF,?), ref: 032E3DF2

GetTickCount.KERNEL32 ref: 032F996D
GetTickCount.KERNEL32 ref: 032F998D
WaitForSingleObject.KERNEL32(00000000,00000001,033005EC,00000000,00000000,00000000,00000000,00000000,00000000,00000000,032F9A9D), ref: 032F9A52
CloseHandle.KERNEL32(00000000,00000000,00000001), ref: 032F9A6A

Memory Dump Source

Source File: 00000001.00000002.3284871902.00000000032E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 032E0000, based on PE: true

Associated: 00000001.00000002.3284856993.00000000032E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284909890.0000000003300000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003301000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003326000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284982008.000000000332A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284995073.000000000332B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.000000000334D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.0000000003351000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285065060.0000000003353000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32e0000_Setup.jbxd

Similarity

API ID: CountCreateTick$CloseEventHandleObjectSingleThreadWait
String ID:
API String ID: 3294806482-0
Opcode ID: 1416c6ec59492750e78a6e272bc4ec52fc6cbc151e6f5f8a87a17a20169a1965
Instruction ID: 1481354c8b713f5d79ede7b56f86431b1ef2bd9bb41e27b90b59e8401d844e35
Opcode Fuzzy Hash: 1416c6ec59492750e78a6e272bc4ec52fc6cbc151e6f5f8a87a17a20169a1965
Instruction Fuzzy Hash: 5451F478720245DFD705EFA8D9C1B5AB7E9AB8E300F508565EA04DB3A5CBB0BD80CB50

Function 032E98E2 Relevance: 7.6, APIs: 5, Instructions: 109COMMON

Download Yara Rule

APIs

Part of subcall function 032E876C: GetSysColor.USER32(80000008), ref: 032E8776

SetTextColor.GDI32(?), ref: 032E9909
SetBkMode.GDI32(?,00000001), ref: 032E9919
GetStockObject.GDI32(00000005), ref: 032E9920
SetBkMode.GDI32(?,00000002), ref: 032E9938
SetBkColor.GDI32(?), ref: 032E9941

Memory Dump Source

Source File: 00000001.00000002.3284871902.00000000032E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 032E0000, based on PE: true

Associated: 00000001.00000002.3284856993.00000000032E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284909890.0000000003300000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003301000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003326000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284982008.000000000332A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284995073.000000000332B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.000000000334D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.0000000003351000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285065060.0000000003353000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32e0000_Setup.jbxd

Similarity

API ID: Color$Mode$ObjectStockText
String ID:
API String ID: 2759950171-0
Opcode ID: c725ca9b60b0037b8a5a6ad6ef8977c35c86672448e2dc7870fa9522d4f2c83a
Instruction ID: 40ab85c434897a65c74e5174e647c5085e8c0934c765eb5362561b458cd7ad8b
Opcode Fuzzy Hash: c725ca9b60b0037b8a5a6ad6ef8977c35c86672448e2dc7870fa9522d4f2c83a
Instruction Fuzzy Hash: B731D3352242029FC724EF29DC82BAAB795EF45714FC8447BE4498F652D7A8E8C4C7A0

Function 032F19F4 Relevance: 7.5, APIs: 5, Instructions: 49threadsynchronizationCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,032F197C,?,00000000,00000000), ref: 032F1A2B
WaitForSingleObject.KERNEL32(00000000,00000064,00000000,?,032F1B52,00000000,NUL,80000000,00000000,00000000,00000003,00000000,00000000,00000000,032F1B94), ref: 032F1A39
GetExitCodeThread.KERNEL32(00000000,?,00000000,00000064,00000000,?,032F1B52,00000000,NUL,80000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 032F1A4E
TerminateThread.KERNEL32(00000000,00000000,00000000,00000064,00000000,?,032F1B52,00000000,NUL,80000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 032F1A6E
CloseHandle.KERNEL32(00000000,00000000,?,00000000,00000064,00000000,?,032F1B52,00000000,NUL,80000000,00000000,00000000,00000003,00000000,00000000), ref: 032F1A74

Memory Dump Source

Source File: 00000001.00000002.3284871902.00000000032E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 032E0000, based on PE: true

Associated: 00000001.00000002.3284856993.00000000032E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284909890.0000000003300000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003301000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003326000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284982008.000000000332A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284995073.000000000332B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.000000000334D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.0000000003351000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285065060.0000000003353000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32e0000_Setup.jbxd

Similarity

API ID: Thread$CloseCodeCreateExitHandleObjectSingleTerminateWait
String ID:
API String ID: 2622483971-0
Opcode ID: 164b191f6472822cf98e3c33b7427829b3f5468637186e980b76c5b4875854b5
Instruction ID: 4fbaa1d7a0ec9fb98ebd87b5aec3f22f1bdd1cd707725e4a5dbb3b57715d89c8
Opcode Fuzzy Hash: 164b191f6472822cf98e3c33b7427829b3f5468637186e980b76c5b4875854b5
Instruction Fuzzy Hash: 2001D679734305BEE210F6748C92BAAA18C8F41714F904635B7459E2C1D9F4DAE082A6

Function 032B6997 Relevance: 7.5, APIs: 5, Instructions: 44memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 032B69B5

Part of subcall function 032BD3B9: __mtinitlocknum.LIBCMT ref: 032BD3CD
Part of subcall function 032BD3B9: __amsg_exit.LIBCMT ref: 032BD3D9
Part of subcall function 032BD3B9: EnterCriticalSection.KERNEL32(80BE00F4,80BE00F4,032B636D,032C33DA,00000004,032D0F18,0000000C,032B9186,00000000,00000000,00000000,00000000,00000000,032BA7A8,00000001,00000214), ref: 032BD3E1

___sbh_find_block.LIBCMT ref: 032B69C0
___sbh_free_block.LIBCMT ref: 032B69CF
HeapFree.KERNEL32(00000000,032BA7A8,032D0AB0,0000000C,032BD39A,00000000,032D0D18,0000000C,032BD3D2,032BA7A8,80BE00F4,032B636D,032C33DA,00000004,032D0F18,0000000C), ref: 032B69FF
GetLastError.KERNEL32(?,00000000), ref: 032B6A10

Memory Dump Source

Source File: 00000001.00000002.3284733718.00000000032A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 032A0000, based on PE: true

Associated: 00000001.00000002.3284715490.00000000032A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3284805123.00000000032CD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3284826114.00000000032D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3284842277.00000000032D8000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32a0000_Setup.jbxd

Similarity

API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2714421763-0
Opcode ID: 77adc7cba6dcd1db3aaa348ffe81e027c09b7cd8fb0a1bb4d8cc609c4d0114ec
Instruction ID: de452716fa9a6b40b40b70513f4d1fd0e1bc0af4ceeabdd165ce44ba0a259a3f
Opcode Fuzzy Hash: 77adc7cba6dcd1db3aaa348ffe81e027c09b7cd8fb0a1bb4d8cc609c4d0114ec
Instruction Fuzzy Hash: 97016235921352EADF20FFB5A809BDDBBB4AF017E0F24C165E514AE080DBB499C0CA64

Function 032E8C4F Relevance: 7.5, APIs: 5, Instructions: 40COMMON

Download Yara Rule

APIs

SetBkMode.GDI32(?,00000002), ref: 032E8C6B

Part of subcall function 032E876C: GetSysColor.USER32(80000008), ref: 032E8776

SetBkColor.GDI32(?,00000000), ref: 032E8C7D
SetBrushOrgEx.GDI32(?,00000000,00000000,00000000,?,00000000,?,00000002), ref: 032E8C88
GetClientRect.USER32(?), ref: 032E8C94
FillRect.USER32(?,?,00000000), ref: 032E8CA6

Memory Dump Source

Source File: 00000001.00000002.3284871902.00000000032E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 032E0000, based on PE: true

Associated: 00000001.00000002.3284856993.00000000032E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284909890.0000000003300000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003301000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003326000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284982008.000000000332A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284995073.000000000332B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.000000000334D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.0000000003351000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285065060.0000000003353000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32e0000_Setup.jbxd

Similarity

API ID: ColorRect$BrushClientFillMode
String ID:
API String ID: 3196769796-0
Opcode ID: 1f2132cb4dd6715a134208097379451d51e09ead2c14e08053c28ddede7d9fbd
Instruction ID: 6a9c0e1bf03cd7f79f584b8df7f4e7b8239bcc0e26eda85f8d9e2831e03dc2be
Opcode Fuzzy Hash: 1f2132cb4dd6715a134208097379451d51e09ead2c14e08053c28ddede7d9fbd
Instruction Fuzzy Hash: 38F030786313042AFB15F6389CC2A7B666DDB83614F9444A8F9008D156DAA5CCC65172

Function 032A1F10 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 227COMMON

Download Yara Rule

Strings

HEAD, xrefs: 032A20E9
Initializing..., xrefs: 032A1F83
Getting file information..., xrefs: 032A202C

Memory Dump Source

Source File: 00000001.00000002.3284733718.00000000032A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 032A0000, based on PE: true

Associated: 00000001.00000002.3284715490.00000000032A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3284805123.00000000032CD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3284826114.00000000032D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3284842277.00000000032D8000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32a0000_Setup.jbxd

Similarity

API ID: Message$Peek$DispatchErrorInternetLastOpenTranslate
String ID: Getting file information...$HEAD$Initializing...
API String ID: 112184695-2928475931
Opcode ID: c35646d914628e87f6a9d5096f91975e8f7ed25650f6452816152b198b857cbd
Instruction ID: 66eb29b3061bcdf497ecfc554422b51c2ab73edf7bd064f30bbfc643b94a730a
Opcode Fuzzy Hash: c35646d914628e87f6a9d5096f91975e8f7ed25650f6452816152b198b857cbd
Instruction Fuzzy Hash: 2591DE35920B45DFCB14EF6CC88079ABBB1EF44320F18869DD9249B282DB75E985CBD1

Function 032AFF00 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 182windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000402,?,00000000), ref: 032B0038
PostMessageW.USER32(?,00000402,?,00000000), ref: 032B0165

Strings

TotalProgressBar, xrefs: 032AFFCF
FileProgressBar, xrefs: 032B00F8

Memory Dump Source

Source File: 00000001.00000002.3284733718.00000000032A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 032A0000, based on PE: true

Associated: 00000001.00000002.3284715490.00000000032A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3284805123.00000000032CD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3284826114.00000000032D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3284842277.00000000032D8000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32a0000_Setup.jbxd

Similarity

API ID: MessagePost
String ID: FileProgressBar$TotalProgressBar
API String ID: 410705778-679699356
Opcode ID: 8d3d8744790dabe6c43141826a73c966b1eeb67462514947791ed69facfd1221
Instruction ID: 709c9716feec62a6fc92a742fa302efdb1ade27e4a0cfd4c459d63b20b05c79d
Opcode Fuzzy Hash: 8d3d8744790dabe6c43141826a73c966b1eeb67462514947791ed69facfd1221
Instruction Fuzzy Hash: 607148B1928780DBC304DFA5D99565BFBE5FB84750F108D2DF8A1863A0DBB9D884CB42

Function 032FA65C Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 159threadCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(00000000), ref: 032FA7EB
RtlExitUserThread.KERNEL32(00000000,00000000), ref: 032FA7FB

Strings

-dp, xrefs: 032FA728
-o+, xrefs: 032FA7C7

Memory Dump Source

Source File: 00000001.00000002.3284871902.00000000032E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 032E0000, based on PE: true

Associated: 00000001.00000002.3284856993.00000000032E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284909890.0000000003300000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003301000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003326000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284982008.000000000332A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284995073.000000000332B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.000000000334D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.0000000003351000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285065060.0000000003353000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32e0000_Setup.jbxd

Similarity

API ID: EventExitThreadUser
String ID: -dp$-o+
API String ID: 1637606900-145574227
Opcode ID: 1c0d416c9f18127f1018f7a7760b95cd9d8c3f8ab2f1ebde8adc68b2b20431b9
Instruction ID: 8c66ab49efc38f15c985547d6700712cc40ec3eb3ac691b5128c468c506b17d6
Opcode Fuzzy Hash: 1c0d416c9f18127f1018f7a7760b95cd9d8c3f8ab2f1ebde8adc68b2b20431b9
Instruction Fuzzy Hash: FC51DA78A202099FDB00DFA9D981ADDB7F9EF49300F544065EA14EB315DBB4AD85CF50

Function 032AA0B0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 109windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000111,00000000), ref: 032B24FE
idpReportError.IDP ref: 032B254F

Strings

InvisibleButton, xrefs: 032B2441, 032B2495
WizardForm, xrefs: 032B24B9

Memory Dump Source

Source File: 00000001.00000002.3284733718.00000000032A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 032A0000, based on PE: true

Associated: 00000001.00000002.3284715490.00000000032A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3284805123.00000000032CD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3284826114.00000000032D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3284842277.00000000032D8000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32a0000_Setup.jbxd

Similarity

API ID: ErrorMessageReportSend
String ID: InvisibleButton$WizardForm
API String ID: 832656352-3077912615
Opcode ID: b94b48a910c2739150ae475fa42510aaaa0610bbade700e5f380895f900d9f09
Instruction ID: a0284cc160966b1b78e5c5a83bfe819d8d4ac418dfa772f3d84ca5d12ac32191
Opcode Fuzzy Hash: b94b48a910c2739150ae475fa42510aaaa0610bbade700e5f380895f900d9f09
Instruction Fuzzy Hash: E841A272528380AFD314DF19C490A5FFBF8EB85B50F440A2EF19147750DBB59484CB92

Function 032B1850 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 108windowCOMMON

Download Yara Rule

APIs

MessageBeep.USER32(00000030), ref: 032B1976
GetDesktopWindow.USER32 ref: 032B1985
DialogBoxParamW.USER32(?,00000065,00000000,032A8710,00000000), ref: 032B199C

Strings

LabelFont, xrefs: 032B18A1

Memory Dump Source

Source File: 00000001.00000002.3284733718.00000000032A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 032A0000, based on PE: true

Associated: 00000001.00000002.3284715490.00000000032A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3284805123.00000000032CD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3284826114.00000000032D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3284842277.00000000032D8000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32a0000_Setup.jbxd

Similarity

API ID: BeepDesktopDialogMessageParamWindow
String ID: LabelFont
API String ID: 2847301737-2346607873
Opcode ID: e61bf066f41be7bbbd9188fbabab0567981072234a7dace591c902a545942c1a
Instruction ID: 9a19b191dc5347bc781bd33e8b039d6c4207c23bf97209a22ce3632be4f2d4c9
Opcode Fuzzy Hash: e61bf066f41be7bbbd9188fbabab0567981072234a7dace591c902a545942c1a
Instruction Fuzzy Hash: 1E417F755287809FD320EB68D895B9BBBE8EF89740F40891DF19987241EBB49448CB62

Function 032F1A84 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 98fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(NUL,80000000,00000000,00000000,00000003,00000000,00000000,00000000,032F1B94), ref: 032F1AC8

Part of subcall function 032F1944: NtQuerySystemInformation.NTDLL(00000010,?,00010000,00000000), ref: 032F1967

GetCurrentProcessId.KERNEL32(NUL,80000000,00000000,00000000,00000003,00000000,00000000,00000000,032F1B94), ref: 032F1AEC
CloseHandle.KERNEL32(00000000,NUL,80000000,00000000,00000000,00000003,00000000,00000000,00000000,032F1B94), ref: 032F1B22

Strings

NUL, xrefs: 032F1AC3

Memory Dump Source

Source File: 00000001.00000002.3284871902.00000000032E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 032E0000, based on PE: true

Associated: 00000001.00000002.3284856993.00000000032E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284909890.0000000003300000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003301000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003326000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284982008.000000000332A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284995073.000000000332B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.000000000334D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.0000000003351000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285065060.0000000003353000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32e0000_Setup.jbxd

Similarity

API ID: CloseCreateCurrentFileHandleInformationProcessQuerySystem
String ID: NUL
API String ID: 1181397567-1038343538
Opcode ID: 442f77ce436021310744dcde7fb3fdcb4824fad510382814ecc1241a53cdedb4
Instruction ID: f3751254b0e5752a87f552e9645ca12bda7db302f827f528568510a385ce24b5
Opcode Fuzzy Hash: 442f77ce436021310744dcde7fb3fdcb4824fad510382814ecc1241a53cdedb4
Instruction Fuzzy Hash: CA31C434620609DFDB21DB64C991BAEF7B5EF45310FE44671D650EB291E370B9A0C7A0

Function 032F9768 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 73threadCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(00000000,00000000,032F985B,?,?,00000000,00000000,00000000), ref: 032F982B
RtlExitUserThread.KERNEL32(00000000,00000000,00000000,032F985B,?,?,00000000,00000000,00000000), ref: 032F983B

Part of subcall function 032EEC74: MessageBoxW.USER32(00000000,00000000,?,ISDone.dll), ref: 032EECCD

Strings

ERROR_PARSE_OUTPUTPATH, xrefs: 032F9814
ERROR_PARSE_FILENOTFOUND, xrefs: 032F97D5

Memory Dump Source

Source File: 00000001.00000002.3284871902.00000000032E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 032E0000, based on PE: true

Associated: 00000001.00000002.3284856993.00000000032E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284909890.0000000003300000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003301000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003326000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284982008.000000000332A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284995073.000000000332B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.000000000334D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.0000000003351000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285065060.0000000003353000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32e0000_Setup.jbxd

Similarity

API ID: EventExitMessageThreadUser
String ID: ERROR_PARSE_FILENOTFOUND$ERROR_PARSE_OUTPUTPATH
API String ID: 1341493344-2761232906
Opcode ID: 3fbef423580136e57e7e0e2c3bde8479fbc031a4394df67c5501fba7fe69748e
Instruction ID: 22a259ae770281a37442cef10a845f71e4feda1e28c3deb5f908b50f8df9cb27
Opcode Fuzzy Hash: 3fbef423580136e57e7e0e2c3bde8479fbc031a4394df67c5501fba7fe69748e
Instruction Fuzzy Hash: 38213D3C624244AFD711EB68E491B59B7F9EB8A700F9441A1EA019F399CBB0BDC1CB51

Function 032ABD60 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 57windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 032ABD8B
GetModuleHandleW.KERNEL32(wininet.dll,00000000,00000400,?,00000400,00000000,?,?,?), ref: 032ABDB8
FormatMessageW.KERNEL32(00001200,00000000,00000000,00000400,?,00000400,00000000,?,?,?), ref: 032ABDD8

Strings

wininet.dll, xrefs: 032ABDB3

Memory Dump Source

Source File: 00000001.00000002.3284733718.00000000032A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 032A0000, based on PE: true

Associated: 00000001.00000002.3284715490.00000000032A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3284805123.00000000032CD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3284826114.00000000032D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3284842277.00000000032D8000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32a0000_Setup.jbxd

Similarity

API ID: FormatHandleMessageModule_memset
String ID: wininet.dll
API String ID: 528496211-3354682871
Opcode ID: 495fc233d9c16b1a358f2de36b087b803574eeb61c08a188ea791cf49248c5d9
Instruction ID: da797def7c6192f3c05de40a5e22af2725d9360028faca3aa4368eafadd7c0b8
Opcode Fuzzy Hash: 495fc233d9c16b1a358f2de36b087b803574eeb61c08a188ea791cf49248c5d9
Instruction Fuzzy Hash: 2D1182B4254345AFE360DB04DC05FAB77A5FF85744F44891CF6899A1C0DBB0A548CBD6

Function 0344105C Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 40threadCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 03441073
GetWindowThreadProcessId.USER32(?,?), ref: 03441083
GetClassNameW.USER32(?,?,0000000D), ref: 03441090

Strings

TApplication, xrefs: 03441067

Memory Dump Source

Source File: 00000001.00000002.3285141160.0000000003441000.00000020.00000001.01000000.00000008.sdmp, Offset: 03440000, based on PE: true

Associated: 00000001.00000002.3285127498.0000000003440000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.3285154439.0000000003442000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3440000_Setup.jbxd

Similarity

API ID: Process$ClassCurrentNameThreadWindow
String ID: TApplication
API String ID: 1921375019-233325798
Opcode ID: c65ea94db6495a2b26732269e9220f32f957794a2bfe571247a28a304602074e
Instruction ID: c5756fa2ba4521221ea0442240343efe2de025a03c804422be627527e8e28266
Opcode Fuzzy Hash: c65ea94db6495a2b26732269e9220f32f957794a2bfe571247a28a304602074e
Instruction Fuzzy Hash: F4F06D36900208ABEB10EB91E804AAE77B8EB44755F004536FA01BE144D7B49505CBA1

Function 032C4BE5 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(KERNEL32,032BB354), ref: 032C4BEA
GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 032C4BFA

Strings

KERNEL32, xrefs: 032C4BE5
IsProcessorFeaturePresent, xrefs: 032C4BF4

Memory Dump Source

Source File: 00000001.00000002.3284733718.00000000032A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 032A0000, based on PE: true

Associated: 00000001.00000002.3284715490.00000000032A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3284805123.00000000032CD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3284826114.00000000032D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3284842277.00000000032D8000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32a0000_Setup.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: IsProcessorFeaturePresent$KERNEL32
API String ID: 1646373207-3105848591
Opcode ID: 37519507c163bb79213dc839082d21aed34054a9eaaebb18241e1bee98cae6ff
Instruction ID: 65bc1e45d525c4e411ca5646193fcf9ad1ded0fb46f4c290871c3035da76bad2
Opcode Fuzzy Hash: 37519507c163bb79213dc839082d21aed34054a9eaaebb18241e1bee98cae6ff
Instruction Fuzzy Hash: 29F0D634A30949D2DF117BA1BD1E76FBA78BB80746F424694D195A0088DF7190F4D291

Function 032F6088 Relevance: 6.5, Strings: 5, Instructions: 241COMMON

Download Yara Rule

Strings

BUTTON_OK, xrefs: 032F62B5
MS Sans Serif, xrefs: 032F613A
BUTTON_CANCEL, xrefs: 032F62FD
BROWSE_TITLE, xrefs: 032F60C1
BROWSE_LABEL, xrefs: 032F6179

Memory Dump Source

Source File: 00000001.00000002.3284871902.00000000032E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 032E0000, based on PE: true

Associated: 00000001.00000002.3284856993.00000000032E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284909890.0000000003300000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003301000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003326000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284982008.000000000332A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284995073.000000000332B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.000000000334D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.0000000003351000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285065060.0000000003353000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32e0000_Setup.jbxd

Similarity

API ID: TextWindow$FocusLengthMessageSend
String ID: BROWSE_LABEL$BROWSE_TITLE$BUTTON_CANCEL$BUTTON_OK$MS Sans Serif
API String ID: 3276316715-3196092134
Opcode ID: 1b00ef80fc766455eb23379f10f999a93c0abe2ab8faad01b1bf684bd1cfa74c
Instruction ID: 8b3b4861d6587ddcfbec0b12c9f2f844726d4340800131445dda64f86ac1545f
Opcode Fuzzy Hash: 1b00ef80fc766455eb23379f10f999a93c0abe2ab8faad01b1bf684bd1cfa74c
Instruction Fuzzy Hash: 92912F3CA202488BDB00FBA4D481A9DB7FAFF49340FA18575D540AF358DBB5AD85CB60

Function 03335324 Relevance: 6.1, APIs: 4, Instructions: 137COMMON

Download Yara Rule

APIs

__flush.LIBCMT ref: 033353E8
__fileno.LIBCMT ref: 03335408
__locking.LIBCMT ref: 0333540F
__flsbuf.LIBCMT ref: 0333543A

Part of subcall function 03336B5E: __getptd_noexit.LIBCMT ref: 03336B5E

Part of subcall function 03335762: __decode_pointer.LIBCMT ref: 0333576D

Memory Dump Source

Source File: 00000001.00000002.3284995073.000000000332B000.00000008.00000001.01000000.00000007.sdmp, Offset: 032E0000, based on PE: true

Associated: 00000001.00000002.3284856993.00000000032E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284871902.00000000032E1000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284909890.0000000003300000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003301000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003326000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284982008.000000000332A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.000000000334D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.0000000003351000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285065060.0000000003353000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32e0000_Setup.jbxd

Similarity

API ID: __decode_pointer__fileno__flsbuf__flush__getptd_noexit__locking
String ID:
API String ID: 3240763771-0
Opcode ID: a6c0f83b5d4224a8cb1c321d851ee7d48bfc1dc65ba7fb677e7a87d8b4502eee
Instruction ID: c72559c46aaf6ef9ff793b313c6726c8dd5d9ee536233d705925878e5ac4061e
Opcode Fuzzy Hash: a6c0f83b5d4224a8cb1c321d851ee7d48bfc1dc65ba7fb677e7a87d8b4502eee
Instruction Fuzzy Hash: 9841A571A00704EBEB29CF6A8CC469EF7B5EF83321F2CC569E46697540D7B0DA818B41

Function 032FD7C8 Relevance: 6.1, APIs: 4, Instructions: 115threadCOMMON

Download Yara Rule

APIs

CharToOemA.USER32(00000000,?), ref: 032FD7E3
OemToCharA.USER32(0334FA54,0334FA54), ref: 032FD881
SetEvent.KERNEL32(00000000), ref: 032FD929
RtlExitUserThread.KERNEL32(00000000,00000000), ref: 032FD939

Memory Dump Source

Source File: 00000001.00000002.3284871902.00000000032E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 032E0000, based on PE: true

Associated: 00000001.00000002.3284856993.00000000032E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284909890.0000000003300000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003301000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003326000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284982008.000000000332A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284995073.000000000332B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.000000000334D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.0000000003351000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285065060.0000000003353000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32e0000_Setup.jbxd

Similarity

API ID: Char$EventExitThreadUser
String ID:
API String ID: 2900883078-0
Opcode ID: 82afb2bb6c66b49ad908a6547a695d8497f3c01913f06995fea94dc2a0ced2e8
Instruction ID: 4094f53c8e438c2c67df72087dfdce827cb1a0f460853b168372c8bd73643249
Opcode Fuzzy Hash: 82afb2bb6c66b49ad908a6547a695d8497f3c01913f06995fea94dc2a0ced2e8
Instruction Fuzzy Hash: A041EA786242809FD711EB6CE8C4B55B7ECAB4A714F0440A1EA44CB36ACFF5BC85CB61

Function 032F5650 Relevance: 6.1, APIs: 4, Instructions: 112COMMON

Download Yara Rule

APIs

GetCursor.USER32 ref: 032F567D
LoadCursorA.USER32(00000000,00007F02), ref: 032F569A
SetCursor.USER32(00000000,00000000,00007F02,00000000,032F578C), ref: 032F56A0
SetCursor.USER32(?,032F5793,00000000,032F578C), ref: 032F577E

Memory Dump Source

Source File: 00000001.00000002.3284871902.00000000032E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 032E0000, based on PE: true

Associated: 00000001.00000002.3284856993.00000000032E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284909890.0000000003300000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003301000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003326000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284982008.000000000332A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284995073.000000000332B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.000000000334D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.0000000003351000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285065060.0000000003353000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32e0000_Setup.jbxd

Similarity

API ID: Cursor$Load
String ID:
API String ID: 1675784387-0
Opcode ID: 7d8df5740f2fdd2d6e88c807f54c0ae72afea79adc50509e9dbb2e9c44b199a1
Instruction ID: f4443bc7e22714fa18bd1d46ba6ea186330bff8dde42657543d6b6f7a0d7e5ef
Opcode Fuzzy Hash: 7d8df5740f2fdd2d6e88c807f54c0ae72afea79adc50509e9dbb2e9c44b199a1
Instruction Fuzzy Hash: 3E410C78A14208DFCB04DF99C59199EFBF5EF89710F6081A5D904AB355D770EE81CBA0

Function 032C59E3 Relevance: 6.1, APIs: 4, Instructions: 101COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 032C5A13
__isleadbyte_l.LIBCMT ref: 032C5A47
MultiByteToWideChar.KERNEL32(840FFFF8,00000009,?,A045FF98,?,00000000,?,?,?,032BBEA8,?,?,00000002), ref: 032C5A78
MultiByteToWideChar.KERNEL32(840FFFF8,00000009,?,00000001,?,00000000,?,?,?,032BBEA8,?,?,00000002), ref: 032C5AE6

Memory Dump Source

Source File: 00000001.00000002.3284733718.00000000032A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 032A0000, based on PE: true

Associated: 00000001.00000002.3284715490.00000000032A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3284805123.00000000032CD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3284826114.00000000032D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3284842277.00000000032D8000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32a0000_Setup.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: e2339ea8552c4c17fa7684414a123ac57748a0f17c591a4bbbb8fc2ee1b6eaf0
Instruction ID: 412fa0c6e0988599866447c4baf6baa03a13b5688d4cf873400f58c3931a9108
Opcode Fuzzy Hash: e2339ea8552c4c17fa7684414a123ac57748a0f17c591a4bbbb8fc2ee1b6eaf0
Instruction Fuzzy Hash: A33193315302D6EFDB10DFA6C8C49A97BB5BF06311F2886ADE4568B191E330E9C0CB91

Function 032B5270 Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

FtpGetFileSize.WININET(?,?), ref: 032B528B
HttpQueryInfoW.WININET(?,20000005,?,?,?), ref: 032B52CC
InternetCloseHandle.WININET(?), ref: 032B52F8
InternetCloseHandle.WININET(?), ref: 032B530F

Memory Dump Source

Source File: 00000001.00000002.3284733718.00000000032A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 032A0000, based on PE: true

Associated: 00000001.00000002.3284715490.00000000032A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3284805123.00000000032CD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3284826114.00000000032D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3284842277.00000000032D8000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32a0000_Setup.jbxd

Similarity

API ID: CloseHandleInternet$FileHttpInfoQuerySize
String ID:
API String ID: 3196265937-0
Opcode ID: aa5bf117e3e8d4d6f6fabf4f4509ea5a56941ad6c773dcda6b093a13733a3342
Instruction ID: 8a583e5ee13b8a3f0b475e652aef074c5521dc5a722ac0506f5a8fa9a9f67cd8
Opcode Fuzzy Hash: aa5bf117e3e8d4d6f6fabf4f4509ea5a56941ad6c773dcda6b093a13733a3342
Instruction Fuzzy Hash: 7B1166716107029FE310DF7AD884BA7B7E9FBC8764F544A2DE9A9C2240D774A6098B21

Function 032A1E00 Relevance: 6.1, APIs: 4, Instructions: 60networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,?,?,00000000,00000000), ref: 032A1E55
InternetSetOptionW.WININET(00000000,00000002,000000FE,00000004), ref: 032A1E81
InternetSetOptionW.WININET(00000000,00000005,000000FE,00000004), ref: 032A1E9B
InternetSetOptionW.WININET(00000000,00000006,?,00000004), ref: 032A1EB5

Memory Dump Source

Source File: 00000001.00000002.3284733718.00000000032A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 032A0000, based on PE: true

Associated: 00000001.00000002.3284715490.00000000032A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3284805123.00000000032CD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3284826114.00000000032D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3284842277.00000000032D8000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32a0000_Setup.jbxd

Similarity

API ID: Internet$Option$Open
String ID:
API String ID: 1764825000-0
Opcode ID: dbd189614730f8f4dacbea1c182991aca9e14256613beb1ed5d94b50ba9b23c4
Instruction ID: 3ea21fbe771fba3f0bc9eed5f240728550539fec66cf0e16d2980ef8331fac8b
Opcode Fuzzy Hash: dbd189614730f8f4dacbea1c182991aca9e14256613beb1ed5d94b50ba9b23c4
Instruction Fuzzy Hash: 97112971650F42EBD734CA78DD09FA3F3E8BB84761F444A2CA2A6961C0D7B4B495CB50

Function 0333AAD2 Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 0333AAF8

Part of subcall function 0333A91D: __fltout2.LIBCMT ref: 0333A949

__cftog_l.LIBCMT ref: 0333AB1E
__cftoe_l.LIBCMT ref: 0333AB50

Memory Dump Source

Source File: 00000001.00000002.3284995073.000000000332B000.00000008.00000001.01000000.00000007.sdmp, Offset: 032E0000, based on PE: true

Associated: 00000001.00000002.3284856993.00000000032E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284871902.00000000032E1000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284909890.0000000003300000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003301000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003326000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284982008.000000000332A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.000000000334D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.0000000003351000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285065060.0000000003353000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32e0000_Setup.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction ID: bac42c8d21e0608958c4444f807e436bce001d7a52c923d1bd98c0fa03ebea2c
Opcode Fuzzy Hash: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction Fuzzy Hash: 0311893641014EBBCF129F84CC85CEE3F67BB0A250B49C516FAA859030D336C9B1EB81

Function 032C4AD9 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 032C4AFD

Part of subcall function 032C4928: __fltout2.LIBCMT ref: 032C4952

__cftog_l.LIBCMT ref: 032C4B23
__cftoe_l.LIBCMT ref: 032C4B55

Memory Dump Source

Source File: 00000001.00000002.3284733718.00000000032A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 032A0000, based on PE: true

Associated: 00000001.00000002.3284715490.00000000032A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3284805123.00000000032CD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3284826114.00000000032D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3284842277.00000000032D8000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32a0000_Setup.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: 7ea3a893bf3bd11cad7cd0372379ff1f7e327c259811a7a92178e9d3a0fb71f7
Instruction ID: 78bff4cdcd71fd34b8be6c1016b613da2e62522471313754e7b920f579ce037b
Opcode Fuzzy Hash: 7ea3a893bf3bd11cad7cd0372379ff1f7e327c259811a7a92178e9d3a0fb71f7
Instruction Fuzzy Hash: 1201833642018ABBCF13AE85CC11CEE7F22BF1C251B498619FE1859030D372C5B1AB81

Function 032E1974 Relevance: 6.0, APIs: 4, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

RtlInitializeCriticalSection.KERNEL32(0334E5B8,00000000,032E1A2A,?,?,032E220E,?,?,?,?,?,032E1BFD,032E1E43,032E1E68), ref: 032E198A
RtlEnterCriticalSection.KERNEL32(0334E5B8,0334E5B8,00000000,032E1A2A,?,?,032E220E,?,?,?,?,?,032E1BFD,032E1E43,032E1E68), ref: 032E199D
LocalAlloc.KERNEL32(00000000,00000FF8,0334E5B8,00000000,032E1A2A,?,?,032E220E,?,?,?,?,?,032E1BFD,032E1E43,032E1E68), ref: 032E19C7
RtlLeaveCriticalSection.KERNEL32(0334E5B8,032E1A31,00000000,032E1A2A,?,?,032E220E,?,?,?,?,?,032E1BFD,032E1E43,032E1E68), ref: 032E1A24

Memory Dump Source

Source File: 00000001.00000002.3284871902.00000000032E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 032E0000, based on PE: true

Associated: 00000001.00000002.3284856993.00000000032E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284909890.0000000003300000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003301000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003326000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284982008.000000000332A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284995073.000000000332B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.000000000334D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.0000000003351000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285065060.0000000003353000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32e0000_Setup.jbxd

Similarity

API ID: CriticalSection$AllocEnterInitializeLeaveLocal
String ID:
API String ID: 730355536-0
Opcode ID: 56e3175f58c17d93764f71329dd01b2bd4b7f970c0da5838f6773e0f84c090cd
Instruction ID: 950ca77472acb09ed4b11694dfdede6a5e2f2c97c259cbe65d7558e182214f01
Opcode Fuzzy Hash: 56e3175f58c17d93764f71329dd01b2bd4b7f970c0da5838f6773e0f84c090cd
Instruction Fuzzy Hash: 3301A1786643609EE716FF69D48676C76D9F786700FC444B5E0208AA81DBB8B4E0C715

Function 032BE0F7 Relevance: 6.0, APIs: 4, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 032BA7F6: __getptd_noexit.LIBCMT ref: 032BA7F7
Part of subcall function 032BA7F6: __amsg_exit.LIBCMT ref: 032BA804

__amsg_exit.LIBCMT ref: 032BE123
__lock.LIBCMT ref: 032BE133
InterlockedDecrement.KERNEL32(?), ref: 032BE150
InterlockedIncrement.KERNEL32(03371398), ref: 032BE17B

Memory Dump Source

Source File: 00000001.00000002.3284733718.00000000032A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 032A0000, based on PE: true

Associated: 00000001.00000002.3284715490.00000000032A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3284805123.00000000032CD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3284826114.00000000032D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3284842277.00000000032D8000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32a0000_Setup.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd_noexit__lock
String ID:
API String ID: 2880340415-0
Opcode ID: 4beba42b3f55ad2224ed763c2ce581b5c71598847c9a3ab8d9736c70e124a4dc
Instruction ID: 930ba3f20e41adab3a69f6168d2d6e4504a76c9cec06a4c844bc31ad2c9ab63e
Opcode Fuzzy Hash: 4beba42b3f55ad2224ed763c2ce581b5c71598847c9a3ab8d9736c70e124a4dc
Instruction Fuzzy Hash: 5C016139E31712ABCA11FF69B4487DDF7B0AF04B90F2A8505D9506B280CB7469C1CBD1

Function 032B5FCE Relevance: 6.0, APIs: 4, Instructions: 38threadCOMMON

Download Yara Rule

APIs

Part of subcall function 032BAE7A: _doexit.LIBCMT ref: 032BAE82

___set_flsgetvalue.LIBCMT ref: 032B5FDA

Part of subcall function 032BA63F: TlsGetValue.KERNEL32(032BA782,?,00000000), ref: 032BA645
Part of subcall function 032BA63F: __decode_pointer.LIBCMT ref: 032BA655
Part of subcall function 032BA63F: TlsSetValue.KERNEL32(00000000,00000000), ref: 032BA662

Part of subcall function 032BA624: TlsGetValue.KERNEL32(?,032B5FEA,00000000,?), ref: 032BA62E

__freefls@4.LIBCMT ref: 032B6025

Part of subcall function 032BA669: __decode_pointer.LIBCMT ref: 032BA677

GetLastError.KERNEL32(00000000,?,00000000,?), ref: 032B6001
ExitThread.KERNEL32 ref: 032B6008

Memory Dump Source

Source File: 00000001.00000002.3284733718.00000000032A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 032A0000, based on PE: true

Associated: 00000001.00000002.3284715490.00000000032A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3284805123.00000000032CD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3284826114.00000000032D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3284842277.00000000032D8000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32a0000_Setup.jbxd

Similarity

API ID: Value$__decode_pointer$ErrorExitLastThread___set_flsgetvalue__freefls@4_doexit
String ID:
API String ID: 297350007-0
Opcode ID: 8cba7fdb54fd30ce3d5524019b341d08fb9266a8eecd6de922164afa293df1c2
Instruction ID: facc567a1ae01b33342e422e97a9153dc1a1c13a46a2534080b227023887c683
Opcode Fuzzy Hash: 8cba7fdb54fd30ce3d5524019b341d08fb9266a8eecd6de922164afa293df1c2
Instruction Fuzzy Hash: E30181B9830301DFDB14FFA9E90899EBBB5EF58380F24C86599149B111DB74C8C3CA50

Function 032A3550 Relevance: 6.0, APIs: 4, Instructions: 36windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 032A356F
TranslateMessage.USER32(?), ref: 032A3584
DispatchMessageW.USER32(?), ref: 032A3587
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 032A3592

Memory Dump Source

Source File: 00000001.00000002.3284733718.00000000032A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 032A0000, based on PE: true

Associated: 00000001.00000002.3284715490.00000000032A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3284805123.00000000032CD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3284826114.00000000032D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3284842277.00000000032D8000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32a0000_Setup.jbxd

Similarity

API ID: Message$Peek$DispatchTranslate
String ID:
API String ID: 1795658109-0
Opcode ID: 370ede295d8471886c384263ac9dbafca751cda75a1b8f417472da9ce18a1122
Instruction ID: 008ae6152bbe28dcfbf52f81f41b6ff1526b5a761b9ba6c6932c87f339679f7c
Opcode Fuzzy Hash: 370ede295d8471886c384263ac9dbafca751cda75a1b8f417472da9ce18a1122
Instruction Fuzzy Hash: 70F02B73391B1537F321A11D7C45F9AA34C5F89F44F190420F300760C0C6C3B58141B8

Function 033376AE Relevance: 6.0, APIs: 4, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 033376BA

Part of subcall function 033379EB: __getptd_noexit.LIBCMT ref: 033379EE
Part of subcall function 033379EB: __amsg_exit.LIBCMT ref: 033379FB

__getptd.LIBCMT ref: 033376D1
__amsg_exit.LIBCMT ref: 033376DF
__lock.LIBCMT ref: 033376EF

Memory Dump Source

Source File: 00000001.00000002.3284995073.000000000332B000.00000008.00000001.01000000.00000007.sdmp, Offset: 032E0000, based on PE: true

Associated: 00000001.00000002.3284856993.00000000032E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284871902.00000000032E1000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284909890.0000000003300000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003301000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003326000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284982008.000000000332A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.000000000334D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.0000000003351000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285065060.0000000003353000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32e0000_Setup.jbxd

Similarity

API ID: __amsg_exit__getptd$__getptd_noexit__lock
String ID:
API String ID: 3521780317-0
Opcode ID: 8767784f65c09e5b7aca874e9a6a5877172cc99f11b132a491deb8a573c32d08
Instruction ID: da9dea96996f4531f84c61bb539916d8b6b452889a8887b813019b9e9ba8230b
Opcode Fuzzy Hash: 8767784f65c09e5b7aca874e9a6a5877172cc99f11b132a491deb8a573c32d08
Instruction Fuzzy Hash: 9EF090B9D91B049BEB20FB7889D1B5972A06B03760F14C259D4416FAE0CB749901CFA1

Function 032B5F51 Relevance: 6.0, APIs: 4, Instructions: 24threadCOMMON

Download Yara Rule

APIs

Part of subcall function 032BAB92: __FindPESection.LIBCMT ref: 032BABB9

__getptd_noexit.LIBCMT ref: 032B5F6F
CloseHandle.KERNEL32(?), ref: 032B5F83
__freeptd.LIBCMT ref: 032B5F8A
ExitThread.KERNEL32 ref: 032B5F92

Memory Dump Source

Source File: 00000001.00000002.3284733718.00000000032A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 032A0000, based on PE: true

Associated: 00000001.00000002.3284715490.00000000032A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3284805123.00000000032CD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3284826114.00000000032D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3284842277.00000000032D8000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32a0000_Setup.jbxd

Similarity

API ID: CloseExitFindHandleSectionThread__freeptd__getptd_noexit
String ID:
API String ID: 1479349418-0
Opcode ID: c01f621adbc96e07eaa5e8551cbac9a0ce293816aeab3ae6629c1c7d57939f7d
Instruction ID: 974fb8b8280b3dd4d973cf879afec7fb61b280590f2b2865b2658c053169a494
Opcode Fuzzy Hash: c01f621adbc96e07eaa5e8551cbac9a0ce293816aeab3ae6629c1c7d57939f7d
Instruction Fuzzy Hash: 71E0DF36934A029BD312F6B4686C7AEB678DF023A0B284618E511CD080DB90CC828A91

Function 032A22C0 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 260networkCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 032A237D
InternetCloseHandle.WININET(?), ref: 032A262C

Strings

Starting download..., xrefs: 032A23AB

Memory Dump Source

Source File: 00000001.00000002.3284733718.00000000032A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 032A0000, based on PE: true

Associated: 00000001.00000002.3284715490.00000000032A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3284805123.00000000032CD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3284826114.00000000032D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3284842277.00000000032D8000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32a0000_Setup.jbxd

Similarity

API ID: CloseCountHandleInternetTick
String ID: Starting download...
API String ID: 2686910609-2667269516
Opcode ID: 07e2311feb3b00e9b4a4fcbbe046a34157f41b33c3119e3b967a448c5af83672
Instruction ID: b32e0829ac0cfe59487919fc835eb13fe5b81bd0d042cef5a61b41951029c784
Opcode Fuzzy Hash: 07e2311feb3b00e9b4a4fcbbe046a34157f41b33c3119e3b967a448c5af83672
Instruction Fuzzy Hash: EAA1D674924B42DFC724EF2CC5807AAF7A5BF45714F184A5DE8585F281CBB0A885CBE2

Function 032F3A40 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 032F3A6B
SetWindowTextW.USER32(00000000,00000000), ref: 032F3CF8

Part of subcall function 032E4480: SysFreeString.OLEAUT32(088B90C3), ref: 032E448E

Strings

% , xrefs: 032F3CBF

Memory Dump Source

Source File: 00000001.00000002.3284871902.00000000032E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 032E0000, based on PE: true

Associated: 00000001.00000002.3284856993.00000000032E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284909890.0000000003300000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003301000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003326000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284982008.000000000332A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284995073.000000000332B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.000000000334D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.0000000003351000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285065060.0000000003353000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32e0000_Setup.jbxd

Similarity

API ID: CountFreeStringTextTickWindow
String ID: %
API String ID: 3369429173-1865242995
Opcode ID: 558b43cbe2cacbdb67b685e9ac1cb818d5776ffaac5bc6ab485af59b746d4cb3
Instruction ID: 5b017acbbd58cc1a61578b9612804dd5f836e424c676f5f375070e0a017749f8
Opcode Fuzzy Hash: 558b43cbe2cacbdb67b685e9ac1cb818d5776ffaac5bc6ab485af59b746d4cb3
Instruction Fuzzy Hash: ADA1413DA20209DFDB01EF99D8C1A9DB7BAFF49300F518561E510AB359DB70AD85CB90

Function 032F3D8C Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 216COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 032F3DC4
SetWindowTextW.USER32(00000000,00000000), ref: 032F4008

Part of subcall function 032E4480: SysFreeString.OLEAUT32(088B90C3), ref: 032E448E

Strings

% , xrefs: 032F3FCF

Memory Dump Source

Source File: 00000001.00000002.3284871902.00000000032E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 032E0000, based on PE: true

Associated: 00000001.00000002.3284856993.00000000032E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284909890.0000000003300000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003301000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003326000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284982008.000000000332A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284995073.000000000332B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.000000000334D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.0000000003351000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285065060.0000000003353000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32e0000_Setup.jbxd

Similarity

API ID: CountFreeStringTextTickWindow
String ID: %
API String ID: 3369429173-1865242995
Opcode ID: 221d6c94c21a09f3ab3fc640b364bac584e4ea8386412a153efd9153296ca5cb
Instruction ID: 72246a8d2802abaa4de89e12ed6186c33d016d99a86585b5324baaad9e09e03e
Opcode Fuzzy Hash: 221d6c94c21a09f3ab3fc640b364bac584e4ea8386412a153efd9153296ca5cb
Instruction Fuzzy Hash: DC912B7CA20209DFDB00EF99D8C0A9EB7BAFF49300F508565E514AB355DBB0AD85CB90

Function 032F9544 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 111COMMON

Download Yara Rule

APIs

SetCurrentDirectoryA.KERNEL32(00000000,00000000,032F9715), ref: 032F95B5
SetCurrentDirectoryA.KERNEL32(00000000), ref: 032F9656

Strings

*.*, xrefs: 032F95C0

Memory Dump Source

Source File: 00000001.00000002.3284871902.00000000032E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 032E0000, based on PE: true

Associated: 00000001.00000002.3284856993.00000000032E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284909890.0000000003300000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003301000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003326000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284982008.000000000332A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284995073.000000000332B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.000000000334D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.0000000003351000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285065060.0000000003353000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32e0000_Setup.jbxd

Similarity

API ID: CurrentDirectory
String ID: *.*
API String ID: 1611563598-438819550
Opcode ID: d43022c14715077ead620d0b6c21efe68322fa35ab79d0593f538982037220e4
Instruction ID: b9351095e49b70420f9a52701245bc3a2029c8da13ac89ee190556801f76ae49
Opcode Fuzzy Hash: d43022c14715077ead620d0b6c21efe68322fa35ab79d0593f538982037220e4
Instruction Fuzzy Hash: 79410378920709DFCB14EBA5C986BDDF7B5AF85301F9480E19608AB224D7B1AEC58E40

Function 032A7EF0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 85COMMON

Download Yara Rule

APIs

std::_String_base::_Xlen.LIBCPMT ref: 032A7F56
_memcpy_s.LIBCMT ref: 032A7F91

Strings

HEAD, xrefs: 032A7EF4

Memory Dump Source

Source File: 00000001.00000002.3284733718.00000000032A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 032A0000, based on PE: true

Associated: 00000001.00000002.3284715490.00000000032A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3284805123.00000000032CD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3284826114.00000000032D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3284842277.00000000032D8000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32a0000_Setup.jbxd

Similarity

API ID: String_base::_Xlen_memcpy_sstd::_
String ID: HEAD
API String ID: 923394732-2439387944
Opcode ID: b5cc1276613627c1627e5207af2113ba691652f84a1242925b39b303e8fe5a75
Instruction ID: f1b8b473b637733fdd52111c95153d7e12af8640e01bea587f6ce41645e85efd
Opcode Fuzzy Hash: b5cc1276613627c1627e5207af2113ba691652f84a1242925b39b303e8fe5a75
Instruction Fuzzy Hash: 0B210632730B058B8720DE9CD8C082AF3BBEFD1301754466DE462CB645DB70BA89C7A9

Function 032FDD68 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 39threadCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(00000000), ref: 032FDDC6
RtlExitUserThread.KERNEL32(00000000,00000000), ref: 032FDDD6

Part of subcall function 032EEC74: MessageBoxW.USER32(00000000,00000000,?,ISDone.dll), ref: 032EECCD

Strings

ERROR_XDELTA_GENERAL, xrefs: 032FDDB4

Memory Dump Source

Source File: 00000001.00000002.3284871902.00000000032E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 032E0000, based on PE: true

Associated: 00000001.00000002.3284856993.00000000032E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284909890.0000000003300000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003301000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003326000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284982008.000000000332A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284995073.000000000332B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.000000000334D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.0000000003351000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285065060.0000000003353000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32e0000_Setup.jbxd

Similarity

API ID: EventExitMessageThreadUser
String ID: ERROR_XDELTA_GENERAL
API String ID: 1341493344-543900489
Opcode ID: 4a0f07c94e2c1fa2fd68b8eb3873734fba0839f99cc15aab5c16f2f3b2d1040e
Instruction ID: 70079609bd366c3244ce2f72640824ea040b4026726ff202649f1de57b26a53e
Opcode Fuzzy Hash: 4a0f07c94e2c1fa2fd68b8eb3873734fba0839f99cc15aab5c16f2f3b2d1040e
Instruction Fuzzy Hash: 970149782502449FD245EBADE981B1673E9AB9A700F4480A1F904CB36ACFB1BC408B61

Function 0333B189 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 03334775: __getptd.LIBCMT ref: 0333477B
Part of subcall function 03334775: __getptd.LIBCMT ref: 0333478B

__getptd.LIBCMT ref: 0333B198

Part of subcall function 033379EB: __getptd_noexit.LIBCMT ref: 033379EE
Part of subcall function 033379EB: __amsg_exit.LIBCMT ref: 033379FB

__getptd.LIBCMT ref: 0333B1A6

Strings

csm, xrefs: 0333B1B4

Memory Dump Source

Source File: 00000001.00000002.3284995073.000000000332B000.00000008.00000001.01000000.00000007.sdmp, Offset: 032E0000, based on PE: true

Associated: 00000001.00000002.3284856993.00000000032E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284871902.00000000032E1000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284909890.0000000003300000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003301000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003326000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284982008.000000000332A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.000000000334D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.0000000003351000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285065060.0000000003353000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32e0000_Setup.jbxd

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: csm
API String ID: 803148776-1018135373
Opcode ID: 41ba6205c3135a861abff6b0b366d33342b49d5902cb06ec54cef1370fe79efb
Instruction ID: 048ea3ba484712d7a58d543fa9e47500d3d0c96f181f290a630a4f595503ffeb
Opcode Fuzzy Hash: 41ba6205c3135a861abff6b0b366d33342b49d5902cb06ec54cef1370fe79efb
Instruction Fuzzy Hash: 9B016D3AC013099BCF34DF66C8C5AACF7B9AF02211F58C76DD4825AA61DB308581CF01

Function 032E9568 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 30windowCOMMON

Download Yara Rule

APIs

LoadIconA.USER32(MAINICON), ref: 032E95AF

Part of subcall function 032E9568: CopyImage.USER32(00000000,00000001,00000000,00000000,00000000), ref: 032E9594

Strings

MAINICON, xrefs: 032E95A4

Memory Dump Source

Source File: 00000001.00000002.3284871902.00000000032E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 032E0000, based on PE: true

Associated: 00000001.00000002.3284856993.00000000032E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284909890.0000000003300000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003301000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003326000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284982008.000000000332A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284995073.000000000332B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.000000000334D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.0000000003351000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285065060.0000000003353000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32e0000_Setup.jbxd

Similarity

API ID: CopyIconImageLoad
String ID: MAINICON
API String ID: 2942751960-2283262055
Opcode ID: b33d4087f3b7afd17dab899f8be48d6e5fbb632576ac2e4783b70c0b17dde814
Instruction ID: 60ed215d05bcac353b9bf87a70c684d9c527fec6dbafe6a7437c779e0bdbf3f6
Opcode Fuzzy Hash: b33d4087f3b7afd17dab899f8be48d6e5fbb632576ac2e4783b70c0b17dde814
Instruction Fuzzy Hash: 48E092F42742067EEF19EE505CA387A629DEBC1704BD8407BA5318A105DBADD8C58220

Function 032B5365 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 17COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 032B536C
__CxxThrowException@8.LIBCMT ref: 032B539E

Part of subcall function 032B72FB: RaiseException.KERNEL32(?,?,032B63B9,?,?,?,?,?,032B63B9,?,032D1154,032D5B80), ref: 032B733B

Strings

invalid string position, xrefs: 032B5371

Memory Dump Source

Source File: 00000001.00000002.3284733718.00000000032A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 032A0000, based on PE: true

Associated: 00000001.00000002.3284715490.00000000032A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3284805123.00000000032CD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3284826114.00000000032D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3284842277.00000000032D8000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32a0000_Setup.jbxd

Similarity

API ID: ExceptionException@8H_prolog3RaiseThrow
String ID: invalid string position
API String ID: 1961742612-1799206989
Opcode ID: fa29eb23677935f3fd988597b54e3701b5f627267da650c83ab5d16fa2773080
Instruction ID: 0cba9d6612591f2e527d17006295afa01b00168f38ad1f3fb4ea6532f2e615f5
Opcode Fuzzy Hash: fa29eb23677935f3fd988597b54e3701b5f627267da650c83ab5d16fa2773080
Instruction Fuzzy Hash: F4E0B6799306989FCB00FBD9DC45BDD7778AF54351F400219E200AA485DBF4A5889622

Function 0330C280 Relevance: 5.1, Strings: 4, Instructions: 76COMMON

Download Yara Rule

Strings

E, xrefs: 0330C2C3
&, xrefs: 0330C312
A, xrefs: 0330C301
S, xrefs: 0330C319

Memory Dump Source

Source File: 00000001.00000002.3284922892.0000000003301000.00000008.00000001.01000000.00000007.sdmp, Offset: 032E0000, based on PE: true

Associated: 00000001.00000002.3284856993.00000000032E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284871902.00000000032E1000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284909890.0000000003300000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284922892.0000000003326000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284982008.000000000332A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3284995073.000000000332B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.000000000334D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285037392.0000000003351000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3285065060.0000000003353000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32e0000_Setup.jbxd

Similarity

API ID:
String ID: &$A$E$S
API String ID: 0-2451862443
Opcode ID: 83037f3ebc00f45d9d15811d4521fdcaf87629aafe55e448a22ad99d8973795e
Instruction ID: a1628bbfc16c3965d3fab38d92f5d59cea917d6af64e567a9c707f604ec7b797
Opcode Fuzzy Hash: 83037f3ebc00f45d9d15811d4521fdcaf87629aafe55e448a22ad99d8973795e
Instruction Fuzzy Hash: AA21C931A183825AEB25D6389CE02EEAFCA5BC5214F4C96EED4C4CA5C1C76AE45D8353

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Setup.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

Compliance

Spreading

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\is-L4NFS.tmp\ISDone.dll

C:\Users\user\AppData\Local\Temp\is-L4NFS.tmp\QIcon.ico

C:\Users\user\AppData\Local\Temp\is-L4NFS.tmp\UIcon.ico

C:\Users\user\AppData\Local\Temp\is-L4NFS.tmp\WinTB.dll

C:\Users\user\AppData\Local\Temp\is-L4NFS.tmp\_isetup\_setup64.tmp

C:\Users\user\AppData\Local\Temp\is-L4NFS.tmp\_isetup\_shfoldr.dll

C:\Users\user\AppData\Local\Temp\is-L4NFS.tmp\idp.dll

C:\Users\user\AppData\Local\Temp\is-L4NFS.tmp\image.bmp

C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

UDP Packets

Statistics

CPU Usage

Memory Usage

Windows Analysis Report
Setup.exe

Function 034410C4 Relevance: 3.0, APIs: 2, Instructions: 18
comCOMMON

Function 032E3A98 Relevance: 3.1, APIs: 2, Instructions: 128
COMMON

Function 032BD175 Relevance: 3.0, APIs: 2, Instructions: 28
memoryCOMMONLIBRARYCODE

Function 032E148C Relevance: 2.5, APIs: 2, Instructions: 37
memoryCOMMON

Function 034411CA Relevance: 1.5, APIs: 1, Instructions: 32
COMMON

Function 032E44BC Relevance: 1.5, APIs: 1, Instructions: 14
memoryCOMMON

Function 03441240 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Function 032C0598 Relevance: 66.4, APIs: 44, Instructions: 431
COMMONLIBRARYCODE