Windows Analysis Report
OnLine_Install_Dialog_UI_SSL.exe

Overview

General Information

Sample name: OnLine_Install_Dialog_UI_SSL.exe
Analysis ID: 1432289
MD5: 74db9f552ccae0af3640851c6960f079
SHA1: 44cc1e1e974e90982146719efd496c9721465a4a
SHA256: c5494d160a1b3cdff381623216bdcc8aef9fc5a18565fd1a679a4e2eb8a7c056

Detection

Score: 28
Range: 0 - 100
Whitelisted: false
Confidence: 0%

Signatures

Installs new ROOT certificates
Modifies the windows firewall
PE file has a writeable .text section
Uses netsh to modify the Windows network and firewall settings
Adds / modifies Windows certificates
Allocates memory with a write watch (potentially for evading sandboxes)
Contains capabilities to detect virtual machines
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates files inside the system directory
Creates or modifies windows services
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops certificate files (DER)
Enables debug privileges
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Modifies existing windows services
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Registers a DLL
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Scripting/CommandLine Process Spawned Regsvr32
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Execution From GUID Like Folder Names
Stores files to the Windows start menu directory
Stores large binary data to the registry
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Analysis Advice

Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")
Sample monitors window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook
Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox
Sample has a GUI, but Joe Sandbox has not found any clickable buttons, likely more UI automation may extend behavior
Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior
Sample searches for a specific file, try pointing organization-specific fake files to the analysis machine
Sample has functionality to log and monitor keystrokes, analyze it with the 'Simulates keyboard and window changes' cookbook
  • System is w10x64
  • OnLine_Install_Dialog_UI_SSL.exe (PID: 7532 cmdline: "C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe" MD5: 74DB9F552CCAE0AF3640851C6960F079)
    • setup.exe (PID: 7548 cmdline: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe -package:"C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe" -no_selfdeleter -IS_temp -media_path:"C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\Disk1\" -tempdisk1folder:"C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\" -IS_OriginalLauncher:"C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\Disk1\setup.exe" MD5: 1B3150F66F03B0DA4EFCCDD9F079E5F7)
      • ISBEW64.exe (PID: 7608 cmdline: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{5E314697-D110-4002-B63C-61B432079D77} MD5: 8A1E5A6B1C4E0C7D706EB2B36FA6C8EA)
      • ISBEW64.exe (PID: 7640 cmdline: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{1856CA6F-3A7F-472E-B337-2E3FA07FC85C} MD5: 8A1E5A6B1C4E0C7D706EB2B36FA6C8EA)
      • ISBEW64.exe (PID: 7672 cmdline: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{0F0A08E8-A0D1-45AD-AF2B-F10D703CD02A} MD5: 8A1E5A6B1C4E0C7D706EB2B36FA6C8EA)
      • ISBEW64.exe (PID: 7704 cmdline: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{BAB69511-4FCB-4C17-80A3-43394505337C} MD5: 8A1E5A6B1C4E0C7D706EB2B36FA6C8EA)
      • ISBEW64.exe (PID: 7740 cmdline: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{10BFDE1A-F312-4E1F-BEA2-24F4DCA4D57F} MD5: 8A1E5A6B1C4E0C7D706EB2B36FA6C8EA)
      • ISBEW64.exe (PID: 7784 cmdline: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{54B59A05-F3F9-4E3A-8D72-1C938585C9B4} MD5: 8A1E5A6B1C4E0C7D706EB2B36FA6C8EA)
      • CloseOZWLBridge.exe (PID: 7816 cmdline: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWLBridge.exe MD5: 644CC925D18E5326744499E5560CFC95)
      • CloseOZWebLauncher.exe (PID: 7832 cmdline: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWebLauncher.exe MD5: 40BFA09CEEE186F28232846DA91C5D98)
      • cmd.exe (PID: 396 cmdline: C:\Windows\system32\cmd.exe /c C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\addfirewall.bat /s /v/q MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • netsh.exe (PID: 5820 cmdline: netsh advfirewall firewall add rule name="OZWebLauncherFireWall" dir=in program="C:\Program Files (x86)\Forcs\OZWebLauncher\OZWebLauncher.exe" action=allow MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
        • netsh.exe (PID: 8108 cmdline: netsh advfirewall firewall add rule name="OZWebLauncherUtilFireWall" dir=in program="C:\Program Files (x86)\Forcs\OZWebLauncher\OZWebLauncherUtil.exe" action=allow MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
        • CheckNetIsolation.exe (PID: 8136 cmdline: CheckNetIsolation LoopbackExempt -a -n="Microsoft.MicrosoftEdge_8wekyb3d8bbwe" MD5: 712F673ACF999A475D49976CC0ADE71E)
      • regsvr32.exe (PID: 2196 cmdline: C:\Windows\SysWOW64\regsvr32 /s /uC:\Windows\ZTUACControl.dll MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
      • regsvr32.exe (PID: 5356 cmdline: C:\Windows\SysWOW64\regsvr32 /s C:\Windows\ZTUACControl.dll MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
      • cmd.exe (PID: 1780 cmdline: C:\Windows\system32\cmd.exe /c C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\ZTUACControl.bat /s /v/q MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 5576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • regsvr32.exe (PID: 8088 cmdline: regsvr32 /s c:\Windows\ZTUACControl.dll MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
      • timeout.exe (PID: 7292 cmdline: timeout /t 5 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
        • conhost.exe (PID: 5260 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • timeout.exe (PID: 8188 cmdline: timeout /t 5 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
        • conhost.exe (PID: 7676 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • VSSVC.exe (PID: 7892 cmdline: C:\Windows\system32\vssvc.exe MD5: 875046AD4755396636A68F4A9EDB22A4)
  • svchost.exe (PID: 7936 cmdline: C:\Windows\System32\svchost.exe -k swprv MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • SrTasks.exe (PID: 7708 cmdline: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:1 MD5: 2694D2D28C368B921686FE567BD319EB)
    • conhost.exe (PID: 7704 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • OZWLService.exe (PID: 3548 cmdline: "C:\Program Files (x86)\FORCS\OZWebLauncher\OZWLService.exe" MD5: 3946001DADB4BABAA32C30074AD3525E)
    • OZWebLauncherUtil.exe (PID: 1432 cmdline: "C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe" MD5: 5CAF8DE84007ED7C692891788F10B025)
    • OZWebLauncher.exe (PID: 5428 cmdline: "C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe" MD5: 361BB9069EA7DA381B953A71C0413F05)
  • svchost.exe (PID: 6604 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Process started, Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: regsvr32 /s c:\Windows\ZTUACControl.dll, CommandLine: regsvr32 /s c:\Windows\ZTUACControl.dll, CommandLine|base64offset|contains: ,, Image: C:\Windows\SysWOW64\regsvr32.exe, NewProcessName: C:\Windows\SysWOW64\regsvr32.exe, OriginalFileName: C:\Windows\SysWOW64\regsvr32.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\ZTUACControl.bat /s /v/q, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 1780, ParentProcessName: cmd.exe, ProcessCommandLine: regsvr32 /s c:\Windows\ZTUACControl.dll, ProcessId: 8088, ProcessName: regsvr32.exe
Source: File created, Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe, ProcessId: 7548, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\OZWLBridge.lnk
Source: Process started, Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: C:\Windows\system32\cmd.exe /c C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\addfirewall.bat /s /v/q, CommandLine: C:\Windows\system32\cmd.exe /c C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\addfirewall.bat /s /v/q, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe -package:"C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe" -no_selfdeleter -IS_temp -media_path:"C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\Disk1\" -tempdisk1folder:"C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\" -IS_OriginalLauncher:"C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\Disk1\setup.exe", ParentImage: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe, ParentProcessId: 7548, ParentProcessName: setup.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\addfirewall.bat /s /v/q, ProcessId: 396, ProcessName: cmd.exe
Source: Process started, Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k swprv, CommandLine: C:\Windows\System32\svchost.exe -k swprv, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\System32\svchost.exe -k swprv, ProcessId: 7936, ProcessName: svchost.exe
No Snort rule has matched

Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe, Code function: 0_2_004542BF __EH_prolog3_GS,GetLastError,CryptCreateHash,GetLastError,CryptHashData,CryptHashData,CryptHashData,CryptSignHashW,CryptSignHashW,CryptSignHashW,GetLastError,GetLastError,WriteFile,WriteFile,WriteFile,0_2_004542BF
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe, Code function: 0_2_004546DD __EH_prolog3_GS,CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,CryptHashData,CryptHashData,CryptHashData,GetLastError,_memmove,GetLastError,CryptVerifySignatureW,0_2_004546DD
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe, Code function: 0_2_00454C59 CryptReleaseContext,0_2_00454C59
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe, Code function: 0_2_00454C91 CryptDestroyHash,0_2_00454C91
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe, Code function: 0_2_00454CAB CryptDestroyKey,0_2_00454CAB
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe, Code function: 0_2_00454DDC CryptExportKey,0_2_00454DDC
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe, Code function: 0_2_0045505F CryptGetHashParam,GetLastError,CryptGetHashParam,0_2_0045505F
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe, Code function: 0_2_0045521D CryptHashData,0_2_0045521D
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe, Code function: 0_2_004552A9 CryptImportKey,0_2_004552A9
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe, Code function: 0_2_00455333 __EH_prolog3_GS,CreateFileW,ReadFile,CryptCreateHash,ReadFile,CryptHashData,GetLastError,CryptHashData,GetLastError,CryptDeriveKey,GetLastError,ReadFile,CryptImportKey,GetLastError,GetLastError,0_2_00455333
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe, Code function: 0_2_0045564F CoCreateGuid,StringFromGUID2,_wcsncpy,CryptAcquireContextW,CryptCreateHash,0_2_0045564F
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe, Code function: 0_2_004559DE CryptGetHashParam,GetLastError,0_2_004559DE
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe, Code function: 0_2_004559E0 CryptGetHashParam,GetLastError,CryptSetHashParam,0_2_004559E0
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe, Code function: 0_2_00455A6D CryptAcquireContextW,CryptReleaseContext,CryptDestroyHash,0_2_00455A6D
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe, Code function: 0_2_00455DCC SetFilePointer,CryptSignHashW,GetLastError,CryptSignHashW,WriteFile,WriteFile,WriteFile,SetFilePointer,0_2_00455DCC
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe, Code function: 0_2_00455D9E CryptVerifySignatureW,GetLastError,0_2_00455D9E
Source: OnLine_Install_Dialog_UI_SSL.exe, Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe, Directory created: C:\Program Files\Mozilla Firefox\defaults\pref\ozcE786.tmp
Source: OnLine_Install_Dialog_UI_SSL.exe, Static PE information: certificate valid
Source: Binary string: E:\Project_Test\CloseOZWebLauncher\Release\CloseOZWebLauncher.pdb source: CloseOZWebLauncher.exe, 00000009.00000000.1733726897.0000000001078000.00000002.00000001.01000000.0000000D.sdmp, CloseOZWebLauncher.exe, 00000009.00000002.1739712006.0000000001078000.00000002.00000001.01000000.0000000D.sdmp
Source: Binary string: D:\OZSOURCE80\misc\OZWebLauncher\OZWLBridgeForUAC\Release\OZWLBridgeForUAC.pdb source: OZWD629.tmp.1.dr
Source: Binary string: E:\Project_Test\CloseOZWebLauncher\Release\CloseOZWebLauncher.pdbP/ source: CloseOZWebLauncher.exe, 00000009.00000000.1733726897.0000000001078000.00000002.00000001.01000000.0000000D.sdmp, CloseOZWebLauncher.exe, 00000009.00000002.1739712006.0000000001078000.00000002.00000001.01000000.0000000D.sdmp
Source: Binary string: C:\CodeBases\isdev\redist\Language Independent\i386\ISP\setup.pdb source: OnLine_Install_Dialog_UI_SSL.exe, setup.exe0.0.dr
Source: Binary string: C:\Users\sg0216986\Documents\Visual Studio 2010\Projects\Json4DotNet\System.Net.Json\obj\Release\System.Net.Json.pdb source: OZWebLauncher.exe, 00000021.00000002.2920008536.0000000007902000.00000002.00000001.01000000.00000019.sdmp
Source: Binary string: D:\OZSOURCE80\misc\OZWebLauncher\OZWLService\Release\OZWLService.pdb source: OZWLService.exe, 0000001E.00000000.2117884411.0000000000BF8000.00000002.00000001.01000000.00000011.sdmp
Source: Binary string: d:\OZSource80\OZTransferX\Transfer_Control\Release\ZTransferLib.pdbT4 source: ZTrD718.tmp.1.dr
Source: Binary string: D:\Samsung_Fire\CloseOZWLBridge\Release\CloseOZWLBridge.pdbP/2 source: CloseOZWLBridge.exe, 00000008.00000002.1732889732.00000000002D8000.00000002.00000001.01000000.0000000C.sdmp, CloseOZWLBridge.exe, 00000008.00000000.1731707763.00000000002D8000.00000002.00000001.01000000.0000000C.sdmp
Source: Binary string: D:\OZSOURCE80\misc\OZWebLauncher\OZWLBridgeForUAC\Release\OZWLBridgeForUAC.pdb\oW4 source: OZWD629.tmp.1.dr
Source: Binary string: d:\OZSource80\OZTransferX\Transfer_Control\Release\ZTransferLib.pdb source: ZTrD718.tmp.1.dr
Source: Binary string: d:\ozsource\misc\OZWebLauncher\OZWebLauncher\obj\x86\Release\OZWebLauncher.pdb source: OZWebLauncher.exe, 00000021.00000002.2919340220.0000000006538000.00000004.00000020.00020000.00000000.sdmp, OZWebLauncher.exe, 00000021.00000000.2126414035.0000000000BC2000.00000002.00000001.01000000.00000015.sdmp
Source: Binary string: d:\ozsource\misc\OZWebLauncher\WebSockets\obj\Release\WebSockets.pdb source: OZWebLauncherUtil.exe, 0000001F.00000002.2915164601.0000000004322000.00000002.00000001.01000000.00000014.sdmp
Source: Binary string: C:\CodeBases\isdev\Src\Runtime\InstallScript\_IsRes2k\0009-English\Debug\_isres_0x0409.pdb source: _is4AD9.tmp.1.dr
Source: Binary string: C:\CodeBases\isdev\Src\Runtime\InstallScript\ISBEW64\x64\Release\ISBEW64.pdb source: setup.exe, 00000001.00000003.1667559709.0000000000886000.00000004.00000020.00020000.00000000.sdmp, ISBEW64.exe, 00000002.00000002.2213567077.00007FF7D9447000.00000002.00000001.01000000.0000000B.sdmp, ISBEW64.exe, 00000002.00000000.1686921318.00007FF7D9447000.00000002.00000001.01000000.0000000B.sdmp, ISBEW64.exe, 00000003.00000002.1692670949.00007FF7D9447000.00000002.00000001.01000000.0000000B.sdmp, ISBEW64.exe, 00000003.00000000.1687461278.00007FF7D9447000.00000002.00000001.01000000.0000000B.sdmp, ISBEW64.exe, 00000004.00000002.1693203562.00007FF7D9447000.00000002.00000001.01000000.0000000B.sdmp, ISBEW64.exe, 00000004.00000000.1687911327.00007FF7D9447000.00000002.00000001.01000000.0000000B.sdmp, ISBEW64.exe, 00000005.00000002.1693902657.00007FF7D9447000.00000002.00000001.01000000.0000000B.sdmp, ISBEW64.exe, 00000005.00000000.1689065493.00007FF7D9447000.00000002.00000001.01000000.0000000B.sdmp, ISBEW64.exe, 00000006.00000002.1694512877.00007FF7D9447000.00000002.00000001.01000000.0000000B.sdmp, ISBEW64.exe, 00000006.00000000.1693173144.00007FF7D9447000.00000002.00000001.01000000.0000000B.sdmp, ISBEW64.exe, 00000007.00000000.1730363712.00007FF7D9447000.00000002.00000001.01000000.0000000B.sdmp, ISBEW64.exe, 00000007.00000002.2210041589.00007FF7D9447000.00000002.00000001.01000000.0000000B.sdmp
Source: Binary string: D:\Samsung_Fire\CloseOZWLBridge\Release\CloseOZWLBridge.pdb source: CloseOZWLBridge.exe, 00000008.00000002.1732889732.00000000002D8000.00000002.00000001.01000000.0000000C.sdmp, CloseOZWLBridge.exe, 00000008.00000000.1731707763.00000000002D8000.00000002.00000001.01000000.0000000C.sdmp
Source: Binary string: d:\ozsource\misc\OZWebLauncher\OZWebLauncher\obj\x86\Release\OZWebLauncher.pdbls source: OZWebLauncher.exe, 00000021.00000002.2919340220.0000000006538000.00000004.00000020.00020000.00000000.sdmp, OZWebLauncher.exe, 00000021.00000000.2126414035.0000000000BC2000.00000002.00000001.01000000.00000015.sdmp
Source: Binary string: D:\OZSOURCE80\misc\OZWebLauncher\OZWebLauncherUtil\obj\x86\Release\OZWebLauncherUtil.pdb source: OZWebLauncherUtil.exe, 0000001F.00000000.2118514832.0000000000DC2000.00000002.00000001.01000000.00000012.sdmp, OZWD559.tmp.1.dr
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe, Code function: 0_2_00425659 __EH_prolog3_GS,FindFirstFileW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrlenW,lstrcpyW,lstrcatW,SysStringLen,lstrcatW,GetFileAttributesW,lstrcatW,lstrcmpiW,lstrcpynW,lstrcmpiW,lstrcmpiW,SysStringLen,lstrcmpiW,lstrcpyW,lstrcatW,lstrcatW,lstrcatW,DeleteFileW,lstrcpyW,0_2_00425659
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe, Code function: 0_2_0042C966 FindFirstFileW,GetFileAttributesW,SetFileAttributesW,DeleteFileW,0_2_0042C966
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe, Code function: 0_2_00451BC7 __EH_prolog3_GS,FindFirstFileW,lstrcmpW,lstrcmpW,FindNextFileW,RemoveDirectoryW,__CxxThrowException@8,DeleteFileW,0_2_00451BC7
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWLBridge.exe, Code function: 8_2_001F11F2 __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrlenW,8_2_001F11F2
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWebLauncher.exe, Code function: 9_2_00F911F2 __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrlenW,9_2_00F911F2
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe, File opened: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe, File opened: C:\Users\user\AppData\Local\Temp\
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe, File opened: C:\Users\user\AppData\Local\
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe, File opened: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe, File opened: C:\Users\user\AppData\
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe, File opened: C:\Users\user\
Source: OZWebLauncher.exe, 00000021.00000002.2920040513.0000000007952000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
Source: OZWebLauncher.exe, 00000021.00000002.2920040513.0000000007952000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
Source: OZWebLauncher.exe, 00000021.00000002.2920040513.0000000007952000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fonts.com
Source: OZWebLauncher.exe, 00000021.00000002.2920040513.0000000007952000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn
Source: OZWebLauncher.exe, 00000021.00000002.2920040513.0000000007952000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: OZWebLauncher.exe, 00000021.00000002.2920040513.0000000007952000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: OZWebLauncher.exe, 00000021.00000002.2920040513.0000000007952000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: OZWebLauncher.exe, 00000021.00000002.2920040513.0000000007952000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: OZWebLauncher.exe, 00000021.00000002.2920040513.0000000007952000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.goodfont.co.kr
Source: OnLine_Install_Dialog_UI_SSL.exe, setup.ini.1.dr, setup.exe0.0.drString found in binary or memory: http://www.installshield.com/isetup/ProErrorCentral.asp?ErrorCode=%d
Source: OZWebLauncher.exe, 00000021.00000002.2920040513.0000000007952000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: OZWebLauncher.exe, 00000021.00000002.2920040513.0000000007952000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.com
Source: OZWebLauncher.exe, 00000021.00000002.2920040513.0000000007952000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sakkal.com
Source: OZWebLauncher.exe, 00000021.00000002.2920040513.0000000007952000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.kr
Source: _is4AD9.tmp.1.drString found in binary or memory: http://www.symauth.com/cps0(
Source: _is4AD9.tmp.1.drString found in binary or memory: http://www.symauth.com/rpa00
Source: OZWebLauncher.exe, 00000021.00000002.2920040513.0000000007952000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.com
Source: OZWebLauncher.exe, 00000021.00000002.2920040513.0000000007952000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.typography.netD
Source: OZWebLauncher.exe, 00000021.00000002.2920040513.0000000007952000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deDPlease
Source: OZWebLauncher.exe, 00000021.00000002.2920040513.0000000007952000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
Source: setup.exe, 00000001.00000003.2234591613.000000000297A000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.2211000526.0000000002970000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.2211990383.0000000002970000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.2212449812.0000000002979000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.2240388417.00000000029C5000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.2213093263.000000000297A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://.8T)
Source: _is4AD9.tmp.1.drString found in binary or memory: https://d.symcb.com/cps0%
Source: _is4AD9.tmp.1.drString found in binary or memory: https://d.symcb.com/rpa0
Source: svchost.exe, 00000022.00000003.2136483818.000002C5536C2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6
Source: svchost.exe, 00000022.00000003.2136483818.000002C553672000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
Source: svchost.exe, 00000022.00000003.2136483818.000002C5536C2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://g.live.com/odclientsettings/ProdV2
Source: svchost.exe, 00000022.00000003.2136483818.000002C5536A3000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000022.00000003.2136483818.000002C5536F4000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000022.00000003.2136483818.000002C5536C2000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000022.00000003.2136483818.000002C5536E8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: svchost.exe, 00000022.00000003.2136483818.000002C5536C2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96
Source: svchost.exe, 00000022.00000003.2136483818.000002C5536C2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exe
Source: svchost.exe, 00000022.00000003.2136483818.000002C553672000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe.C:
Source: OZWebLauncher.exe, 00000021.00000002.2919340220.0000000006538000.00000004.00000020.00020000.00000000.sdmp, OZWebLauncher.exe, 00000021.00000002.2914468780.0000000003021000.00000004.00000800.00020000.00000000.sdmp, OZWebLauncher.exe, 00000021.00000002.2919340220.0000000006510000.00000004.00000020.00020000.00000000.sdmp, OZWD559.tmp.1.dr, OZWD629.tmp.1.drString found in binary or memory: https://www.globalsign.com/repository/0
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWLBridge.exe Code function: 8_2_0021E34D GetClientRect,GetAsyncKeyState,SendMessageW
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWLBridge.exe Code function: 8_2_001C815B IsWindow,SendMessageW,GetCapture,SendMessageW,GetKeyState,GetKeyState,GetKeyState,ImmGetContext,ImmGetOpenStatus,ImmReleaseContext,GetFocus,IsWindow,IsWindow,IsWindow,ClientToScreen,IsWindow,ClientToScreen
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWLBridge.exe Code function: 8_2_001CC169 GetKeyState,GetKeyState,GetKeyState,GetKeyState
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWLBridge.exe Code function: 8_2_00224794 GetWindowRect,KillTimer,GetKeyState,GetKeyState,GetKeyState,KillTimer,GetFocus,SetTimer
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWLBridge.exe Code function: 8_2_001C9526 IsWindow,SendMessageW,GetCapture,GetKeyState,GetKeyState,GetKeyState,ImmGetContext,ImmGetOpenStatus,ImmReleaseContext,GetFocus,IsWindow,IsWindow,IsWindow,ClientToScreen,IsWindow,ClientToScreen
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWLBridge.exe Code function: 8_2_00219612 __EH_prolog3,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetParent,SendMessageW,_memset,ScreenToClient,_memset,GetCursorPos,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SetWindowPos,SendMessageW,_memset,SendMessageW,GetParent
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWLBridge.exe Code function: 8_2_001F3A33 SendMessageW,UpdateWindow,GetKeyState,GetKeyState,GetKeyState,GetParent,PostMessageW
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWebLauncher.exe Code function: 9_2_00FDC1D1 ScreenToClient,_memset,GetKeyState,GetKeyState,GetKeyState,KillTimer,IsWindow
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWebLauncher.exe Code function: 9_2_00F6C169 GetKeyState,GetKeyState,GetKeyState,GetKeyState
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWebLauncher.exe Code function: 9_2_00F6815B IsWindow,SendMessageW,GetCapture,SendMessageW,GetKeyState,GetKeyState,GetKeyState,ImmGetContext,ImmGetOpenStatus,ImmReleaseContext,GetFocus,IsWindow,IsWindow,IsWindow,ClientToScreen,IsWindow,ClientToScreen
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWebLauncher.exe Code function: 9_2_00FC4794 GetWindowRect,KillTimer,GetKeyState,GetKeyState,GetKeyState,KillTimer,GetFocus,SetTimer
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWebLauncher.exe Code function: 9_2_00F69526 IsWindow,SendMessageW,GetCapture,GetKeyState,GetKeyState,GetKeyState,ImmGetContext,ImmGetOpenStatus,ImmReleaseContext,GetFocus,IsWindow,IsWindow,IsWindow,ClientToScreen,IsWindow,ClientToScreen
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWebLauncher.exe Code function: 9_2_00FB9612 __EH_prolog3,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetParent,SendMessageW,_memset,ScreenToClient,_memset,GetCursorPos,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SetWindowPos,SendMessageW,_memset,SendMessageW,GetParent
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWebLauncher.exe Code function: 9_2_00F93A33 SendMessageW,UpdateWindow,GetKeyState,GetKeyState,GetKeyState,GetParent,PostMessageW
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe File created: C:\Program Files (x86)\FORCS\OZWebLauncher\forD4C5.tmp
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe File created: C:\Program Files (x86)\FORCS\OZWebLauncher\forcscert.pfx (copy)
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe Code function: 0_2_004552A9 CryptImportKey
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe Code function: 0_2_00455333 __EH_prolog3_GS,CreateFileW,ReadFile,CryptCreateHash,ReadFile,CryptHashData,GetLastError,CryptHashData,GetLastError,CryptDeriveKey,GetLastError,ReadFile,CryptImportKey,GetLastError,GetLastError

System Summary

Source: ISSetup.dll.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: ISSetup.dll.1.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: isr4AC8.tmp.1.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: ISSC3E7.tmp.1.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe Code function: 0_2_00447C87 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe File created: C:\Windows\ZTUE4B7.tmp
Source: C:\Windows\System32\svchost.exe File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe File deleted: C:\Windows\ZTUE4B7.tmp
Source: ozvD4F8.tmp.1.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: OnLine_Install_Dialog_UI_SSL.exe, 00000000.00000002.2441852535.0000000000519000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameInstallShield Setup.exe< vs OnLine_Install_Dialog_UI_SSL.exe
Source: OnLine_Install_Dialog_UI_SSL.exe, 00000000.00000003.2441490591.0000000000885000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameInstallShield Setup.exe< vs OnLine_Install_Dialog_UI_SSL.exe
Source: OnLine_Install_Dialog_UI_SSL.exe Binary or memory string: OriginalFilenameInstallShield Setup.exe< vs OnLine_Install_Dialog_UI_SSL.exe
Source: OnLine_Install_Dialog_UI_SSL.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: ISSetup.dll.0.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: ISSetup.dll.1.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: isr4AC8.tmp.1.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: ISSC3E7.tmp.1.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: CloseOZWebLauncher.exe, 00000009.00000002.1740048299.0000000001610000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: n_ip_tcpBS;.VBpp
Source: CloseOZWebLauncher.exe, 00000009.00000002.1740048299.0000000001610000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: BS;.VBp
Source: classification engine Classification label: sus28.evad.winEXE@55/135@0/1
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe Code function: 0_2_0041F883 _memset,lstrcpyW,lstrcatW,GetDiskFreeSpaceExW,GetDiskFreeSpaceW
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe Code function: 0_2_00446187 __EH_prolog3_GS,CreateToolhelp32Snapshot,GetLastError,Process32FirstW,Process32NextW,OpenProcess
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe Code function: 0_2_004443E5 __EH_prolog3_GS,GetModuleHandleW,GetProcAddress,LoadLibraryW,GetProcAddress,CoCreateInstance
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe Code function: 0_2_00420149 __EH_prolog3_catch_GS,LoadLibraryExW,LoadLibraryExW,FindResourceW,LoadResource,SizeofResource,MultiByteToWideChar,FreeLibrary
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe File created: C:\Program Files (x86)\InstallShield Installation Information\
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1002\97e828cd0105f5dc8974dc728e950457_9e146be9-c76a-4720-bcdb-53011b87bd06
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5576:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe Mutant created: \Sessions\1\BaseNamedObjects\E57AA2E7-1A7E-47FB-B362-ED04768595E6
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5260:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7676:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7704:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:180:120:WilError_03
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe File created: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\addfirewall.bat /s /v/q
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe Command line argument: @/L 0_2_00425FCC
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe Command line argument: EXE=%s 0_2_00425FCC
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe Command line argument: EXEProcessBegin 0_2_00425FCC
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe Command line argument: ISSetupInit 0_2_00425FCC
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe Command line argument: >YG 0_2_00475890
Source: OnLine_Install_Dialog_UI_SSL.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe File read: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\Disk1\setup.ini
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: setup.exe, 00000001.00000003.1660754567.0000000000835000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.1660914820.0000000000835000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.1660845452.0000000000835000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Select the language for the installation from the choices below.ue?;
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe File read: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe
Source: unknown Process created: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe "C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe"
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe Process created: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe -package:"C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe" -no_selfdeleter -IS_temp -media_path:"C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\Disk1\" -tempdisk1folder:"C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\" -IS_OriginalLauncher:"C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\Disk1\setup.exe"
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe Process created: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{5E314697-D110-4002-B63C-61B432079D77}
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe Process created: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{1856CA6F-3A7F-472E-B337-2E3FA07FC85C}
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe Process created: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{0F0A08E8-A0D1-45AD-AF2B-F10D703CD02A}
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe Process created: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{BAB69511-4FCB-4C17-80A3-43394505337C}
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe Process created: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{10BFDE1A-F312-4E1F-BEA2-24F4DCA4D57F}
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe Process created: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{54B59A05-F3F9-4E3A-8D72-1C938585C9B4}
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe Process created: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWLBridge.exe C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWLBridge.exe
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe Process created: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWebLauncher.exe C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWebLauncher.exe
Source: unknown Process created: C:\Windows\System32\VSSVC.exe C:\Windows\system32\vssvc.exe
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k swprv
Source: unknown Process created: C:\Windows\System32\SrTasks.exe C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:1
Source: C:\Windows\System32\SrTasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\addfirewall.bat /s /v/q
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name="OZWebLauncherFireWall" dir=in program="C:\Program Files (x86)\Forcs\OZWebLauncher\OZWebLauncher.exe" action=allow
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name="OZWebLauncherUtilFireWall" dir=in program="C:\Program Files (x86)\Forcs\OZWebLauncher\OZWebLauncherUtil.exe" action=allow
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\CheckNetIsolation.exe CheckNetIsolation LoopbackExempt -a -n="Microsoft.MicrosoftEdge_8wekyb3d8bbwe"
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32 /s /uC:\Windows\ZTUACControl.dll
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32 /s C:\Windows\ZTUACControl.dll
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\ZTUACControl.bat /s /v/q
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 /s c:\Windows\ZTUACControl.dll
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout /t 5
Source: C:\Windows\SysWOW64\timeout.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWLService.exe "C:\Program Files (x86)\FORCS\OZWebLauncher\OZWLService.exe"
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWLService.exeProcess created: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe "C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe"
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWLService.exeProcess created: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe "C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe"
Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout /t 5
Source: C:\Windows\SysWOW64\timeout.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: authfwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: fwpolicyiomgr.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: firewallapi.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: fwbase.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dhcpcmonitor.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dot3cfg.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dot3api.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: onex.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: eappcfg.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: eappprxy.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: fwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: hnetmon.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: netshell.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: netsetupapi.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: netiohlp.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: winnsi.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nshhttp.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: httpapi.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nshipsec.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: userenv.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: activeds.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: adsldpc.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: polstore.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: winipsec.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nshwfp.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: cabinet.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: p2pnetsh.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: p2p.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: profapi.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rpcnsh.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: whhelper.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: winhttp.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wlancfg.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wlanapi.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wshelper.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wevtapi.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mswsock.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: peerdistsh.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wcmapi.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rmclient.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mobilenetworking.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: slc.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: sppc.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: gpapi.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ktmw32.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mprmsg.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wldp.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: msasn1.dll
Source: C:\Windows\SysWOW64\CheckNetIsolation.exeSection loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\CheckNetIsolation.exeSection loaded: firewallapi.dll
Source: C:\Windows\SysWOW64\CheckNetIsolation.exeSection loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\CheckNetIsolation.exeSection loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\CheckNetIsolation.exeSection loaded: fwbase.dll
Source: C:\Windows\SysWOW64\CheckNetIsolation.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\CheckNetIsolation.exeSection loaded: fwpolicyiomgr.dll
Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: apphelp.dll
Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: aclayers.dll
Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: mpr.dll
Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: sfc.dll
Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: apphelp.dll
Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: aclayers.dll
Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: mpr.dll
Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: sfc.dll
Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\cmd.exeSection loaded: cmdext.dll
Source: C:\Windows\SysWOW64\cmd.exeSection loaded: apphelp.dll
Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: apphelp.dll
Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: aclayers.dll
Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: mpr.dll
Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: sfc.dll
Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\timeout.exeSection loaded: version.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWLService.exeSection loaded: apphelp.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWLService.exeSection loaded: userenv.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWLService.exeSection loaded: wtsapi32.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWLService.exeSection loaded: winsta.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWLService.exeSection loaded: profapi.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWLService.exeSection loaded: sspicli.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exeSection loaded: mscoree.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exeSection loaded: apphelp.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exeSection loaded: aclayers.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exeSection loaded: mpr.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exeSection loaded: sfc.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exeSection loaded: sfc_os.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exeSection loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exeSection loaded: version.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exeSection loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exeSection loaded: cryptsp.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exeSection loaded: rsaenh.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exeSection loaded: cryptbase.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exeSection loaded: dwrite.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exeSection loaded: msvcp140_clr0400.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exeSection loaded: windows.storage.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exeSection loaded: wldp.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exeSection loaded: profapi.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exeSection loaded: uxtheme.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exeSection loaded: mswsock.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exeSection loaded: msasn1.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exeSection loaded: msisip.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exeSection loaded: wshext.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exeSection loaded: appxsip.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exeSection loaded: opcservices.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exeSection loaded: esdsip.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exeSection loaded: dpapi.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exeSection loaded: dwmapi.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exeSection loaded: d3d9.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exeSection loaded: mscoree.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exeSection loaded: apphelp.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exeSection loaded: aclayers.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exeSection loaded: mpr.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exeSection loaded: sfc.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exeSection loaded: sfc_os.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exeSection loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exeSection loaded: version.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exeSection loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exeSection loaded: uxtheme.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exeSection loaded: cryptsp.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exeSection loaded: rsaenh.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exeSection loaded: cryptbase.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exeSection loaded: dwrite.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exeSection loaded: msvcp140_clr0400.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exeSection loaded: windows.storage.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exeSection loaded: wldp.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exeSection loaded: profapi.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exeSection loaded: iphlpapi.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exeSection loaded: urlmon.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exeSection loaded: iertutil.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exeSection loaded: srvcli.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exeSection loaded: netutils.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exeSection loaded: sspicli.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exeSection loaded: propsys.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exeSection loaded: msasn1.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exeSection loaded: riched20.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exeSection loaded: usp10.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exeSection loaded: msls31.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exeSection loaded: gpapi.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exeSection loaded: mswsock.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exeSection loaded: msisip.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exeSection loaded: wshext.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exeSection loaded: appxsip.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exeSection loaded: opcservices.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exeSection loaded: esdsip.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exeSection loaded: userenv.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exeSection loaded: dpapi.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exeSection loaded: dwmapi.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exeSection loaded: d3d9.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exeSection loaded: d3d10warp.dll
Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exeSection loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exeSection loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exeSection loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exeSection loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exeSection loaded: esent.dll
Source: C:\Windows\System32\svchost.exeSection loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exeSection loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exeSection loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exeSection loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dll
Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dll
Source: C:\Windows\System32\svchost.exeSection loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exeSection loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exeSection loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exeSection loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exeSection loaded: upnp.dll
Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exeSection loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exeSection loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exeSection loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exeSection loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dll
Source: C:\Windows\System32\svchost.exeSection loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exeSection loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exeSection loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exeSection loaded: miutils.dll
Source: C:\Windows\System32\svchost.exeSection loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exeSection loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exeSection loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exeSection loaded: mi.dll
Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dll
Source: C:\Windows\System32\svchost.exeSection loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exeSection loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dll
Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exeSection loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exeSection loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exeSection loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exeSection loaded: webio.dll
Source: C:\Windows\System32\svchost.exeSection loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exeSection loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exeSection loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exeSection loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exeSection loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exeSection loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exeSection loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exeSection loaded: propsys.dll
Source: C:\Windows\System32\svchost.exeSection loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exeSection loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exeSection loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exeSection loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exeSection loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exeSection loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exeSection loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exeSection loaded: samcli.dll
Source: C:\Windows\System32\svchost.exeSection loaded: samlib.dll
Source: C:\Windows\System32\svchost.exeSection loaded: es.dll
Source: C:\Windows\System32\svchost.exeSection loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exeSection loaded: schannel.dll
Source: C:\Windows\System32\svchost.exeSection loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exeSection loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exeSection loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exeSection loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exeSection loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exeSection loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exeSection loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exeSection loaded: mpr.dll
Source: C:\Windows\SysWOW64\timeout.exeSection loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00020420-0000-0000-C000-000000000046}\InprocServer32
Source: OZWLBridge.lnk.1.dr LNK file: ..\..\..\..\..\..\Program Files (x86)\FORCS\OZWebLauncher\OZWLBridge.exe
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe File written: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\Disk1\0x0409.ini
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe File opened: C:\Windows\SysWOW64\RICHED32.DLL
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe Directory created: C:\Program Files\Mozilla Firefox\defaults\pref\ozcE786.tmp
Source: OnLine_Install_Dialog_UI_SSL.exe Static PE information: certificate valid
Source: OnLine_Install_Dialog_UI_SSL.exe Static file information: File size 11588408 > 1048576
Source: OnLine_Install_Dialog_UI_SSL.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: E:\Project_Test\CloseOZWebLauncher\Release\CloseOZWebLauncher.pdb source: CloseOZWebLauncher.exe, 00000009.00000000.1733726897.0000000001078000.00000002.00000001.01000000.0000000D.sdmp, CloseOZWebLauncher.exe, 00000009.00000002.1739712006.0000000001078000.00000002.00000001.01000000.0000000D.sdmp
Source: Binary string: D:\OZSOURCE80\misc\OZWebLauncher\OZWLBridgeForUAC\Release\OZWLBridgeForUAC.pdb source: OZWD629.tmp.1.dr
Source: Binary string: E:\Project_Test\CloseOZWebLauncher\Release\CloseOZWebLauncher.pdbP/ source: CloseOZWebLauncher.exe, 00000009.00000000.1733726897.0000000001078000.00000002.00000001.01000000.0000000D.sdmp, CloseOZWebLauncher.exe, 00000009.00000002.1739712006.0000000001078000.00000002.00000001.01000000.0000000D.sdmp
Source: Binary string: C:\CodeBases\isdev\redist\Language Independent\i386\ISP\setup.pdb source: OnLine_Install_Dialog_UI_SSL.exe, setup.exe0.0.dr
Source: Binary string: C:\Users\sg0216986\Documents\Visual Studio 2010\Projects\Json4DotNet\System.Net.Json\obj\Release\System.Net.Json.pdb source: OZWebLauncher.exe, 00000021.00000002.2920008536.0000000007902000.00000002.00000001.01000000.00000019.sdmp
Source: Binary string: D:\OZSOURCE80\misc\OZWebLauncher\OZWLService\Release\OZWLService.pdb source: OZWLService.exe, 0000001E.00000000.2117884411.0000000000BF8000.00000002.00000001.01000000.00000011.sdmp
Source: Binary string: d:\OZSource80\OZTransferX\Transfer_Control\Release\ZTransferLib.pdbT4 source: ZTrD718.tmp.1.dr
Source: Binary string: D:\Samsung_Fire\CloseOZWLBridge\Release\CloseOZWLBridge.pdbP/2 source: CloseOZWLBridge.exe, 00000008.00000002.1732889732.00000000002D8000.00000002.00000001.01000000.0000000C.sdmp, CloseOZWLBridge.exe, 00000008.00000000.1731707763.00000000002D8000.00000002.00000001.01000000.0000000C.sdmp
Source: Binary string: D:\OZSOURCE80\misc\OZWebLauncher\OZWLBridgeForUAC\Release\OZWLBridgeForUAC.pdb\oW4 source: OZWD629.tmp.1.dr
Source: Binary string: d:\OZSource80\OZTransferX\Transfer_Control\Release\ZTransferLib.pdb source: ZTrD718.tmp.1.dr
Source: Binary string: d:\ozsource\misc\OZWebLauncher\OZWebLauncher\obj\x86\Release\OZWebLauncher.pdb source: OZWebLauncher.exe, 00000021.00000002.2919340220.0000000006538000.00000004.00000020.00020000.00000000.sdmp, OZWebLauncher.exe, 00000021.00000000.2126414035.0000000000BC2000.00000002.00000001.01000000.00000015.sdmp
Source: Binary string: d:\ozsource\misc\OZWebLauncher\WebSockets\obj\Release\WebSockets.pdb source: OZWebLauncherUtil.exe, 0000001F.00000002.2915164601.0000000004322000.00000002.00000001.01000000.00000014.sdmp
Source: Binary string: C:\CodeBases\isdev\Src\Runtime\InstallScript\_IsRes2k\0009-English\Debug\_isres_0x0409.pdb source: _is4AD9.tmp.1.dr
Source: Binary string: C:\CodeBases\isdev\Src\Runtime\InstallScript\ISBEW64\x64\Release\ISBEW64.pdb source: setup.exe, 00000001.00000003.1667559709.0000000000886000.00000004.00000020.00020000.00000000.sdmp, ISBEW64.exe, 00000002.00000002.2213567077.00007FF7D9447000.00000002.00000001.01000000.0000000B.sdmp, ISBEW64.exe, 00000002.00000000.1686921318.00007FF7D9447000.00000002.00000001.01000000.0000000B.sdmp, ISBEW64.exe, 00000003.00000002.1692670949.00007FF7D9447000.00000002.00000001.01000000.0000000B.sdmp, ISBEW64.exe, 00000003.00000000.1687461278.00007FF7D9447000.00000002.00000001.01000000.0000000B.sdmp, ISBEW64.exe, 00000004.00000002.1693203562.00007FF7D9447000.00000002.00000001.01000000.0000000B.sdmp, ISBEW64.exe, 00000004.00000000.1687911327.00007FF7D9447000.00000002.00000001.01000000.0000000B.sdmp, ISBEW64.exe, 00000005.00000002.1693902657.00007FF7D9447000.00000002.00000001.01000000.0000000B.sdmp, ISBEW64.exe, 00000005.00000000.1689065493.00007FF7D9447000.00000002.00000001.01000000.0000000B.sdmp, ISBEW64.exe, 00000006.00000002.1694512877.00007FF7D9447000.00000002.00000001.01000000.0000000B.sdmp, ISBEW64.exe, 00000006.00000000.1693173144.00007FF7D9447000.00000002.00000001.01000000.0000000B.sdmp, ISBEW64.exe, 00000007.00000000.1730363712.00007FF7D9447000.00000002.00000001.01000000.0000000B.sdmp, ISBEW64.exe, 00000007.00000002.2210041589.00007FF7D9447000.00000002.00000001.01000000.0000000B.sdmp
Source: Binary string: D:\Samsung_Fire\CloseOZWLBridge\Release\CloseOZWLBridge.pdb source: CloseOZWLBridge.exe, 00000008.00000002.1732889732.00000000002D8000.00000002.00000001.01000000.0000000C.sdmp, CloseOZWLBridge.exe, 00000008.00000000.1731707763.00000000002D8000.00000002.00000001.01000000.0000000C.sdmp
Source: Binary string: d:\ozsource\misc\OZWebLauncher\OZWebLauncher\obj\x86\Release\OZWebLauncher.pdbls source: OZWebLauncher.exe, 00000021.00000002.2919340220.0000000006538000.00000004.00000020.00020000.00000000.sdmp, OZWebLauncher.exe, 00000021.00000000.2126414035.0000000000BC2000.00000002.00000001.01000000.00000015.sdmp
Source: Binary string: D:\OZSOURCE80\misc\OZWebLauncher\OZWebLauncherUtil\obj\x86\Release\OZWebLauncherUtil.pdb source: OZWebLauncherUtil.exe, 0000001F.00000000.2118514832.0000000000DC2000.00000002.00000001.01000000.00000012.sdmp, OZWD559.tmp.1.dr
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe Code function: 0_2_004443E5 __EH_prolog3_GS,GetModuleHandleW,GetProcAddress,LoadLibraryW,GetProcAddress,CoCreateInstance,0_2_004443E5
Source: initial sample Static PE information: section where entry point is pointing to: .rsrc
Source: ZTU49AE.tmp.1.dr Static PE information: section name: .orpc
Source: dot49BF.tmp.1.dr Static PE information: section name: .boxld01
Source: ZTUD813.tmp.1.dr Static PE information: section name: .orpc
Source: ZTUE4B7.tmp.1.dr Static PE information: section name: .orpc
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32 /s /uC:\Windows\ZTUACControl.dll
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe Code function: 0_2_00466655 push ecx; ret 0_2_00466668
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe Code function: 0_2_0045B864 push ecx; ret 0_2_0045B877
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWLBridge.exe Code function: 8_2_002B1067 push ecx; ret 8_2_002B107A
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWLBridge.exe Code function: 8_2_002B347D push ecx; ret 8_2_002B3490
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWebLauncher.exe Code function: 9_2_01051067 push ecx; ret 9_2_0105107A
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWebLauncher.exe Code function: 9_2_0105347D push ecx; ret 9_2_01053490
Source: isr4AC8.tmp.1.dr Static PE information: section name: .text entropy: 7.983505264778397

Persistence and Installation Behavior

Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\717D6C878B0B3041D21EA17EADD7ADD47C44DF25 Blob
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe File created: C:\Program Files (x86)\FORCS\OZWebLauncher\ozverify.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe File created: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe (copy)
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe File created: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\Disk1\setup.exe
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe File created: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWD57B.tmp
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe File created: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\dotNetFx_45.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe File created: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWLBridge.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe File created: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\dotnetinstaller.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe File created: C:\Program Files (x86)\FORCS\OZWebLauncher\ZTrD718.tmp
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe File created: C:\Program Files (x86)\FORCS\OZWebLauncher\ZTransferLib.dll (copy)
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe File created: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\Disk1\ISSetup.dll
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe File created: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWD5DA.tmp
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe File created: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe File created: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWD537.tmp
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe File created: C:\Program Files (x86)\FORCS\OZWebLauncher\System.Net.Json.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe File created: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\dot4A95.tmp
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe File created: C:\Program Files (x86)\InstallShield Installation Information\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\setup.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe File created: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWD57A.tmp (copy)
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe File created: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISB4A97.tmp
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe File created: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWebLauncher.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe File created: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\ISSetup.dll
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe File created: C:\Program Files (x86)\FORCS\OZWebLauncher\OZGetUserToken.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe File created: C:\Program Files (x86)\FORCS\OZWebLauncher\WebD708.tmp
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exeFile created: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWD678.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exeFile created: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exeFile created: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\_is4AD9.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exeFile created: C:\Program Files (x86)\InstallShield Installation Information\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\setC3A7.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exeFile created: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWLBridge.exe (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exeFile created: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\isr4AC8.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exeFile created: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\_isres_0x0409.dll (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exeFile created: C:\Program Files (x86)\FORCS\OZWebLauncher\SysD707.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exeFile created: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\Clo49EF.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exeFile created: C:\Program Files (x86)\FORCS\OZWebLauncher\OZGD4D8.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exeFile created: C:\Program Files (x86)\InstallShield Installation Information\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\ISSetup.dll (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exeFile created: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\ZTU49AE.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exeFile created: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWD6D7.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exeFile created: C:\Windows\ZTUACControl.dll (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exeFile created: C:\Program Files (x86)\InstallShield Installation Information\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\ISSC3E7.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exeFile created: C:\Program Files (x86)\FORCS\OZWebLauncher\WebSockets.dll (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exeFile created: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWD629.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exeFile created: C:\Program Files (x86)\FORCS\OZWebLauncher\ZTUD813.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exeFile created: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWLNotify.exe (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exeFile created: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWLBridgeForUAC.exe (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exeFile created: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWLService.exe (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exeFile created: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\dot49BF.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exeFile created: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\isrt.dll (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exeFile created: C:\Windows\ZTUE4B7.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exeFile created: C:\Program Files (x86)\FORCS\OZWebLauncher\ZTUACControl.dll (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exeFile created: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWD559.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exeFile created: C:\Program Files (x86)\FORCS\OZWebLauncher\ozvD4F8.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exeFile created: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\Clo494E.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exeFile created: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\ZTUACControl.dll (copy)Jump to dropped file
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exeFile created: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exeJump to dropped file
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe Code function: 0_2_0041CAE7 __EH_prolog3_GS,GetPrivateProfileIntW,0_2_0041CAE7
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe Code function: 0_2_0048A330 GetLastError,SetLastError,_memset,lstrcpyA,_memset,lstrcpyW,lstrlenA,_memset,lstrcpyA,lstrlenA,lstrlenA,_memmove,lstrcmpiA,GetLastError,SetLastError,_memmove,GetPrivateProfileIntA,_memset,lstrcpyA,GetPrivateProfileStringA,GetSysColor,_memset,_memset,GetPrivateProfileSectionNamesA,lstrcpyA,lstrcpyA,lstrlenA,lstrcpyA,GetPrivateProfileStringA,GetSysColor,GetLastError,SysFreeString,SysFreeString,SysFreeString,SetLastError,lstrcpyA,lstrlenA,lstrcmpA,lstrcpyA,GetPrivateProfileStringA,GetProcAddress,0_2_0048A330
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\OZWLBridge.lnk
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore
Source: C:\Windows\System32\SrTasks.exe Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWLBridge.exe Code function: 8_2_001F4209 IsWindowVisible,IsIconic,8_2_001F4209
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWLBridge.exe Code function: 8_2_001CE403 IsIconic,PostMessageW,8_2_001CE403
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWLBridge.exe Code function: 8_2_001D4820 SetRectEmpty,RedrawWindow,ReleaseCapture,SetCapture,ReleaseCapture,SetCapture,SendMessageW,UpdateWindow,SendMessageW,IsWindow,IsIconic,IsZoomed,IsWindow,UpdateWindow,8_2_001D4820
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWLBridge.exe Code function: 8_2_001CC8A2 IsWindow,GetFocus,SendMessageW,SendMessageW,IsIconic,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,IsWindowVisible,8_2_001CC8A2
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWLBridge.exe Code function: 8_2_00225353 GetParent,GetParent,IsIconic,GetParent,8_2_00225353
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWLBridge.exe Code function: 8_2_001CD5D9 IsIconic,IsIconic,GetWindowRect,IsIconic,OffsetRect,IsIconic,8_2_001CD5D9
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWLBridge.exe Code function: 8_2_001CD8AD IsWindowVisible,ScreenToClient,IsIconic,PtInRect,PtInRect,PtInRect,8_2_001CD8AD
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWLBridge.exe Code function: 8_2_001B9CA5 MonitorFromWindow,IsIconic,GetWindowPlacement,GetWindowRect,8_2_001B9CA5
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWLBridge.exe Code function: 8_2_001DBD49 IsRectEmpty,IsIconic,BeginDeferWindowPos,GetClientRect,IsRectEmpty,GetWindowRect,GetParent,IsRectEmpty,EndDeferWindowPos,8_2_001DBD49
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWebLauncher.exe Code function: 9_2_00F94209 IsWindowVisible,IsIconic,9_2_00F94209
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWebLauncher.exe Code function: 9_2_00F6E403 IsIconic,PostMessageW,9_2_00F6E403
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWebLauncher.exe Code function: 9_2_00F6C8A2 IsWindow,GetFocus,SendMessageW,SendMessageW,IsIconic,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,IsWindowVisible,9_2_00F6C8A2
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWebLauncher.exe Code function: 9_2_00F74820 SetRectEmpty,RedrawWindow,ReleaseCapture,SetCapture,ReleaseCapture,SetCapture,SendMessageW,UpdateWindow,SendMessageW,IsWindow,IsIconic,IsZoomed,IsWindow,UpdateWindow,9_2_00F74820
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWebLauncher.exe Code function: 9_2_00FC5353 GetParent,GetParent,IsIconic,GetParent,9_2_00FC5353
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWebLauncher.exe Code function: 9_2_00F6D5D9 IsIconic,IsIconic,GetWindowRect,IsIconic,OffsetRect,IsIconic,9_2_00F6D5D9
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWebLauncher.exe Code function: 9_2_00F6D8AD IsWindowVisible,ScreenToClient,IsIconic,PtInRect,PtInRect,PtInRect,9_2_00F6D8AD
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWebLauncher.exe Code function: 9_2_00F59CA5 MonitorFromWindow,IsIconic,GetWindowPlacement,GetWindowRect,9_2_00F59CA5
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWebLauncher.exe Code function: 9_2_00F7BD49 IsRectEmpty,IsIconic,BeginDeferWindowPos,GetClientRect,IsRectEmpty,GetWindowRect,GetParent,IsRectEmpty,EndDeferWindowPos,9_2_00F7BD49
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe Code function: 2_2_00007FF7D9437180 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,2_2_00007FF7D9437180
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8 Blob
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWLBridge.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWebLauncher.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\VSSVC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\timeout.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWLService.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\timeout.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exeMemory allocated: 1C00000 memory reserve | memory write watch
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exeMemory allocated: 1D90000 memory reserve | memory write watch
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exeMemory allocated: 3D90000 memory reserve | memory write watch
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exeMemory allocated: 12B0000 memory reserve | memory write watch
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exeMemory allocated: 3020000 memory reserve | memory write watch
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exeMemory allocated: 2E60000 memory reserve | memory write watch
Source: C:\Windows\System32\svchost.exeFile opened / queried: scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exeThread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exeThread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWLService.exeWindow / User API: threadDelayed 407
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\isr4AC8.tmp
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exeDropped PE file which has not been started: C:\Program Files (x86)\FORCS\OZWebLauncher\ozverify.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\_isres_0x0409.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exeDropped PE file which has not been started: C:\Program Files (x86)\FORCS\OZWebLauncher\SysD707.tmp
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exeDropped PE file which has not been started: C:\Program Files (x86)\InstallShield Installation Information\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\ISSetup.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exeDropped PE file which has not been started: C:\Program Files (x86)\FORCS\OZWebLauncher\OZGD4D8.tmp
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exeDropped PE file which has not been started: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWD57B.tmp
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\ZTU49AE.tmp
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exeDropped PE file which has not been started: C:\Windows\ZTUACControl.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\dotNetFx_45.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exeDropped PE file which has not been started: C:\Program Files (x86)\InstallShield Installation Information\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\ISSC3E7.tmp
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exeDropped PE file which has not been started: C:\Program Files (x86)\FORCS\OZWebLauncher\WebSockets.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\dotnetinstaller.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exeDropped PE file which has not been started: C:\Program Files (x86)\FORCS\OZWebLauncher\ZTrD718.tmp
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exeDropped PE file which has not been started: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWD629.tmp
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exeDropped PE file which has not been started: C:\Program Files (x86)\FORCS\OZWebLauncher\ZTransferLib.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exeDropped PE file which has not been started: C:\Program Files (x86)\FORCS\OZWebLauncher\ZTUD813.tmp
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\Disk1\ISSetup.dll
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exeDropped PE file which has not been started: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWD5DA.tmp
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exeDropped PE file which has not been started: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWLNotify.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exeDropped PE file which has not been started: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWLBridgeForUAC.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\dot49BF.tmp
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\isrt.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exeDropped PE file which has not been started: C:\Program Files (x86)\FORCS\OZWebLauncher\System.Net.Json.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\dot4A95.tmp
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exeDropped PE file which has not been started: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWD57A.tmp (copy)
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exeDropped PE file which has not been started: C:\Windows\ZTUE4B7.tmp
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exeDropped PE file which has not been started: C:\Program Files (x86)\FORCS\OZWebLauncher\ZTUACControl.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exeDropped PE file which has not been started: C:\Program Files (x86)\FORCS\OZWebLauncher\OZGetUserToken.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\ISSetup.dll
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exeDropped PE file which has not been started: C:\Program Files (x86)\FORCS\OZWebLauncher\WebD708.tmp
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exeDropped PE file which has not been started: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWD678.tmp
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exeDropped PE file which has not been started: C:\Program Files (x86)\FORCS\OZWebLauncher\ozvD4F8.tmp
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\_is4AD9.tmp
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\ZTUACControl.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exeDropped PE file which has not been started: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWLBridge.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exeEvasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exeEvasive API call chain: GetModuleFileName,DecisionNodes,ExitProcessgraph_0-70705
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWebLauncher.exeEvasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWLBridge.exeEvasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exeAPI coverage: 7.0 %
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWLBridge.exeAPI coverage: 3.2 %
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWebLauncher.exeAPI coverage: 2.8 %
Source: C:\Windows\System32\SrTasks.exe TID: 7732Thread sleep time: -290000s >= -30000s
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWLService.exe TID: 7136Thread sleep count: 407 > 30
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWLService.exe TID: 7136Thread sleep time: -24420000s >= -30000s
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe TID: 2476Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe TID: 7040Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7216Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exeFile opened: PhysicalDrive0
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exeFile Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exeFile Volume queried: C:\Windows FullSizeInformation
Source: C:\Windows\System32\svchost.exeFile Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exeCode function: 0_2_00425659 __EH_prolog3_GS,FindFirstFileW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrlenW,lstrcpyW,lstrcatW,SysStringLen,lstrcatW,GetFileAttributesW,lstrcatW,lstrcmpiW,lstrcpynW,lstrcmpiW,lstrcmpiW,SysStringLen,lstrcmpiW,lstrcpyW,lstrcatW,lstrcatW,lstrcatW,DeleteFileW,lstrcpyW,0_2_00425659
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exeCode function: 0_2_0042C966 FindFirstFileW,GetFileAttributesW,SetFileAttributesW,DeleteFileW,0_2_0042C966
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exeCode function: 0_2_00451BC7 __EH_prolog3_GS,FindFirstFileW,lstrcmpW,lstrcmpW,FindNextFileW,RemoveDirectoryW,__CxxThrowException@8,DeleteFileW,0_2_00451BC7
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWLBridge.exeCode function: 8_2_001F11F2 __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrlenW,8_2_001F11F2
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWebLauncher.exeCode function: 9_2_00F911F2 __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrlenW,9_2_00F911F2
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exeCode function: 0_2_0041CF22 CreateFileW,CreateFileMappingW,GetSystemInfo,MapViewOfFile,IsBadReadPtr,UnmapViewOfFile,MapViewOfFile,IsBadReadPtr,GetLastError,0_2_0041CF22
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWLService.exeThread delayed: delay time: 60000
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exeFile opened: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exeFile opened: C:\Users\user\AppData\Local\Temp\
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exeFile opened: C:\Users\user\AppData\Local\
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exeFile opened: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exeFile opened: C:\Users\user\AppData\
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exeFile opened: C:\Users\user\
Source: setup.exe, 00000001.00000003.2211000526.0000000002970000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.2213093263.0000000002970000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.2211990383.0000000002970000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 0bIsVirtualMachinealled
Source: setup.exe, 00000001.00000003.2228722617.0000000002831000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.2230877414.0000000002848000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 0bIsVirtualMachine=%ld.
Source: setup.exe, 00000001.00000003.2211000526.0000000002970000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.2213093263.0000000002970000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.2211990383.0000000002970000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 0bIsVirtualMachinez}
Source: svchost.exe, 0000000C.00000002.2908799857.0000021F17855000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: setup.exe, 00000001.00000002.2439910239.0000000002925000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.2232792483.000000000291E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 0bIsVirtualMachine4
Source: setup.exe, 00000001.00000003.2211000526.0000000002970000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.2213093263.0000000002970000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.2211990383.0000000002970000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.2234140158.00000000008AF000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.2233259166.00000000008A0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 0_GetVirtualMachineType
Source: setup.exe, 00000001.00000002.2439910239.0000000002925000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.2210154643.0000000004B6D000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.2232792483.000000000291E000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.1667885797.0000000000881000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000002.2440903656.0000000004B8D000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.2210555594.0000000004B85000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.2435960075.0000000004B8D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _IsVirtualMachine
Source: svchost.exe, 00000022.00000002.2917929837.000002C553455000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000022.00000002.2912511691.000002C54DE2B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
Source: setup.exe, 00000001.00000003.2235951431.000000000088A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 0bIsVirtualMachineZ
Source: svchost.exe, 0000000C.00000003.1958674778.0000021F1786B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 0000000C.00000002.2909107251.0000021F17859000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: (@SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: setup.exe, 00000001.00000002.2439496440.0000000002747000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.2435654784.0000000002740000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.2436719585.0000000002746000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.2435298859.0000000002735000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: bIsVirtualMachine
Source: VSSVC.exe, 0000000B.00000003.2096500791.0000017AD17E7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \Device\HarddiskVolume1\??\Volume{ad6cc5d8-f1a9-4873-be33-91b2f05e9306}\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:J
Source: OZWebLauncherUtil.exe, 0000001F.00000002.2910888541.00000000014ED000.00000004.00000020.00020000.00000000.sdmp, OZWebLauncher.exe, 00000021.00000002.2919340220.0000000006538000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: SrTasks.exe, 00000010.00000002.2243285813.000002848DDBB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \Device\HarddiskVolume1\??\Volume{ad6cc5d8-f1a9-4873-be33-91b2f05e9306}\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
Source: svchost.exe, 0000000C.00000003.1958586697.0000021F17863000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: setup.exe, 00000001.00000003.2211000526.0000000002970000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.2213093263.0000000002970000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.2211990383.0000000002970000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.2234140158.00000000008AF000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.2233259166.00000000008A0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 0_IsVirtualMachine
Source: setup.exe, 00000001.00000003.2210154643.0000000004B6D000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000002.2440903656.0000000004B8D000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.2210555594.0000000004B85000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.2435960075.0000000004B8D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _IsVirtualMachine3
Source: setup.exe, 00000001.00000003.2211000526.0000000002970000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.2213093263.0000000002970000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.2211990383.0000000002970000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 0bIsVirtualMachine=%ld
Source: setup.exe, 00000001.00000003.1667885797.0000000000881000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _GetVirtualMachineType
Source: VSSVC.exe, 0000000B.00000003.2096500791.0000017AD17E7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \Device\HarddiskVolume1\??\Volume{ad6cc5d8-f1a9-4873-be33-91b2f05e9306}\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:{
Source: SrTasks.exe, 00000010.00000003.2153538341.000002848DDBD000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \Device\HarddiskVolume1\??\Volume{ad6cc5d8-f1a9-4873-be33-91b2f05e9306}\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:889w
Source: setup.exe, 00000001.00000002.2439910239.0000000002925000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.2232792483.000000000291E000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.2228722617.0000000002831000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.2235951431.000000000088A000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.2230877414.0000000002848000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 0bIsVirtualMachine
Source: setup.exe, 00000001.00000003.1667885797.0000000000881000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: AddIconCallDLLFnComponentViewCreateWindowComponentViewDestroyComponentViewRefreshComponentViewSelectAllComponentViewSetInfoComponentViewSetInfoExCreateFolderDeleteFolderDeleteIconEnableHourGlassEnumFoldersItemsGetCPUTypeGetFontSubGetHandleGetPortsGetSelectedItemStateIsEmptyIsNTAdminIsOSTypeNTIsObjectIsPowerUserLangLoadStringMessageBeepPPathCompactPathPixelPathCrackUrlPathGetDirPathGetDrivePathGetFilePathGetFileExtPathGetFileNamePathGetLongFromShortPathGetPathPathIsValidSyntaxQueryIconReadArrayPropertyReadBoolPropertyReadNumberPropertyReplaceIconShowFolderTextSubSubstituteVerGetFileVersionWriteArrayPropertyWriteBoolPropertyWriteNumberPropertyWriteStringProperty_AppSearch_BrowseForFolder_CCPSearch_CHARArrayToWCHARArray_CalculateAndAddFileCost_CleanupInet_CloseFile_CmdGetHwndDlg_CmdGetMsg_CmdGetParam1_CmdGetParam2_CoGetObject_CompareDWORD_ComponentAddItem_ComponentCompareSizeRequired_ComponentError_ComponentErrorInfo_ComponentFileEnum_ComponentFileInfo_ComponentFilterLanguage_ComponentFilterOS_ComponentGetCost_ComponentGetCostEx_ComponentGetData_ComponentGetItemSize_ComponentGetTotalCost_ComponentGetTotalCostEx_ComponentInitialize_ComponentIsItemSelected_ComponentListItems_ComponentLoadTarget_ComponentMoveData_ComponentPatch_ComponentReinstall_ComponentRemoveAll_ComponentRemoveAllInLogOnly_ComponentSaveTarget_ComponentSelectItem_ComponentSelectNew_ComponentSetData_ComponentSetupTypeEnum_ComponentSetupTypeGetData_ComponentSetupTypeSet_ComponentTotalSize_ComponentTransferData_ComponentUpdate_ComponentValidate_ComponentViewCreate_ComponentViewQueryInfo_CopyBytes_CreateDir_CreateObject_CreateRegistrySet_CreateShellObjects_CtrlGetNotificationCode_CtrlGetParentWindowHelper_CtrlGetSubCommand_CtrlGetUrlForLinkClicked_CtrlSetHtmlContent_CtrlSetMLERichText_DIFxDriverPackageGetPath_DIFxDriverPackageInstall_DIFxDriverPackagePreinstall_DIFxDriverPackageU
ninstall_DefineDialog_DeleteCHARArray_DialogSetFont_DisableBranding_DisableStatus_Divide_DoInstall_DoSprintf_DotNetCoCreateObject_DotNetUnloadAppDomain_EnableDialogCache_EnablePrevDialog_EnableSkins_EnableStatus_EnableWow64FsRedirection_EndDialog_ExistsDir_ExistsDisk_ExistsFile_ExitInstall_FeatureAddCost_FeatureAddUninstallCost_FeatureGetCost_FeatureInitialize_FeatureSpendCost_FeatureSpendUninstallCost_FileCopy_FloatingPointOperation_GenerateFileMD5SignatureHex_GetByte_GetCurrentDialogName_GetDiskInfo_GetDiskSpaceEx_GetDiskSpaceExEx_GetFont_GetGlobalFlags_GetGlobalMemorySize_GetInetFileSize_GetInetFileTime_GetLine_GetLineSize_GetObject_GetObjectByIndex_GetObjectCount_GetProcessorInfo_GetRunningChildProcess_GetRunningChildProcessEx_GetRunningChildProcessEx2_GetSelectedTreeComponent_GetStandardLangId_GetSupportDir_GetSystemDpi_GetTrueTypeFontFileInfo_GetVirtualMachineType_InetEndofTransfer_InetGetLastError_InetGetNextDisk_InitInstall_IsFontTypefaceNameAvailable_IsInAdminGroup_IsLangSupported_IsSkinLoaded_IsVirtualMachine_IsWindowsME_IsWow64_KillProcesses_ListAddItem_ListAddString_ListCount_ListCreate_ListCurrentIte
Source: VSSVC.exe, 0000000B.00000002.2909812834.0000017AD17D6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 1a9-4873-be33-91b2f05e9306}\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:{
Source: VSSVC.exe, 0000000B.00000002.2909812834.0000017AD17D6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exeAPI call chain: ExitProcess graph end nodegraph_0-70707
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exeAPI call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exeAPI call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWLBridge.exeProcess information queried: ProcessInformation
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe Code function: 0_2_00464F6E _memset,IsDebuggerPresent,0_2_00464F6E
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe Code function: 0_2_0047A0BB EncodePointer,EncodePointer,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,0_2_0047A0BB
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe Code function: 0_2_004443E5 __EH_prolog3_GS,GetModuleHandleW,GetProcAddress,LoadLibraryW,GetProcAddress,CoCreateInstance,0_2_004443E5
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe Code function: 0_2_00430226 GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,_strlen,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,ReadFile,GetProcessHeap,HeapFree,0_2_00430226
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe Code function: 0_2_004638C7 SetUnhandledExceptionFilter,0_2_004638C7
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe Code function: 0_2_004638EA SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_004638EA
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe Code function: 2_2_00007FF7D943DCD4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_00007FF7D943DCD4
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe Code function: 2_2_00007FF7D94407D8 SetUnhandledExceptionFilter,2_2_00007FF7D94407D8
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWLBridge.exe Code function: 8_2_002B0383 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,8_2_002B0383
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWLBridge.exe Code function: 8_2_002B75BC _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,8_2_002B75BC
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWebLauncher.exe Code function: 9_2_01050383 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,9_2_01050383
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWebLauncher.exe Code function: 9_2_010575BC _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,9_2_010575BC
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe Memory allocated: page read and write | page guard
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name="OZWebLauncherFireWall" dir=in program="C:\Program Files (x86)\Forcs\OZWebLauncher\OZWebLauncher.exe" action=allow
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name="OZWebLauncherUtilFireWall" dir=in program="C:\Program Files (x86)\Forcs\OZWebLauncher\OZWebLauncherUtil.exe" action=allow
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\CheckNetIsolation.exe CheckNetIsolation LoopbackExempt -a -n="Microsoft.MicrosoftEdge_8wekyb3d8bbwe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 /s c:\Windows\ZTUACControl.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWLService.exe Process created: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe "C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe"
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe Process created: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe c:\users\user\appdata\local\temp\{01d63416-83e7-40b7-ae24-d6a69aab6dca}\setup.exe -package:"c:\users\user\desktop\online_install_dialog_ui_ssl.exe" -no_selfdeleter -is_temp -media_path:"c:\users\user\appdata\local\temp\{01d63416-83e7-40b7-ae24-d6a69aab6dca}\disk1\" -tempdisk1folder:"c:\users\user\appdata\local\temp\{01d63416-83e7-40b7-ae24-d6a69aab6dca}\" -is_originallauncher:"c:\users\user\appdata\local\temp\{01d63416-83e7-40b7-ae24-d6a69aab6dca}\disk1\setup.exe"
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe Code function: 0_2_004448BB __EH_prolog3_GS,AllocateAndInitializeSid,AllocateAndInitializeSid,AllocateAndInitializeSid,AllocateAndInitializeSid,_memset,SetEntriesInAclW,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,GetTempPathW,0_2_004448BB
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe Code function: 0_2_00450887 GetCurrentThread,OpenThreadToken,GetLastError,GetLastError,GetCurrentProcess,OpenProcessToken,GetLastError,GetTokenInformation,GetTokenInformation,GetLastError,GetTokenInformation,AllocateAndInitializeSid,EqualSid,FreeSid,0_2_00450887
Source: setup.exe, 00000001.00000003.1659772558.00000000025C0000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: ISLOG_VERSION_INFO..\..\..\Shared\LogServices2\LogDB.cppOPTYPE_PROGMANISLOGDB_USER_PROPERTIES,
Source: ISSetup.dll.0.dr Binary or memory string: ?OPTYPE_PROGMAN_FIELDSWWW
Source: setup.exe, 00000001.00000003.2434948860.0000000000869000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.2238976039.0000000000867000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.2241930878.0000000000869000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OPTYPE_PROGMAN
Source: setup.exe, 00000001.00000003.2434948860.0000000000869000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.2238976039.0000000000867000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.2241930878.0000000000869000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OPTYPE_PROGMANes
Source: setup.exe, 00000001.00000003.2434948860.0000000000869000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.2238976039.0000000000867000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.2241930878.0000000000869000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OPTYPE_PROGMAN;F
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe Code function: 0_2_0046391A cpuid 0_2_0046391A
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe Code function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,__invoke_watson,GetLocaleInfoW,0_2_0046E1E0
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe Code function: EnumSystemLocalesW,0_2_0046E450
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,0_2_0047A437
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe Code function: _GetPrimaryLen,EnumSystemLocalesW,0_2_0046E4AC
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe Code function: _GetPrimaryLen,EnumSystemLocalesW,0_2_0046E529
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe Code function: GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,0_2_0046E5AC
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe Code function: GetLocaleInfoW,TranslateCharsetInfo,IsValidLocale,0_2_004125AD
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe Code function: GetLocaleInfoW,0_2_0046E79F
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe Code function: _wcscmp,_wcscmp,GetLocaleInfoW,GetLocaleInfoW,GetACP,0_2_0046E8C7
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe Code function: GetLocaleInfoW,_GetPrimaryLen,0_2_0046E974
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe Code function: _memset,_TranslateName,_TranslateName,_GetLcidFromCountry,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,__itow_s,0_2_0046EA48
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe Code function: EnumSystemLocalesW,0_2_0046EF47
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe Code function: GetLocaleInfoW,0_2_0046EFCD
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWLBridge.exe Code function: __snwprintf_s,GetLocaleInfoW,PathFindFileNameW,_memset,GetModuleHandleW,GetProcAddress,LoadLibraryExW,8_2_001B23CB
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWLBridge.exe Code function: GetLocaleInfoA,8_2_002C422B
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWebLauncher.exe Code function: __snwprintf_s,GetLocaleInfoW,PathFindFileNameW,_memset,GetModuleHandleW,GetProcAddress,LoadLibraryExW,9_2_00F523CB
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWebLauncher.exe Code function: GetLocaleInfoA,9_2_0106422B
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exe Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe Queries volume information: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe Queries volume information: C:\Program Files (x86)\FORCS\OZWebLauncher\WebSockets.dll VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\PresentationFramework.Classic\v4.0_4.0.0.0__31bf3856ad364e35\PresentationFramework.Classic.dll VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe Queries volume information: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe Queries volume information: C:\Program Files (x86)\FORCS\OZWebLauncher\WebSockets.dll VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exeQueries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exeQueries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exeQueries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exeQueries volume information: C:\Windows\Fonts\OFFSYMSL.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe Queries volume information: C:\Program Files (x86)\FORCS\OZWebLauncher\System.Net.Json.dll VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe Code function: 0_2_0043B52C __EH_prolog3_GS,GetCurrentProcessId,_memset,GetLocalTime,GetModuleFileNameW,0_2_0043B52C
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe Code function: 0_2_00430174 GetVersionExW,0_2_00430174
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name="OZWebLauncherFireWall" dir=in program="C:\Program Files (x86)\Forcs\OZWebLauncher\OZWebLauncher.exe" action=allow
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8 Blob
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | 1 Scripting | Valid Accounts | 2 Native API | 1 Scripting | 1 DLL Side-Loading | 211 Disable or Modify Tools | 21 Input Capture | 1 System Time Discovery | Remote Services | 11 Archive Collected Data | 2 Encrypted Channel | Exfiltration Over Other Network Medium | 1 Data Encrypted for Impact
Credentials | Domains | Default Accounts | 12 Command and Scripting Interpreter | 1 DLL Side-Loading | 1 Access Token Manipulation | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 4 File and Directory Discovery | Remote Desktop Protocol | 21 Input Capture | Junk Data | Exfiltration Over Bluetooth | 1 System Shutdown/Reboot
Email Addresses | DNS Server | Domain Accounts | At | 2 Windows Service | 2 Windows Service | 3 Obfuscated Files or Information | Security Account Manager | 47 System Information Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | 2 Registry Run Keys / Startup Folder | 12 Process Injection | 1 Install Root Certificate | NTDS | 1 Query Registry | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 2 Registry Run Keys / Startup Folder | 2 Software Packing | LSA Secrets | 51 Security Software Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 51 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 File Deletion | DCSync | 3 Process Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 23 Masquerading | Proc Filesystem | 11 Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 Modify Registry | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 51 Virtualization/Sandbox Evasion | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
Network Security Appliances | Domains | Compromise Software Dependencies and Development Tools | AppleScript | Launchd | Launchd | 1 Access Token Manipulation | Input Capture | System Network Connections Discovery | Software Deployment Tools | Remote Data Staging | Mail Protocols | Exfiltration Over Unencrypted Non-C2 Protocol | Firmware Corruption
Gather Victim Org Information | DNS Server | Compromise Software Supply Chain | Windows Command Shell | Scheduled Task | Scheduled Task | 12 Process Injection | Keylogging | Process Discovery | Taint Shared Content | Screen Capture | DNS | Exfiltration Over Physical Medium | Resource Hijacking
Determine Physical Locations | Virtual Private Server | Compromise Hardware Supply Chain | Unix Shell | Systemd Timers | Systemd Timers | 1 Regsvr32 | GUI Input Capture | Permission Groups Discovery | Replication Through Removable Media | Email Collection | Proxy | Exfiltration over USB | Network Denial of Service
[Behavior graph. ID: 1432289; Sample: OnLine_Install_Dialog_UI_SSL.exe; Start date: 26/04/2024; Architecture: WINDOWS; Score: 28]

Source | Detection | Scanner | Label | Link
OnLine_Install_Dialog_UI_SSL.exe | 0% | ReversingLabs | |
OnLine_Install_Dialog_UI_SSL.exe | 0% | Virustotal | | Browse
Source | Detection | Scanner | Label | Link
C:\Program Files (x86)\FORCS\OZWebLauncher\OZGD4D8.tmp | 0% | ReversingLabs | |
C:\Program Files (x86)\FORCS\OZWebLauncher\OZGD4D8.tmp | 0% | Virustotal | | Browse
C:\Program Files (x86)\FORCS\OZWebLauncher\OZGetUserToken.dll (copy) | 0% | ReversingLabs | |
C:\Program Files (x86)\FORCS\OZWebLauncher\OZGetUserToken.dll (copy) | 0% | Virustotal | | Browse
C:\Program Files (x86)\FORCS\OZWebLauncher\OZWD537.tmp | 0% | ReversingLabs | |
C:\Program Files (x86)\FORCS\OZWebLauncher\OZWD537.tmp | 0% | Virustotal | | Browse
C:\Program Files (x86)\FORCS\OZWebLauncher\OZWD559.tmp | 0% | ReversingLabs | |
C:\Program Files (x86)\FORCS\OZWebLauncher\OZWD559.tmp | 0% | Virustotal | | Browse
C:\Program Files (x86)\FORCS\OZWebLauncher\OZWD57A.tmp (copy) | 0% | ReversingLabs | |
C:\Program Files (x86)\FORCS\OZWebLauncher\OZWD57A.tmp (copy) | 0% | Virustotal | | Browse
C:\Program Files (x86)\FORCS\OZWebLauncher\OZWD57B.tmp | 0% | ReversingLabs | |
C:\Program Files (x86)\FORCS\OZWebLauncher\OZWD57B.tmp | 0% | Virustotal | | Browse
C:\Program Files (x86)\FORCS\OZWebLauncher\OZWD5DA.tmp | 0% | ReversingLabs | |
C:\Program Files (x86)\FORCS\OZWebLauncher\OZWD5DA.tmp | 0% | Virustotal | | Browse
C:\Program Files (x86)\FORCS\OZWebLauncher\OZWD629.tmp | 0% | ReversingLabs | |
C:\Program Files (x86)\FORCS\OZWebLauncher\OZWD629.tmp | 0% | Virustotal | | Browse
C:\Program Files (x86)\FORCS\OZWebLauncher\OZWD678.tmp | 0% | ReversingLabs | |
C:\Program Files (x86)\FORCS\OZWebLauncher\OZWD678.tmp | 0% | Virustotal | | Browse
C:\Program Files (x86)\FORCS\OZWebLauncher\OZWD6D7.tmp | 0% | ReversingLabs | |
C:\Program Files (x86)\FORCS\OZWebLauncher\OZWD6D7.tmp | 0% | Virustotal | | Browse
C:\Program Files (x86)\FORCS\OZWebLauncher\OZWLBridge.exe (copy) | 0% | ReversingLabs | |
C:\Program Files (x86)\FORCS\OZWebLauncher\OZWLBridge.exe (copy) | 0% | Virustotal | | Browse
C:\Program Files (x86)\FORCS\OZWebLauncher\OZWLBridgeForUAC.exe (copy) | 0% | ReversingLabs | |
C:\Program Files (x86)\FORCS\OZWebLauncher\OZWLBridgeForUAC.exe (copy) | 0% | Virustotal | | Browse
C:\Program Files (x86)\FORCS\OZWebLauncher\OZWLNotify.exe (copy) | 0% | ReversingLabs | |
C:\Program Files (x86)\FORCS\OZWebLauncher\OZWLNotify.exe (copy) | 0% | Virustotal | | Browse
C:\Program Files (x86)\FORCS\OZWebLauncher\OZWLService.exe (copy) | 0% | ReversingLabs | |
C:\Program Files (x86)\FORCS\OZWebLauncher\OZWLService.exe (copy) | 0% | Virustotal | | Browse
C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe (copy) | 0% | ReversingLabs | |
C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe (copy) | 0% | Virustotal | | Browse
C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe (copy) | 0% | ReversingLabs | |
C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe (copy) | 0% | Virustotal | | Browse
C:\Program Files (x86)\FORCS\OZWebLauncher\SysD707.tmp | 0% | ReversingLabs | |
C:\Program Files (x86)\FORCS\OZWebLauncher\SysD707.tmp | 0% | Virustotal | | Browse
C:\Program Files (x86)\FORCS\OZWebLauncher\System.Net.Json.dll (copy) | 0% | ReversingLabs | |
C:\Program Files (x86)\FORCS\OZWebLauncher\System.Net.Json.dll (copy) | 0% | Virustotal | | Browse
C:\Program Files (x86)\FORCS\OZWebLauncher\WebD708.tmp | 0% | ReversingLabs | |
C:\Program Files (x86)\FORCS\OZWebLauncher\WebD708.tmp | 0% | Virustotal | | Browse
C:\Program Files (x86)\FORCS\OZWebLauncher\WebSockets.dll (copy) | 0% | ReversingLabs | |
C:\Program Files (x86)\FORCS\OZWebLauncher\WebSockets.dll (copy) | 0% | Virustotal | | Browse
C:\Program Files (x86)\FORCS\OZWebLauncher\ZTUACControl.dll (copy) | 0% | ReversingLabs | |
C:\Program Files (x86)\FORCS\OZWebLauncher\ZTUACControl.dll (copy) | 0% | Virustotal | | Browse
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
http://=0x%04x.iniMS | 0% | Avira URL Cloud | safe |
http://ocsp.thawte.com0 | 0% | URL Reputation | safe |
http://ocsp.thawte.com0 | 0% | URL Reputation | safe |
http://www.tiro.com | 0% | URL Reputation | safe |
http://www.goodfont.co.kr | 0% | URL Reputation | safe |
http://www.goodfont.co.kr | 0% | URL Reputation | safe |
http://www.carterandcone.coml | 0% | URL Reputation | safe |
http://www.sajatypeworks.com | 0% | URL Reputation | safe |
http://www.typography.netD | 0% | URL Reputation | safe |
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe |
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe |
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe |
http://www.sandoll.co.kr | 0% | URL Reputation | safe |
http://www.urwpp.deDPlease | 0% | URL Reputation | safe |
http://www.founder.com.cn/cn/bThe | 0% | Avira URL Cloud | safe |
http://www.flexerasoftware.com0 | 0% | URL Reputation | safe |
http://www.sakkal.com | 0% | URL Reputation | safe |
https://.8T) | 0% | Avira URL Cloud | safe |
http://foo/bar/mainwindow.bamld | 0% | Avira URL Cloud | safe |
http://foo/bar/mainwindow.baml | 0% | Avira URL Cloud | safe |
http://www.founder.com.cn/cn/cThe | 0% | Avira URL Cloud | safe |
http://www.founder.com.cn/cn | 0% | Avira URL Cloud | safe |
http://defaultcontainer/MainWindow.xamld | 0% | Avira URL Cloud | safe |
http://foo/MainWindow.xaml | 0% | Avira URL Cloud | safe |
http://www.founder.com.cn/cn/bThe | 0% | Virustotal | | Browse
http://www.founder.com.cn/cn | 0% | Virustotal | | Browse
http://https://.././SOFTWARE | 0% | Avira URL Cloud | safe |
http://www.zhongyicts.com.cn | 0% | Avira URL Cloud | safe |
http://www.zhongyicts.com.cn | 1% | Virustotal | | Browse
http://www.founder.com.cn/cn/cThe | 0% | Virustotal | | Browse
No contacted domains info
                                          IPDomainCountryFlagASNASN NameMalicious
                                          IP
                                          127.0.0.1
                                          Joe Sandbox version:40.0.0 Tourmaline
                                          Analysis ID:1432289
                                          Start date and time:2024-04-26 19:31:05 +02:00
                                          Joe Sandbox product:CloudBasic
                                          Overall analysis duration:0h 10m 22s
                                          Hypervisor based Inspection enabled:false
                                          Report type:full
                                          Cookbook file name:default.jbs
                                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                          Number of analysed new started processes analysed:39
                                          Number of new started drivers analysed:0
                                          Number of existing processes analysed:0
                                          Number of existing drivers analysed:0
                                          Number of injected processes analysed:0
                                          Technologies:
                                          • HCA enabled
                                          • EGA enabled
                                          • AMSI enabled
                                          Analysis Mode:default
                                          Analysis stop reason:Timeout
                                          Sample name:OnLine_Install_Dialog_UI_SSL.exe
                                          Detection:SUS
                                          Classification:sus28.evad.winEXE@55/135@0/1
                                          EGA Information:
                                          • Successful, ratio: 100%
                                          HCA Information:
                                          • Successful, ratio: 83%
                                          • Number of executed functions: 73
                                          • Number of non-executed functions: 307
                                          Cookbook Comments:
                                          • Found application associated with file extension: .exe
                                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                          • Excluded IPs from analysis (whitelisted): 23.204.76.112
                                          • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, e16604.g.akamaiedge.net, ctldl.windowsupdate.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, fe3cr.delivery.mp.microsoft.com
                                          • Not all processes where analyzed, report is missing behavior information
                                          • Report creation exceeded maximum time and may have missing disassembly code information.
                                          • Report size exceeded maximum capacity and may have missing behavior information.
                                          • Report size exceeded maximum capacity and may have missing disassembly code.
                                          • Report size getting too big, too many NtOpenFile calls found.
                                          • Report size getting too big, too many NtOpenKeyEx calls found.
                                          • Report size getting too big, too many NtQueryValueKey calls found.
                                          TimeTypeDescription
                                          19:32:30API Interceptor29x Sleep call for process: SrTasks.exe modified
                                          19:32:41API Interceptor2x Sleep call for process: svchost.exe modified
                                          19:32:41API Interceptor408x Sleep call for process: OZWLService.exe modified
                                          No context
                                          Process:C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe
                                          File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):722
                                          Entropy (8bit):4.719390226150669
                                          Encrypted:false
                                          SSDEEP:12:MMHdGAVYSbSZofyegSZorIHuXZozADVZogF5ZoKFy5ZoQWtNZo3gFKZoUtmtZo3i:JdvifegivHWwADrlFHFoHPWZqoKZt+Yy
                                          MD5:63C23DF34F506DEEB643318D3C582960
                                          SHA1:DC0F0DD6622EEEE9FE77BC9CE230A1161303D290
                                          SHA-256:1D417F12D209147F21DA564B665DAED74D7A39885FC3E39C070F2348ED60FDD5
                                          SHA-512:75C11AFF3CFD14B0A9ED0519D94B7A9C51ED87D432C34AA68326D89F1212A35481270958CC7D7B57E0E183BAC0D944E5773698A5B504E9CDE23639D0B00CFC1B
                                          Malicious:false
                                          Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <system.webServer>.. <staticContent>.. <mimeMap fileExtension=".html" mimeType="text/html"/>.. <mimeMap fileExtension=".css" mimeType="text/css"/>.. <mimeMap fileExtension=".ico" mimeType="image/x-icon"/>.. <mimeMap fileExtension=".jpg" mimeType="image/jpeg"/>.. <mimeMap fileExtension=".jpeg" mimeType="image/jpeg"/>.. <mimeMap fileExtension=".bmp" mimeType="image/bmp"/>.. <mimeMap fileExtension=".png" mimeType="image/png"/>.. <mimeMap fileExtension=".js" mimeType="text/javascript"/>.. <mimeMap fileExtension=".map" mimeType="application/json"/>.. </staticContent>.. </system.webServer>..</configuration>
                                          Process:C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe
                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                          Category:dropped
                                          Size (bytes):206848
                                          Entropy (8bit):6.022048164901216
                                          Encrypted:false
                                          SSDEEP:3072:c7cP793ktqgfVR+Fe/TWVH4aI43AGjIoDoqA5o6lkZY5MGSSTp:Oa790tqgfV4Fe/EYaI2jIoDVA57KGV
                                          MD5:357FA1B4C9464FF735AF0BD5F0E14E5F
                                          SHA1:518853FBFFAEEBF28E778456CCE32C43F6179612
                                          SHA-256:2E7DFEF19D23AD36D92992EEA8BE8B2DB6653BCADFE85ED0C097C6105AD37E27
                                          SHA-512:D340D662C15FC2267105A2AE0E304BA1BBAC76496900EB60A4EFB642AF51B4F294AE5201C45F308BBB6197C2083079D21131FEF8BAC77F0862BA2CA702C75A6D
                                          Malicious:false
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 0%
                                          • Antivirus: Virustotal, Detection: 0%, Browse
                                          Process:C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe
                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                          Category:dropped
                                          Size (bytes):476448
                                          Entropy (8bit):6.03726241051135
                                          Encrypted:false
                                          SSDEEP:3072:M0uDZLiywwyyKq7Q4S8Q/9ZL7oa4JEwzpT98FW8lUJKFbRwyyKq7Q4S8QyeP0+:Uyyn7NSxMa4Jx59u6yyn7NSxyb+
                                          MD5:361BB9069EA7DA381B953A71C0413F05
                                          SHA1:3555E34946290B7CE60CCD35308B6C7B435B54AA
                                          SHA-256:C3949C5A8EFBDC551B911E99DA2B666EA03991C6BB4253FB9F233A98042798FA
                                          SHA-512:C6C1FFA185532FCC0C147269CA2C25CADFE3D1161D83270E908DB0D793736C2F6F59FC811AF83F87863406F4C62F5F2DA98A783942CB91B4C62E3DB547C3B320
                                          Malicious:false
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 0%
                                          • Antivirus: Virustotal, Detection: 0%, Browse
                                          Process:C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe
                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):1588
                                          Entropy (8bit):4.804590155346702
                                          Encrypted:false
                                          SSDEEP:24:33IK0m4V69JK14Ev+XPmhBrfyZjZvQHVvQJuvPT/ZveRDvfBPRvm:IrNVMJNq3brfy5Z4HVYcbZ2RDRRe
                                          MD5:D3E3C53FCED80EF5F250076C410C1557
                                          SHA1:569819D47532C0539E0C91D280FF224B6F2E7B94
                                          SHA-256:6FE969ADD848CA075AE04ED652C60C8CD469E6DC2D65E2F9167132886F91782E
                                          SHA-512:3958B338D207037E182C20ABD1D55BF3775EDDCDD4EF4D29D8F9060C29873A0464EE6D4513EB1CB8195C8DE6AA63E9E36CB98BD8CC567E5D38682C73B7C6C7EF
                                          Malicious:false
                                          Preview:<?xml version="1.0"?>..<configuration>..<configSections>.. <sectionGroup name="userSettings" type="System.Configuration.UserSettingsGroup, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089">.. <section name="OZWebLauncher.Properties.Settings" type="System.Configuration.ClientSettingsSection, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" allowExeDefinition="MachineToLocalUser" requirePermission="false"/>.. </sectionGroup>..</configSections>..<startup useLegacyV2RuntimeActivationPolicy="true"><supportedRuntime version="4.0" sku=".NETFramework,Version=v4.0,Profile=Client"/><supportedRuntime version="v2.0.50727" sku="Client"/></startup><userSettings>.. <OZWebLauncher.Properties.Settings>.. <setting name="WebRoot" serializeAs="String">.. <value/>.. </setting>.. <setting name="Port" serializeAs="String">.. <value>36480</value>.. </setting>..
                                          Process:C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe
                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                          Category:dropped
                                          Size (bytes):353568
                                          Entropy (8bit):6.530007636264551
                                          Encrypted:false
                                          SSDEEP:6144:J5Y73cZ5jRMQ/xYEe/5Y73cZJjRMQ/xYEXu:JS7MruVJS7MvuVt
                                          MD5:5CAF8DE84007ED7C692891788F10B025
                                          SHA1:B934FCF5516D79C0FD34B928BF388DDE8720D2FE
                                          SHA-256:8CE285ECCE01E696B6E376551819BBD45753F33F87BC4BC1BC05AEB54EC98A73
                                          SHA-512:17DACADEB9F0E85FB87EB97DD560F14C4ED07FFDFE84E10C7C62BF792EDE653D0271E33253A60C96FD1D42370B7C9540DD7FCE39E46EC92E7FF8EBC9CAB67CBE
                                          Malicious:false
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 0%
                                          • Antivirus: Virustotal, Detection: 0%, Browse
                                          Process:C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe
                                          File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):1051
                                          Entropy (8bit):5.073694420071437
                                          Encrypted:false
                                          SSDEEP:24:JdiIK0m449dK14Ev+XotXmhBrfyZFJuvf:3jrNKdNqVt2brfyHc3
                                          MD5:AE7741D3360BAE3A169991BC330E1B18
                                          SHA1:FD9156C2A2FD2082141F69D9E74C64C74B8EE3AD
                                          SHA-256:9AB1FEE63863B2C89F6CBCBC38F7D5F83F25CAF3F4DD8FFA8E6FAE98096081C8
                                          SHA-512:743E928B20E89EA71BDF2A6D7553C3459E4AA5A1D78C9741B7ED5967FC1054F3318C68E7BCBF5271C442C94BD3962C7A5644F95EE3B82504BF2A0BE98FAAD093
                                          Malicious:false
                                          Preview:.<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <configSections>.. <sectionGroup name="userSettings" type="System.Configuration.UserSettingsGroup, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" >.. <section name="OZWebLauncherUtil.Properties.Settings" type="System.Configuration.ClientSettingsSection, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" allowExeDefinition="MachineToLocalUser" requirePermission="false" />.. </sectionGroup>.. </configSections>...<startup useLegacyV2RuntimeActivationPolicy="true"><supportedRuntime version="4.0" sku=".NETFramework,Version=v4.0,Profile=Client"/><supportedRuntime version="v2.0.50727" sku="Client"/></startup>.. <userSettings>.. <OZWebLauncherUtil.Properties.Settings>.. <setting name="CertificateFile" serializeAs="String">.. <value>./forcscert.pfx</value>.. </setting>.. </OZWebLauncherUtil.Properti
                                          Process:C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe
                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                          Category:dropped
                                          Size (bytes):1872672
                                          Entropy (8bit):6.499227609867708
                                          Encrypted:false
                                          SSDEEP:49152:VdnnXPDkpRJPHZEwDWyYS88U8ZOG0mJ5RvvJhLmnPW29bjd:VFPDsJqwDWyYSjUYOGvRvrmnPW2v
                                          MD5:A89C71542148CCE54DCA80B46FEC606B
                                          SHA1:318A79983DA770C486546A20BABEC78AF5523E37
                                          SHA-256:973735C096F43B1D977C6A2FD3E64179787509A4E474866B1B82482A58E5A054
                                          SHA-512:4079C7D3450789E967AD85B7461088A8537747419E7923FC91456A541516E3D653196242D4BC8BEF4724D0BD6D709C3B8F4A0B94062C5B77B4C5583D59748675
                                          Malicious:false
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 0%
                                          • Antivirus: Virustotal, Detection: 0%, Browse
                                          Process:C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe
                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                          Category:dropped
                                          Size (bytes):1874208
                                          Entropy (8bit):6.513508665272854
                                          Encrypted:false
                                          SSDEEP:49152:G8RwWauJhl5FJj6BNYXyodS+zIlCDOJBxnYl3Sb0Sm/:GmwCJhCBodS+zI8OvlVb0S0
                                          MD5:5C92E465DBB75107D78B1D7235C10A33
                                          SHA1:AEB2A0527BD3978BC7157544FFF32B4505CFDAED
                                          SHA-256:4CB30237D3F2BAB8BB67435BA6317553868BB9A2976BD5021EA29433CB19DF56
                                          SHA-512:975D1CD0D77583AFAA6F533342B9F5C77BB6D9F4CCBEC03D9E50F868DF02A97833A24311EA3D601196C93B4BE044C0F6D088D85A29284AB8A45A569B87E47018
                                          Malicious:false
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 0%
                                          • Antivirus: Virustotal, Detection: 0%
                                          Process:C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe
                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                          Category:dropped
                                          Size (bytes):1866528
                                          Entropy (8bit):6.505084005598429
                                          Encrypted:false
                                          SSDEEP:49152:JHnJVPWMMDZz655HCfe9UH1C6K+EJ35YBlTrW:JH/WNc55HWemH1lKhJuBlTC
                                          MD5:250DDA017C3B1005AC5EC97A1E882548
                                          SHA1:14303D3BA7E5B6E222A4D46EA8761D013A13AF0A
                                          SHA-256:495695B083C3290339DBFFCB4E621E97BD570454DDC3F277A335601C925A3867
                                          SHA-512:A55D45A278CE8223C3C2352D0031B4BC0848B8B2114F843DA955CD22286C449D5700AA48CF55D107AC619143C992082CAF7E8858BB0D485EB856DB25E58C6743
                                          Malicious:false
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 0%
                                          • Antivirus: Virustotal, Detection: 0%
                                          Process:C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe
                                          File Type:PE32 executable (console) Intel 80386, for MS Windows
                                          Category:dropped
                                          Size (bytes):420640
                                          Entropy (8bit):6.327502018125821
                                          Encrypted:false
                                          SSDEEP:6144:j9vNfCn4wEaAWT0cPBzJQQeYFdnLBe6QzCWnPrpg8tBSrM:JgmWTXPBzJQQeYFdnt9QzNrtBSY
                                          MD5:3946001DADB4BABAA32C30074AD3525E
                                          SHA1:78DAA9D0E2CDEC1644A077853210B324E593D730
                                          SHA-256:4AEF64BB81CC1A290FDD579B8568B9AA353C963A55AB6BF1F032A8AC84D54020
                                          SHA-512:93EEB4B6071B2BB1627A1E4AEF8D099294C63E8E1E534D848EC9283BE85C9567E5C0CA819B92E09DFA601EFA731CCC248F0E2F0DCF2BECC695EDF8F4D0829BB2
                                          Malicious:false
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 0%
                                          • Antivirus: Virustotal, Detection: 0%
                                          Process:C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe
                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                          Category:dropped
                                          Size (bytes):1872672
                                          Entropy (8bit):6.499227609867708
                                          Encrypted:false
                                          SSDEEP:49152:VdnnXPDkpRJPHZEwDWyYS88U8ZOG0mJ5RvvJhLmnPW29bjd:VFPDsJqwDWyYSjUYOGvRvrmnPW2v
                                          MD5:A89C71542148CCE54DCA80B46FEC606B
                                          SHA1:318A79983DA770C486546A20BABEC78AF5523E37
                                          SHA-256:973735C096F43B1D977C6A2FD3E64179787509A4E474866B1B82482A58E5A054
                                          SHA-512:4079C7D3450789E967AD85B7461088A8537747419E7923FC91456A541516E3D653196242D4BC8BEF4724D0BD6D709C3B8F4A0B94062C5B77B4C5583D59748675
                                          Malicious:false
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 0%
                                          • Antivirus: Virustotal, Detection: 0%
                                          Process:C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe
                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                          Category:dropped
                                          Size (bytes):1874208
                                          Entropy (8bit):6.513508665272854
                                          Encrypted:false
                                          SSDEEP:49152:G8RwWauJhl5FJj6BNYXyodS+zIlCDOJBxnYl3Sb0Sm/:GmwCJhCBodS+zI8OvlVb0S0
                                          MD5:5C92E465DBB75107D78B1D7235C10A33
                                          SHA1:AEB2A0527BD3978BC7157544FFF32B4505CFDAED
                                          SHA-256:4CB30237D3F2BAB8BB67435BA6317553868BB9A2976BD5021EA29433CB19DF56
                                          SHA-512:975D1CD0D77583AFAA6F533342B9F5C77BB6D9F4CCBEC03D9E50F868DF02A97833A24311EA3D601196C93B4BE044C0F6D088D85A29284AB8A45A569B87E47018
                                          Malicious:false
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 0%
                                          • Antivirus: Virustotal, Detection: 0%
                                          Process:C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe
                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                          Category:dropped
                                          Size (bytes):1866528
                                          Entropy (8bit):6.505084005598429
                                          Encrypted:false
                                          SSDEEP:49152:JHnJVPWMMDZz655HCfe9UH1C6K+EJ35YBlTrW:JH/WNc55HWemH1lKhJuBlTC
                                          MD5:250DDA017C3B1005AC5EC97A1E882548
                                          SHA1:14303D3BA7E5B6E222A4D46EA8761D013A13AF0A
                                          SHA-256:495695B083C3290339DBFFCB4E621E97BD570454DDC3F277A335601C925A3867
                                          SHA-512:A55D45A278CE8223C3C2352D0031B4BC0848B8B2114F843DA955CD22286C449D5700AA48CF55D107AC619143C992082CAF7E8858BB0D485EB856DB25E58C6743
                                          Malicious:false
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 0%
                                          • Antivirus: Virustotal, Detection: 0%
                                          Process:C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe
                                          File Type:PE32 executable (console) Intel 80386, for MS Windows
                                          Category:dropped
                                          Size (bytes):420640
                                          Entropy (8bit):6.327502018125821
                                          Encrypted:false
                                          SSDEEP:6144:j9vNfCn4wEaAWT0cPBzJQQeYFdnLBe6QzCWnPrpg8tBSrM:JgmWTXPBzJQQeYFdnt9QzNrtBSY
                                          MD5:3946001DADB4BABAA32C30074AD3525E
                                          SHA1:78DAA9D0E2CDEC1644A077853210B324E593D730
                                          SHA-256:4AEF64BB81CC1A290FDD579B8568B9AA353C963A55AB6BF1F032A8AC84D54020
                                          SHA-512:93EEB4B6071B2BB1627A1E4AEF8D099294C63E8E1E534D848EC9283BE85C9567E5C0CA819B92E09DFA601EFA731CCC248F0E2F0DCF2BECC695EDF8F4D0829BB2
                                          Malicious:false
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 0%
                                          • Antivirus: Virustotal, Detection: 0%
                                          Process:C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe
                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                          Category:dropped
                                          Size (bytes):476448
                                          Entropy (8bit):6.03726241051135
                                          Encrypted:false
                                          SSDEEP:3072:M0uDZLiywwyyKq7Q4S8Q/9ZL7oa4JEwzpT98FW8lUJKFbRwyyKq7Q4S8QyeP0+:Uyyn7NSxMa4Jx59u6yyn7NSxyb+
                                          MD5:361BB9069EA7DA381B953A71C0413F05
                                          SHA1:3555E34946290B7CE60CCD35308B6C7B435B54AA
                                          SHA-256:C3949C5A8EFBDC551B911E99DA2B666EA03991C6BB4253FB9F233A98042798FA
                                          SHA-512:C6C1FFA185532FCC0C147269CA2C25CADFE3D1161D83270E908DB0D793736C2F6F59FC811AF83F87863406F4C62F5F2DA98A783942CB91B4C62E3DB547C3B320
                                          Malicious:false
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 0%
                                          • Antivirus: Virustotal, Detection: 0%
                                          Process:C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe
                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):1588
                                          Entropy (8bit):4.804590155346702
                                          Encrypted:false
                                          SSDEEP:24:33IK0m4V69JK14Ev+XPmhBrfyZjZvQHVvQJuvPT/ZveRDvfBPRvm:IrNVMJNq3brfy5Z4HVYcbZ2RDRRe
                                          MD5:D3E3C53FCED80EF5F250076C410C1557
                                          SHA1:569819D47532C0539E0C91D280FF224B6F2E7B94
                                          SHA-256:6FE969ADD848CA075AE04ED652C60C8CD469E6DC2D65E2F9167132886F91782E
                                          SHA-512:3958B338D207037E182C20ABD1D55BF3775EDDCDD4EF4D29D8F9060C29873A0464EE6D4513EB1CB8195C8DE6AA63E9E36CB98BD8CC567E5D38682C73B7C6C7EF
                                          Malicious:false
                                          Preview:<?xml version="1.0"?>..<configuration>..<configSections>.. <sectionGroup name="userSettings" type="System.Configuration.UserSettingsGroup, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089">.. <section name="OZWebLauncher.Properties.Settings" type="System.Configuration.ClientSettingsSection, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" allowExeDefinition="MachineToLocalUser" requirePermission="false"/>.. </sectionGroup>..</configSections>..<startup useLegacyV2RuntimeActivationPolicy="true"><supportedRuntime version="4.0" sku=".NETFramework,Version=v4.0,Profile=Client"/><supportedRuntime version="v2.0.50727" sku="Client"/></startup><userSettings>.. <OZWebLauncher.Properties.Settings>.. <setting name="WebRoot" serializeAs="String">.. <value/>.. </setting>.. <setting name="Port" serializeAs="String">.. <value>36480</value>.. </setting>..
                                          Process:C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe
                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                          Category:dropped
                                          Size (bytes):353568
                                          Entropy (8bit):6.530007636264551
                                          Encrypted:false
                                          SSDEEP:6144:J5Y73cZ5jRMQ/xYEe/5Y73cZJjRMQ/xYEXu:JS7MruVJS7MvuVt
                                          MD5:5CAF8DE84007ED7C692891788F10B025
                                          SHA1:B934FCF5516D79C0FD34B928BF388DDE8720D2FE
                                          SHA-256:8CE285ECCE01E696B6E376551819BBD45753F33F87BC4BC1BC05AEB54EC98A73
                                          SHA-512:17DACADEB9F0E85FB87EB97DD560F14C4ED07FFDFE84E10C7C62BF792EDE653D0271E33253A60C96FD1D42370B7C9540DD7FCE39E46EC92E7FF8EBC9CAB67CBE
                                          Malicious:false
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 0%
                                          • Antivirus: Virustotal, Detection: 0%
                                          Process:C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe
                                          File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):1051
                                          Entropy (8bit):5.073694420071437
                                          Encrypted:false
                                          SSDEEP:24:JdiIK0m449dK14Ev+XotXmhBrfyZFJuvf:3jrNKdNqVt2brfyHc3
                                          MD5:AE7741D3360BAE3A169991BC330E1B18
                                          SHA1:FD9156C2A2FD2082141F69D9E74C64C74B8EE3AD
                                          SHA-256:9AB1FEE63863B2C89F6CBCBC38F7D5F83F25CAF3F4DD8FFA8E6FAE98096081C8
                                          SHA-512:743E928B20E89EA71BDF2A6D7553C3459E4AA5A1D78C9741B7ED5967FC1054F3318C68E7BCBF5271C442C94BD3962C7A5644F95EE3B82504BF2A0BE98FAAD093
                                          Malicious:false
                                          Preview:.<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <configSections>.. <sectionGroup name="userSettings" type="System.Configuration.UserSettingsGroup, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" >.. <section name="OZWebLauncherUtil.Properties.Settings" type="System.Configuration.ClientSettingsSection, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" allowExeDefinition="MachineToLocalUser" requirePermission="false" />.. </sectionGroup>.. </configSections>...<startup useLegacyV2RuntimeActivationPolicy="true"><supportedRuntime version="4.0" sku=".NETFramework,Version=v4.0,Profile=Client"/><supportedRuntime version="v2.0.50727" sku="Client"/></startup>.. <userSettings>.. <OZWebLauncherUtil.Properties.Settings>.. <setting name="CertificateFile" serializeAs="String">.. <value>./forcscert.pfx</value>.. </setting>.. </OZWebLauncherUtil.Properti
                                          Process:C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe
                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                          Category:dropped
                                          Size (bytes):15872
                                          Entropy (8bit):5.1191108700785115
                                          Encrypted:false
                                          SSDEEP:384:N53ivQI3t3GDYY/ZfE4E0sEOWEs4t+qSffhva:v39t/xE4E0Zffhy
                                          MD5:577CBBFA3ED386BA14927655460134A3
                                          SHA1:B8C8D6792614B69431DFB378A7579CE9A776523A
                                          SHA-256:C238999EA3CAF3C490717AEF20186BB49C115A2C53057BDB202DAC5E6EA113C1
                                          SHA-512:7B5A82841A4A89A40935722C7CA45FAF12EEEFACA66D51710000492E9B588B94E88B0249B97DE04C5F985BDCF8516999ABC7F90B87F0EE68DB1483538FBB1980
                                          Malicious:false
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 0%
                                          • Antivirus: Virustotal, Detection: 0%
                                          Process:C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe
                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                          Category:dropped
                                          Size (bytes):15872
                                          Entropy (8bit):5.1191108700785115
                                          Encrypted:false
                                          SSDEEP:384:N53ivQI3t3GDYY/ZfE4E0sEOWEs4t+qSffhva:v39t/xE4E0Zffhy
                                          MD5:577CBBFA3ED386BA14927655460134A3
                                          SHA1:B8C8D6792614B69431DFB378A7579CE9A776523A
                                          SHA-256:C238999EA3CAF3C490717AEF20186BB49C115A2C53057BDB202DAC5E6EA113C1
                                          SHA-512:7B5A82841A4A89A40935722C7CA45FAF12EEEFACA66D51710000492E9B588B94E88B0249B97DE04C5F985BDCF8516999ABC7F90B87F0EE68DB1483538FBB1980
                                          Malicious:false
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 0%
                                          • Antivirus: Virustotal, Detection: 0%
                                          Process:C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe
                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                          Category:dropped
                                          Size (bytes):34816
                                          Entropy (8bit):5.371485248922323
                                          Encrypted:false
                                          SSDEEP:384:uvO/kqAwDXiRdvOsoXV6d6q8/UqYeCglSMRzwLf4hIxyHvHco1cVo3YEsd5y/abg:eOVEOsqV6dmOe72qCnfcL/5N
                                          MD5:013E4FD158439275AA32CC59E92DAD18
                                          SHA1:A969C21557D6B8F721F6489F9C51471108E759EE
                                          SHA-256:B20D017A2C95C8CD07FB020C64CE9A65360F458C347C531E114B61BD065DFA9C
                                          SHA-512:CEB6AD25E2BD413BEF8AC051D462B31A9601F75F808B929AE6B2BB812E089314874C19741DD9856B3BC75E0DC0F3667E99660E43691BD7469FB4E614B426F961
                                          Malicious:false
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 0%
                                          • Antivirus: Virustotal, Detection: 0%
                                          Process:C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe
                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                          Category:dropped
                                          Size (bytes):34816
                                          Entropy (8bit):5.371485248922323
                                          Encrypted:false
                                          SSDEEP:384:uvO/kqAwDXiRdvOsoXV6d6q8/UqYeCglSMRzwLf4hIxyHvHco1cVo3YEsd5y/abg:eOVEOsqV6dmOe72qCnfcL/5N
                                          MD5:013E4FD158439275AA32CC59E92DAD18
                                          SHA1:A969C21557D6B8F721F6489F9C51471108E759EE
                                          SHA-256:B20D017A2C95C8CD07FB020C64CE9A65360F458C347C531E114B61BD065DFA9C
                                          SHA-512:CEB6AD25E2BD413BEF8AC051D462B31A9601F75F808B929AE6B2BB812E089314874C19741DD9856B3BC75E0DC0F3667E99660E43691BD7469FB4E614B426F961
                                          Malicious:false
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 0%
                                          • Antivirus: Virustotal, Detection: 0%, Browse
                                          Process:C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe
                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                          Category:dropped
                                          Size (bytes):179752
                                          Entropy (8bit):6.5246371305408655
                                          Encrypted:false
                                          SSDEEP:3072:I+vSg4CdMtb4L61vPfqhnFJbqJZw2/q5R+5p0x5xNMRVK72Xx0t:Z4Cm14L6+nFgw2C5xx5xNMKqut
                                          MD5:642B14AEA1E552D4EA7CE8C6A7A25817
                                          SHA1:47C57C92D5EE6230407236F9412647A74828AC80
                                          SHA-256:6E912ECEDD220AF7A16A7AB7009CABA264845B0165DABBA36EFC53CB4611C844
                                          SHA-512:3B043777DB1D47FFD47ED276C3E6F834F3DF1DB4993FE2E150A57C76716E1EC7C7421FACBDEC6D27362D9729AA3A125D33D454D91D5E311DE9787E7A95FD8C5A
                                          Malicious:false
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 0%
                                          • Antivirus: Virustotal, Detection: 0%, Browse
                                          Process:C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe
                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                          Category:dropped
                                          Size (bytes):179752
                                          Entropy (8bit):6.5246371305408655
                                          Encrypted:false
                                          SSDEEP:3072:I+vSg4CdMtb4L61vPfqhnFJbqJZw2/q5R+5p0x5xNMRVK72Xx0t:Z4Cm14L6+nFgw2C5xx5xNMKqut
                                          MD5:642B14AEA1E552D4EA7CE8C6A7A25817
                                          SHA1:47C57C92D5EE6230407236F9412647A74828AC80
                                          SHA-256:6E912ECEDD220AF7A16A7AB7009CABA264845B0165DABBA36EFC53CB4611C844
                                          SHA-512:3B043777DB1D47FFD47ED276C3E6F834F3DF1DB4993FE2E150A57C76716E1EC7C7421FACBDEC6D27362D9729AA3A125D33D454D91D5E311DE9787E7A95FD8C5A
                                          Malicious:false
                                          Process:C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe
                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                          Category:dropped
                                          Size (bytes):1354752
                                          Entropy (8bit):4.88063015543188
                                          Encrypted:false
                                          SSDEEP:12288:MUeIyTSEGRfC1qOvIJlPBrdbKOPQFn44gU6thi/dBTTb:9gSFC1IJLpbJan44f6thi1pb
                                          MD5:15A43DE9F4337BB4755492C02271B8A3
                                          SHA1:44AA0979B8A53FA34BD2F6A2DFD819D8AB60FE26
                                          SHA-256:8DC4DB4C9770DCE55D6AD31A44D1F1FD8D4FD4973D9EC56198460EFDCDE78F6A
                                          SHA-512:6797F76D19DDF5CEC0FB0A323DF54B77469AF6410806536943E5F46B99EC3D07804E697CCCD3FA214A63D9520999E028F2E84F5337B2F0F10B6FBD8751CED158
                                          Malicious:false
                                          Process:C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):2525
                                          Entropy (8bit):7.877242658605607
                                          Encrypted:false
                                          SSDEEP:48:epNl7fP6LXmZUq27GsqsRFi96NvLW77XlzN9LtHC7kyJ225flhuGeQ16:e/l76LWZh27GsVjJN6RLtHTyJ2sflXb6
                                          MD5:E978F5756F1E2568A0B717884C73C6D9
                                          SHA1:6D85E5AB732A0A392563903238DFD1D647C03D35
                                          SHA-256:FD54581E063ADA68E1A1F34497D2D83ECC6F9263427B9768471C823E063788D7
                                          SHA-512:7B211B45066615C4D69EF6C6DCA2A774B586249DB095593F5D5AB7725A0927174CE3119192A99EDC23F9B5AD957DA638A4D71CB1B0C543F55E5D6758158BC8EA
                                          Malicious:false
                                          Process:C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe
                                          File Type:ASCII text, with no line terminators
                                          Category:dropped
                                          Size (bytes):48
                                          Entropy (8bit):4.204448698502606
                                          Encrypted:false
                                          SSDEEP:3:iDVHAe+WA6nWZmrXpn:iDVHAe+WfWErZn
                                          MD5:4350D5130EB65AFDEEDDA296B703974E
                                          SHA1:C611C56D2F61E834B601539E96C144B6D1B3B8D9
                                          SHA-256:DE1C8D23BAE11503F84C7C02084D114C311773AE6FE9A30977ADB80E3F9C0582
                                          SHA-512:087EFD219B2987A681941EBA4198F480840F34DCB8F452451CC414DB2293A2E82EA0A44DF3D4B2EE2816BB6F89208A4F6D206B56FC1A53D7D6D6E8F39F0224A8
                                          Malicious:false
                                          Preview:pref("security.enterprise_roots.enabled", true);
                                          Process:C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe
                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                          Category:dropped
                                          Size (bytes):368640
                                          Entropy (8bit):6.090920194850937
                                          Encrypted:false
                                          SSDEEP:6144:RIWz5kQUcH718pq6VU0xv8HAbJq1Hr0flZ4VKLj7PI6b:RIWWQ1HR806VU0xvsANCLO71jF
                                          MD5:BF017B9C106F16B2985D50470248D691
                                          SHA1:1DFA6AB691BD6D07EF8B72F083163CEF7C006512
                                          SHA-256:03C9DF65A3F53A5BE9E59F5E6324325ED3E24855E3E82FCDBBF469A3A86C443A
                                          SHA-512:93A4B66CC86E05C566572D29DFB7B09A99F5C4C863A8202BBA40A7C745B8141935E7A2434E7BADF05178BC7CE26755AEE7CD23A1FB6E68F060946117069A3C9C
                                          Malicious:false
                                          Process:C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe
                                          File Type:Unicode text, UTF-16, little-endian text, with very long lines (308), with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):22490
                                          Entropy (8bit):3.484827950705229
                                          Encrypted:false
                                          SSDEEP:384:CTmyuV//BiTbh/Y4AwC2WrP2DBWa/Oa0Mhs+XVgv:CT6V//BiXh/N/lWr0aa0Mhs+XVgv
                                          MD5:8586214463BD73E1C2716113E5BD3E13
                                          SHA1:F02E3A76FD177964A846D4AA0A23F738178DB2BE
                                          SHA-256:089D3068E42958DD2C0AEC668E5B7E57B7584ACA5C77132B1BCBE3A1DA33EF54
                                          SHA-512:309200F38D0E29C9AAA99BB6D95F4347F8A8C320EB65742E7C539246AD9B759608BD5151D1C5D1D05888979DAA38F2B6C3BF492588B212B583B8ADBE81FA161B
                                          Malicious:false
                                          Preview:[0x0409] 1100=Setup Initialization Error 1101=%s 1102=%1 Setup is preparing the %2, which will guide you through the program setup process.  Please wait. 1103=Checking Operating System Version 1104=Checking Windows(R) Installer Version 1105=Configuring Windows Installer 1106=Configuring %s 1107=Setup has completed configuring the Windows Installer on your system. The system needs to be restarted in order to continue with the installation. Please click Restart to reboot the system. 1108
                                          Process:C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe
                                          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):14958
                                          Entropy (8bit):5.199600266556664
                                          Encrypted:false
                                          SSDEEP:384:DKeEbO3nlKcDUK21OxgCvk3aV4ls8Gb8YVyl:DKtbO3lKcoK21OxgCl7Fyl
                                          MD5:831FE6D667B6F53826290536C987FE2B
                                          SHA1:71A6552DCD68C8606933F80B770736C5E8EDBDDF
                                          SHA-256:9E6D74A5CD777C12767959CD684A5A277930FC6FB109A0641E8D65570A7422D2
                                          SHA-512:9382F8BFE268167756A5D17D84CFD176C66F749BB13DE8369BB5F7697D6101DF08F01F188E9A0C3E465B1807B14251238467E358755C9C37958BBA4EF239945F
                                          Malicious:false
                                          Process:C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe
                                          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):14126
                                          Entropy (8bit):5.413031845668093
                                          Encrypted:false
                                          SSDEEP:192:NtPl0V894Pp/WwJTqSuQusVG5qyKBUxVzliQZWNtgHmYgHgsNSbiE/VRauG:+G94xOwJTqSuQB7VNtc3OS3VUV
                                          MD5:73E70A6B9354E80237C8E2B3170830A0
                                          SHA1:B4C8777CE9C2D2FFF4C0C914825CBE698FEAADAF
                                          SHA-256:316577CF74D3545D632B0DE55513A3511D654849655157CB84821B871EC081E9
                                          SHA-512:F15E736E7C0B55437B39869A0BBCE15D5365F04C70BE23FC373D83CE0E99E0A806244C1C44CD298DC4970D20AF6CB1198A9D84749F5D5AC02162C261B1460ED7
                                          Malicious:false
                                          Process:C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe
                                          File Type:Unicode text, UTF-16, little-endian text, with very long lines (308), with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):22490
                                          Entropy (8bit):3.484827950705229
                                          Encrypted:false
                                          SSDEEP:384:CTmyuV//BiTbh/Y4AwC2WrP2DBWa/Oa0Mhs+XVgv:CT6V//BiXh/N/lWr0aa0Mhs+XVgv
                                          MD5:8586214463BD73E1C2716113E5BD3E13
                                          SHA1:F02E3A76FD177964A846D4AA0A23F738178DB2BE
                                          SHA-256:089D3068E42958DD2C0AEC668E5B7E57B7584ACA5C77132B1BCBE3A1DA33EF54
                                          SHA-512:309200F38D0E29C9AAA99BB6D95F4347F8A8C320EB65742E7C539246AD9B759608BD5151D1C5D1D05888979DAA38F2B6C3BF492588B212B583B8ADBE81FA161B
                                          Malicious:false
                                          Preview:..[.0.x.0.4.0.9.].....1.1.0.0.=.S.e.t.u.p. .I.n.i.t.i.a.l.i.z.a.t.i.o.n. .E.r.r.o.r.....1.1.0.1.=.%.s.....1.1.0.2.=.%.1. .S.e.t.u.p. .i.s. .p.r.e.p.a.r.i.n.g. .t.h.e. .%.2.,. .w.h.i.c.h. .w.i.l.l. .g.u.i.d.e. .y.o.u. .t.h.r.o.u.g.h. .t.h.e. .p.r.o.g.r.a.m. .s.e.t.u.p. .p.r.o.c.e.s.s... . .P.l.e.a.s.e. .w.a.i.t.......1.1.0.3.=.C.h.e.c.k.i.n.g. .O.p.e.r.a.t.i.n.g. .S.y.s.t.e.m. .V.e.r.s.i.o.n.....1.1.0.4.=.C.h.e.c.k.i.n.g. .W.i.n.d.o.w.s.(.R.). .I.n.s.t.a.l.l.e.r. .V.e.r.s.i.o.n.....1.1.0.5.=.C.o.n.f.i.g.u.r.i.n.g. .W.i.n.d.o.w.s. .I.n.s.t.a.l.l.e.r.....1.1.0.6.=.C.o.n.f.i.g.u.r.i.n.g. .%.s.....1.1.0.7.=.S.e.t.u.p. .h.a.s. .c.o.m.p.l.e.t.e.d. .c.o.n.f.i.g.u.r.i.n.g. .t.h.e. .W.i.n.d.o.w.s. .I.n.s.t.a.l.l.e.r. .o.n. .y.o.u.r. .s.y.s.t.e.m... .T.h.e. .s.y.s.t.e.m. .n.e.e.d.s. .t.o. .b.e. .r.e.s.t.a.r.t.e.d. .i.n. .o.r.d.e.r. .t.o. .c.o.n.t.i.n.u.e. .w.i.t.h. .t.h.e. .i.n.s.t.a.l.l.a.t.i.o.n... .P.l.e.a.s.e. .c.l.i.c.k. .R.e.s.t.a.r.t. .t.o. .r.e.b.o.o.t. .t.h.e. .s.y.s.t.e.m.......1.1.0.8.
                                          Process:C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe
                                          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):14958
                                          Entropy (8bit):5.199600266556664
                                          Encrypted:false
                                          SSDEEP:384:DKeEbO3nlKcDUK21OxgCvk3aV4ls8Gb8YVyl:DKtbO3lKcoK21OxgCl7Fyl
                                          MD5:831FE6D667B6F53826290536C987FE2B
                                          SHA1:71A6552DCD68C8606933F80B770736C5E8EDBDDF
                                          SHA-256:9E6D74A5CD777C12767959CD684A5A277930FC6FB109A0641E8D65570A7422D2
                                          SHA-512:9382F8BFE268167756A5D17D84CFD176C66F749BB13DE8369BB5F7697D6101DF08F01F188E9A0C3E465B1807B14251238467E358755C9C37958BBA4EF239945F
                                          Malicious:false
                                          Process:C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe
                                          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):14126
                                          Entropy (8bit):5.413031845668093
                                          Encrypted:false
                                          SSDEEP:192:NtPl0V894Pp/WwJTqSuQusVG5qyKBUxVzliQZWNtgHmYgHgsNSbiE/VRauG:+G94xOwJTqSuQB7VNtc3OS3VUV
                                          MD5:73E70A6B9354E80237C8E2B3170830A0
                                          SHA1:B4C8777CE9C2D2FFF4C0C914825CBE698FEAADAF
                                          SHA-256:316577CF74D3545D632B0DE55513A3511D654849655157CB84821B871EC081E9
                                          SHA-512:F15E736E7C0B55437B39869A0BBCE15D5365F04C70BE23FC373D83CE0E99E0A806244C1C44CD298DC4970D20AF6CB1198A9D84749F5D5AC02162C261B1460ED7
                                          Malicious:false
                                          Process:C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe
                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, PECompact2 compressed
                                          Category:dropped
                                          Size (bytes):800256
                                          Entropy (8bit):7.772746681961582
                                          Encrypted:false
                                          SSDEEP:12288:mIGz7ovgUHjhKtYCdP2q4/8mnL2YCTdSxZa65jcttUO+UC1nHZ:mIGz8IUDP0OqGL2YCsxZa6RuUO+UCd5
                                          MD5:40FEFC3D907D44A9ADC84475AB073A6E
                                          SHA1:4CBEA84B4784ACB795E3891B5ED60B25809DB762
                                          SHA-256:C51699CBF0B433C4F7B687C8520192AD5EA519214BFDE6732453FF194BC2FFD9
                                          SHA-512:F6D64FDF76EA8E5725451B50A2A49042A3DBB66A68BA787BA742EB202345E298317257740E11C8C8BA0E217059DE991A10FF0DC95F83B8F820BB248AF71E9229
                                          Malicious:false
                                          Process:C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe
                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, PECompact2 compressed
                                          Category:dropped
                                          Size (bytes):800256
                                          Entropy (8bit):7.772746681961582
                                          Encrypted:false
                                          SSDEEP:12288:mIGz7ovgUHjhKtYCdP2q4/8mnL2YCTdSxZa65jcttUO+UC1nHZ:mIGz8IUDP0OqGL2YCsxZa6RuUO+UCd5
                                          MD5:40FEFC3D907D44A9ADC84475AB073A6E
                                          SHA1:4CBEA84B4784ACB795E3891B5ED60B25809DB762
                                          SHA-256:C51699CBF0B433C4F7B687C8520192AD5EA519214BFDE6732453FF194BC2FFD9
                                          SHA-512:F6D64FDF76EA8E5725451B50A2A49042A3DBB66A68BA787BA742EB202345E298317257740E11C8C8BA0E217059DE991A10FF0DC95F83B8F820BB248AF71E9229
                                          Malicious:false
                                          Process:C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe
                                          File Type:InstallShield CAB
                                          Category:dropped
                                          Size (bytes):26054
                                          Entropy (8bit):3.5887655093558037
                                          Encrypted:false
                                          SSDEEP:768:wUaIZIO6SaJvFm5g5Sp8X7/e9lK71HAaAzRP/IFWK4qqTzRPNL:Y3HAaAzRP/IFWK4qCRPNL
                                          MD5:EB7583FCD1066946983E3532F111418D
                                          SHA1:9010F83B20F622226772FD96F70FEC33BEF8BBAA
                                          SHA-256:390F9E1A0F95721B3C00916E82EA0156A397B381297086D6BBB0F2319EB47439
                                          SHA-512:EF0442CDE8E37E2A1EDC244189B2A0B0575E0D56A93D3EE832B12B7830170CCA2851A296664CB4FFD3AA7B690A2638D457785EEA1A5D596E52A09CEDBD0AA7C6
                                          Malicious:false
                                          Process:C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe
                                          File Type:InstallShield CAB
                                          Category:dropped
                                          Size (bytes):4034074
                                          Entropy (8bit):7.998927656036685
                                          Encrypted:true
                                          SSDEEP:98304:IpkIARx9gcDm9rf10AXmqOQTTUHiKkXilTyL:IpkqskjW4J3vKkSVyL
                                          MD5:EE044475CA78405A346689689249AD84
                                          SHA1:9AD777A46032CA285933B7655E0CEB0C97176C71
                                          SHA-256:30E681C1F70FB6583E802409988AB08969E3003BA022894202B2557324AB4E46
                                          SHA-512:C7EBABEE44F54562E826ED78AA9DD0BBFA5255B72426E6D42284C17339F6DBF4C7B4D3F3200C8C13A01A5A28B9EFC84372D1C55629C663358C9A8CEEAC8CD0E3
                                          Malicious:false
                                          Process:C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe
                                          File Type:InstallShield CAB
                                          Category:dropped
                                          Size (bytes):4034074
                                          Entropy (8bit):7.998927656036685
                                          Encrypted:true
                                          SSDEEP:98304:IpkIARx9gcDm9rf10AXmqOQTTUHiKkXilTyL:IpkqskjW4J3vKkSVyL
                                          MD5:EE044475CA78405A346689689249AD84
                                          SHA1:9AD777A46032CA285933B7655E0CEB0C97176C71
                                          SHA-256:30E681C1F70FB6583E802409988AB08969E3003BA022894202B2557324AB4E46
                                          SHA-512:C7EBABEE44F54562E826ED78AA9DD0BBFA5255B72426E6D42284C17339F6DBF4C7B4D3F3200C8C13A01A5A28B9EFC84372D1C55629C663358C9A8CEEAC8CD0E3
                                          Malicious:false
                                          Process:C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe
                                          File Type:InstallShield CAB
                                          Category:dropped
                                          Size (bytes):26054
                                          Entropy (8bit):3.5887655093558037
                                          Encrypted:false
                                          SSDEEP:768:wUaIZIO6SaJvFm5g5Sp8X7/e9lK71HAaAzRP/IFWK4qqTzRPNL:Y3HAaAzRP/IFWK4qCRPNL
                                          MD5:EB7583FCD1066946983E3532F111418D
                                          SHA1:9010F83B20F622226772FD96F70FEC33BEF8BBAA
                                          SHA-256:390F9E1A0F95721B3C00916E82EA0156A397B381297086D6BBB0F2319EB47439
                                          SHA-512:EF0442CDE8E37E2A1EDC244189B2A0B0575E0D56A93D3EE832B12B7830170CCA2851A296664CB4FFD3AA7B690A2638D457785EEA1A5D596E52A09CEDBD0AA7C6
                                          Malicious:false
                                          Process:C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):610
                                          Entropy (8bit):2.0528353271086552
                                          Encrypted:false
                                          SSDEEP:6:oMaqUlfKDjO2CzCnXl87clRJDWLNglETl127W7Jtn:o5flfcO2wkpl/yBTj
                                          MD5:3719C98DE521D5B4DAE628BEC7C80134
                                          SHA1:D5465002E5F91E8000292F88C0C1C81B5DDD3910
                                          SHA-256:1759489A4DE0EFE993A55E064B3E7BBDE359D193EF6C1F1C06B863DE15B1CF62
                                          SHA-512:92D2B9FBC84CDF7B2C7855470433691C4EBB38544995B532C3D327A48BCBF908831A865BAB143A85FAFE198A6BD4F8A3F8A835EFCD92D7FFCCB3CF26FBA0C60F
                                          Malicious:false
                                          Process:C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):610
                                          Entropy (8bit):2.0528353271086552
                                          Encrypted:false
                                          SSDEEP:6:oMaqUlfKDjO2CzCnXl87clRJDWLNglETl127W7Jtn:o5flfcO2wkpl/yBTj
                                          MD5:3719C98DE521D5B4DAE628BEC7C80134
                                          SHA1:D5465002E5F91E8000292F88C0C1C81B5DDD3910
                                          SHA-256:1759489A4DE0EFE993A55E064B3E7BBDE359D193EF6C1F1C06B863DE15B1CF62
                                          SHA-512:92D2B9FBC84CDF7B2C7855470433691C4EBB38544995B532C3D327A48BCBF908831A865BAB143A85FAFE198A6BD4F8A3F8A835EFCD92D7FFCCB3CF26FBA0C60F
                                          Malicious:false
                                          Process:C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe
                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                          Category:dropped
                                          Size (bytes):1193984
                                          Entropy (8bit):6.684414940299207
                                          Encrypted:false
                                          SSDEEP:24576:eGjk6PMUtgtIKIch5+915zApy/MrllllVrGifVyCWgA:fjk6PMUtgtJphMDw3llllVrGSVId
                                          MD5:1B3150F66F03B0DA4EFCCDD9F079E5F7
                                          SHA1:D8E6C6B36E026BF2AC5DEEF22EB62C0D5BAD793D
                                          SHA-256:77648A3E8566D3E5B15BFACBEB72843679EAECDF03406317474B9A7F22EF5500
                                          SHA-512:76004C1F0B0C0C6526D9C88F501D0AE7743BB165CD9B5D95FB9173A44669FC1FE3D89CC40C258BC5A635666BD4EE79F315F4E41785F43F8F6222130E705B4ADA
                                          Malicious:false
                                          Process:C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):255186
                                          Entropy (8bit):7.384273267559334
                                          Encrypted:false
                                          SSDEEP:3072:jIvdrk/YBXdCyfKjgqjWNlZNvlac9s4HfWsO0L1SuA90mG/EJKtglG5QZ6vSDMSh:jIOYxdC98ZZ7L1SuA93bItscabFB5EY7
                                          MD5:FA701C7DAAC8CA35B83BA40529B7D776
                                          SHA1:98C6298261F6E74F0EB29861C2D408D5B0048161
                                          SHA-256:B944AF37E91CCD737A358D15B66D41D23B7CF2B95E207090D3608C727C953803
                                          SHA-512:A5EB1CE77299D78F50FA94CC151CA57E902872C5B1CADD06772167A8C7EFCE82F8CB2952FE8C88EBEC9A560035FE2003E10CEE24A7696C6AF02F177987522430
                                          Malicious:false
                                          Process:C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe
                                          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):2372
                                          Entropy (8bit):3.68017858480026
                                          Encrypted:false
                                          SSDEEP:48:rsAMqxWt3KZcPTmsVu/+S8gvn6CJkkY09TzcqYtxkYOvl5ZAMXvrcOyb0pn:rsAMqQOcrzqrvnp6kY05w7tCYOvlnAMn
                                          MD5:9D52A282131FF272712BD5BA4B800EC1
                                          SHA1:4E078174EA404C55C2D66BA989700D3F9072E98F
                                          SHA-256:9BF8191859390A998D26F7DB3CEF636C13A3EA152848071C118252AC73CACF1E
                                          SHA-512:7955AE14380CA84C605F3ADEB7A9805D97BD2A6E1A6A8219D9F629EE37392034095B6176D5960017FF11A9170D60434678EF343E0AE78D5A87E0511C37896984
                                          Malicious:false
                                          Preview:[Startup] Product=OZWebLauncher ProductGUID=E57AA2E7-1A7E-47FB-B362-ED04768595E6 CompanyName=FORCS Co.,LTD. ErrorReportURL=http://www.installshield.com/isetup/ProErrorCentral.asp?ErrorCode=%d : 0x%x&ErrorInfo=%s MediaFormat=1 LogMode=1 SmallProgress=Y SplashTime= CheckMD5=Y CmdLine= ShowPasswordDialog=N ScriptDriven=4 [Languages] Default=0x0409 Supported=0x0409,0x0411,0x0412 RequireExactLangMatch=0x0404,0x0804 RTLLangs=0x0401,0x040d [0x0409] 0x0409=English (United States)
                                          Process:C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe
                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                          Category:dropped
                                          Size (bytes):1193984
                                          Entropy (8bit):6.684414940299207
                                          Encrypted:false
                                          SSDEEP:24576:eGjk6PMUtgtIKIch5+915zApy/MrllllVrGifVyCWgA:fjk6PMUtgtJphMDw3llllVrGSVId
                                          MD5:1B3150F66F03B0DA4EFCCDD9F079E5F7
                                          SHA1:D8E6C6B36E026BF2AC5DEEF22EB62C0D5BAD793D
                                          SHA-256:77648A3E8566D3E5B15BFACBEB72843679EAECDF03406317474B9A7F22EF5500
                                          SHA-512:76004C1F0B0C0C6526D9C88F501D0AE7743BB165CD9B5D95FB9173A44669FC1FE3D89CC40C258BC5A635666BD4EE79F315F4E41785F43F8F6222130E705B4ADA
                                          Malicious:false
                                          Process:C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe
                                          File Type:Composite Document File V2 Document, Cannot read section info
                                          Category:dropped
                                          Size (bytes):242176
                                          Entropy (8bit):2.8398090315048803
                                          Encrypted:false
                                          SSDEEP:3072:sFaUPDJ5QWxnQ41m/bix/4pp46Jk9Wk3SbixzyWpC74resXq4CE4Hix6Q484d7cQ:oa
                                          MD5:5A9526FE953E292780883A5A160EF703
                                          SHA1:50535ABD0C027D5E7858993EA73B0AC4D0D52A1B
                                          SHA-256:7589D44FDD4A86FA00C0E3C3A04070546D3708E6D77A3B0B2291EE1CBE5CBE11
                                          SHA-512:C441FE247790BDB015AAE348B0362007C39924BF296AA61D659DBEFA9AC51FABA0DAF87C2644D8FC6BB513A7440690FD67327F6AD46A85393AA33B5EC8FCEFB8
                                          Malicious:false
                                          Process:C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe
                                          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):2520
                                          Entropy (8bit):3.7074004116008505
                                          Encrypted:false
                                          SSDEEP:48:rsAMqxWt3KZcPTcxWtUOmsVu/+S8gvn6CJkkY09TzcqYtxkYOvl5ZAMXvrcOyb0p:rsAMqQOcwQOOzqrvnp6kY05w7tCYOvlR
                                          MD5:23B64C0D9619BFE572DF99BC024E5D4C
                                          SHA1:6C0B09D4E3412B7D049A8531225FEE07B7729BDA
                                          SHA-256:3E5732705995BA17DD0C5FF5AF8CFCD045448983A829B5B75BFA630E1D18911F
                                          SHA-512:C3563747E50258A63705243E9C594410B62906EA3EB7FFA4EB470FBC842DA1EF9D3093A8A14151BCBCDA3B43A594E188F624475FFD50DA690F547A77DFADBBF9
                                          Malicious:false
                                          Preview:[Startup] Product=OZWebLauncher ProductGUID=E57AA2E7-1A7E-47FB-B362-ED04768595E6 CompanyName=FORCS Co.,LTD. ErrorReportURL=http://www.installshield.com/isetup/ProErrorCentral.asp?ErrorCode=%d : 0x%x&ErrorInfo=%s MediaFormat=1 LogMode=1 SmallProgress=Y SplashTime= CheckMD5=Y CmdLine= ShowPasswordDialog=N ScriptDriven=4 Source=0 AllUsers=1 InstallGuid={E57AA2E7-1A7E-47FB-B362-ED04768595E6} [Languages] Default=0x0409 Supported=0x0409,0x0411,0x0412 RequireExactLangMatch=0x0404,
                                          Process:C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):255186
                                          Entropy (8bit):7.384273267559334
                                          Encrypted:false
                                          SSDEEP:3072:jIvdrk/YBXdCyfKjgqjWNlZNvlac9s4HfWsO0L1SuA90mG/EJKtglG5QZ6vSDMSh:jIOYxdC98ZZ7L1SuA93bItscabFB5EY7
                                          MD5:FA701C7DAAC8CA35B83BA40529B7D776
                                          SHA1:98C6298261F6E74F0EB29861C2D408D5B0048161
                                          SHA-256:B944AF37E91CCD737A358D15B66D41D23B7CF2B95E207090D3608C727C953803
                                          SHA-512:A5EB1CE77299D78F50FA94CC151CA57E902872C5B1CADD06772167A8C7EFCE82F8CB2952FE8C88EBEC9A560035FE2003E10CEE24A7696C6AF02F177987522430
                                          Malicious:false
                                          Process:C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe
                                          File Type:ASCII text, with no line terminators
                                          Category:modified
                                          Size (bytes):48
                                          Entropy (8bit):4.204448698502606
                                          Encrypted:false
                                          SSDEEP:3:iDVHAe+WA6nWZmrXpn:iDVHAe+WfWErZn
                                          MD5:4350D5130EB65AFDEEDDA296B703974E
                                          SHA1:C611C56D2F61E834B601539E96C144B6D1B3B8D9
                                          SHA-256:DE1C8D23BAE11503F84C7C02084D114C311773AE6FE9A30977ADB80E3F9C0582
                                          SHA-512:087EFD219B2987A681941EBA4198F480840F34DCB8F452451CC414DB2293A2E82EA0A44DF3D4B2EE2816BB6F89208A4F6D206B56FC1A53D7D6D6E8F39F0224A8
                                          Malicious:false
                                          Preview:pref("security.enterprise_roots.enabled", true);
                                          Process:C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe
                                          File Type:ASCII text, with no line terminators
                                          Category:dropped
                                          Size (bytes):48
                                          Entropy (8bit):4.204448698502606
                                          Encrypted:false
                                          SSDEEP:3:iDVHAe+WA6nWZmrXpn:iDVHAe+WfWErZn
                                          MD5:4350D5130EB65AFDEEDDA296B703974E
                                          SHA1:C611C56D2F61E834B601539E96C144B6D1B3B8D9
                                          SHA-256:DE1C8D23BAE11503F84C7C02084D114C311773AE6FE9A30977ADB80E3F9C0582
                                          SHA-512:087EFD219B2987A681941EBA4198F480840F34DCB8F452451CC414DB2293A2E82EA0A44DF3D4B2EE2816BB6F89208A4F6D206B56FC1A53D7D6D6E8F39F0224A8
                                          Malicious:false
                                          Preview:pref("security.enterprise_roots.enabled", true);
                                          Process:C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):2251
                                          Entropy (8bit):7.635888092284755
                                          Encrypted:false
                                          SSDEEP:48:/aqwNEtsUShdQlAP/Cev8YzM5zpyXiXCufepBe9VS15Y36:/hvWoK1v8YzMXxyufm0f6
                                          MD5:B3BB87E2CF78465FC3A99FB48D76B24C
                                          SHA1:9AAB15D611CC6C9C3C4536EB1A153362BE5C7BCF
                                          SHA-256:9F749E6F827E336ADDE6E4954D9F1D73579D0E89CA8B69802C04F5CA90F87FF3
                                          SHA-512:26E89DDADE99BB8FE8AF339868D96C28AC3AAFB95CA70A1B24149D5292C2886AA9CA87C24D42D7840A539062344BF077B7103722DEC8E880577D7C1C20B5BFEC
                                          Malicious:false
                                          Preview:........'...............P...............{C1213E71-A338-40FD-882B-141989BFC5E6}.....................RSA1................s.....MH^.7$.7...l.....q =(.....L..a.......ujh..q.n.a.....W..V..a!&QI..,/.K.....X.1.8T..q..1~)......VC1i.O..f.X....Fj...z......[.0.... ..li.....D....".d#..q....1......2.@G..'7..`..Ko..JX.~>t.5.zG..=..,..8...?....&....f...uU..........@p.h.3.....................z..O.......Z..QD..C..$.....,...C.r.y.p.t.o.A.P.I. .P.r.i.v.a.t.e. .K.e.y....f...... ....../..y0..{/....)..../..H.Y.............. ...D%l...t.bXZ..o......E.....ZP...-........u/..)...a...'jl.w$..k<.V....).^f......C@...v..})....0_JH.j<..V%...'...{..R.#.. ....H.U.E..V.........W.......\...^.I..l(...._......^.H.D.D9.......3MW...9{jEI..`Z.).u........P^h.V.;.!...>........Q......,\..Ak.....FBD....^..2..?.^.Z......z_.[.......4.._.2....ik..(.z?..<.Z.[.B.G......9h.l..=Y..{...}...>$E.C.*...h....>.t.zK..W..}...1.j..].....1\....%7k..B!.)4h{..k..mIU..dk....h!..^.A..f. ....
                                          Process:C:\Windows\System32\svchost.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):1310720
                                          Entropy (8bit):1.3073671214186275
                                          Encrypted:false
                                          SSDEEP:3072:5JCnRjDxImmaooCEYhlOe2Pp4mH45l6MFXDaFXpVv1L0Inc4lfEnogVsiJKrvrE:KooCEYhgYEL0In
                                          MD5:A48BC1194E22C6E773B814B0B6CC87B4
                                          SHA1:4986AB5E7310047AC9796FC1DCD12DD497581F90
                                          SHA-256:02ABBF8021757ABC6975A077D2310B12AB95249B6EF9343D35A2B89008618BDB
                                          SHA-512:E0E3F6F15AA429DD8BD4C17A3CC785602B23118DE738941472115D15CF128DCDAA7BF4827712E8C2FDE4D361CEB134C6F5C7745393AF2E53F10B46974D6A2030
                                          Malicious:false
                                          Preview:z3..........@..@.;...{..................<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@..........................................#.................................................................................................................................................................................................................................................................................................................................................
                                          Process:C:\Windows\System32\svchost.exe
                                          File Type:Extensible storage engine DataBase, version 0x620, checksum 0xc2e66c4a, page size 16384, DirtyShutdown, Windows version 10.0
                                          Category:dropped
                                          Size (bytes):1310720
                                          Entropy (8bit):0.4221391919729354
                                          Encrypted:false
                                          SSDEEP:1536:pSB2ESB2SSjlK/dvmdMrSU0OrsJzvdYkr3g16T2UPkLk+kTX/Iw4KKCzAkUk1kI6:paza/vMUM2Uvz7DO
                                          MD5:4CF7DE9D15FF8E64F3435381B494A218
                                          SHA1:BB655ED5F6E758F53D2A9F867A28A34D6A781D44
                                          SHA-256:1B3338B6B0C5CC691C7A0AA83189DA773592E5DADCD68BDC892D1B108180BB97
                                          SHA-512:246EA0F4EFE5A5B014870E37E27D57C1773A16E1666A1A1BC9A95D9FD2AEF99C9AD819BC4BED3ECD655C7F006F0BF0CB6D19CB0E4E45C3A1853EE35BF8110C6D
                                          Malicious:false
                                          Process:C:\Windows\System32\svchost.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):16384
                                          Entropy (8bit):0.07716076731711201
                                          Encrypted:false
                                          SSDEEP:3:lR//KYe4ORxjn13a/UGP6XlollcVO/lnlZMxZNQl:f/KzXx53qNPrOewk
                                          MD5:F8D08BDEB230FC2365A765D1496AC4CA
                                          SHA1:0D580943FBAF86BB52C4C021EA5BAEB58E31A44D
                                          SHA-256:C04F2B41B14B3903CFF7E9D33B6D7287563A282FC84BA6AB0BC52B9F105400DD
                                          SHA-512:183EAF27DE0AD03186F85859B46E09724D8007ED32D4E56442F605517351D4CA687F31F3EAB1182A15AB1E52F9BFE06F302D6C49B344FF975328F0768A318C62
                                          Malicious:false
                                          Process:C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe
                                          File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Icon number=0, Archive, ctime=Fri Apr 26 16:32:30 2024, mtime=Fri Apr 26 16:32:30 2024, atime=Thu Jun 16 08:28:22 2022, length=1872672, window=hide
                                          Category:dropped
                                          Size (bytes):2157
                                          Entropy (8bit):3.5214813309435598
                                          Encrypted:false
                                          SSDEEP:24:8Q6OD+zEnbdOEaV6L0NAZp0Ed1xdLdc0jYUUkpL9vVqyFm:8MD+QbdOH8ZGEdLdLdDjt77vsyF
                                          MD5:B227AF2B404D26871AA826F01BF22EC1
                                          SHA1:D83BDAA512DB1B2FE1726598B194F3678CA1798B
                                          SHA-256:A5F2530AA19BE600494B7E15E5AA99808880A0AEF24BEA3D64540B24457EA586
                                          SHA-512:3C690ACCCF70094A618BC0697580219369B1D685135AFA2C4CD7CA2178855A5EB301A4F6817CD95D65194123C49323D1CB32829A2F57E705C9CC3A6688B92507
                                          Malicious:false
                                          Preview:L..................F.@.. .....D......~F........kc... ............................P.O. .:i.....+00.../C:\.....................1......X....PROGRA~2.........O.I.X......................V.........P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....P.1......X....FORCS.<......X...X................................F.O.R.C.S.....d.1......X....OZWEBL~1..L......X...X..............................O.Z.W.e.b.L.a.u.n.c.h.e.r.....j.2. ....T.K .OZWLBR~1.EXE..N......X...X................................O.Z.W.L.B.r.i.d.g.e...e.x.e.......h...............-.......g...........O.......C:\Program Files (x86)\FORCS\OZWebLauncher\OZWLBridge.exe..H.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.F.O.R.C.S.\.O.Z.W.e.b.L.a.u.n.c.h.e.r.\.O.Z.W.L.B.r.i.d.g.e...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.F.O.R.C.S.\.O.Z.W.e.b.L.a.u.n.c.h.e.r.9.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.F.O.R.C.S.\.O.Z.W.e.b.L.a.u.n.c.h.e.r.\.O.Z.W.L.B.r.i
                                          Process:C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe
                                          File Type:Composite Document File V2 Document, Cannot read section info
                                          Category:dropped
                                          Size (bytes):242176
                                          Entropy (8bit):2.8398090315048803
                                          Encrypted:false
                                          SSDEEP:3072:sFaUPDJ5QWxnQ41m/bix/4pp46Jk9Wk3SbixzyWpC74resXq4CE4Hix6Q484d7cQ:oa
                                          MD5:5A9526FE953E292780883A5A160EF703
                                          SHA1:50535ABD0C027D5E7858993EA73B0AC4D0D52A1B
                                          SHA-256:7589D44FDD4A86FA00C0E3C3A04070546D3708E6D77A3B0B2291EE1CBE5CBE11
                                          SHA-512:C441FE247790BDB015AAE348B0362007C39924BF296AA61D659DBEFA9AC51FABA0DAF87C2644D8FC6BB513A7440690FD67327F6AD46A85393AA33B5EC8FCEFB8
                                          Malicious:false
                                          Process:C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):400
                                          Entropy (8bit):5.017457694955054
                                          Encrypted:false
                                          SSDEEP:12:XcRCy3QSO4cRCyMKfGzgQcRCTC4cRCmKfGzey:sngptnMKfGzg199KfGzey
                                          MD5:8D38C9F4656DA306BB5056212B2DBF63
                                          SHA1:8BDBE4C1B9067DB393DB4F4976BB67520738B4B7
                                          SHA-256:8DA5BCB8AA47A1398A487F5610F485A2C57FF89193C9660D05D4EA7035FE582C
                                          SHA-512:1E212D41D1AF6E8E68AE74A6EA7234510E59DA98478E8AABE52D4A677DED56A30941F5D60240A0BDF0E8C7B24B3F80A9F219B9E43207DA7B96416BD2455665C5
                                          Malicious:false
                                          Preview:OZWebLauncher.exe Information: 0 : 26/04/2024 19:32:41 : Web root: C:\Program Files (x86)\FORCS\OZWebLauncher\..OZWebLauncher.exe Information: 0 : 26/04/2024 19:32:41 : Server started listening on port 36480..OZWebLauncher.exe Information: 0 : 26/04/2024 19:32:42 : Successfully loaded certificate..OZWebLauncher.exe Information: 0 : 26/04/2024 19:32:42 : Server started listening on port 36510..
                                          Process:C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe
                                          File Type:Unicode text, UTF-16, little-endian text, with very long lines (308), with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):22490
                                          Entropy (8bit):3.484827950705229
                                          Encrypted:false
                                          SSDEEP:384:CTmyuV//BiTbh/Y4AwC2WrP2DBWa/Oa0Mhs+XVgv:CT6V//BiXh/N/lWr0aa0Mhs+XVgv
                                          MD5:8586214463BD73E1C2716113E5BD3E13
                                          SHA1:F02E3A76FD177964A846D4AA0A23F738178DB2BE
                                          SHA-256:089D3068E42958DD2C0AEC668E5B7E57B7584ACA5C77132B1BCBE3A1DA33EF54
                                          SHA-512:309200F38D0E29C9AAA99BB6D95F4347F8A8C320EB65742E7C539246AD9B759608BD5151D1C5D1D05888979DAA38F2B6C3BF492588B212B583B8ADBE81FA161B
                                          Malicious:false
                                          Preview:[0x0409]..1100=Setup Initialization Error..1101=%s..1102=%1 Setup is preparing the %2, which will guide you through the program setup process.  Please wait...1103=Checking Operating System Version..1104=Checking Windows(R) Installer Version..1105=Configuring Windows Installer..1106=Configuring %s..1107=Setup has completed configuring the Windows Installer on your system. The system needs to be restarted in order to continue with the installation. Please click Restart to reboot the system...1108
                                          Process:C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe
                                          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):14958
                                          Entropy (8bit):5.199600266556664
                                          Encrypted:false
                                          SSDEEP:384:DKeEbO3nlKcDUK21OxgCvk3aV4ls8Gb8YVyl:DKtbO3lKcoK21OxgCl7Fyl
                                          MD5:831FE6D667B6F53826290536C987FE2B
                                          SHA1:71A6552DCD68C8606933F80B770736C5E8EDBDDF
                                          SHA-256:9E6D74A5CD777C12767959CD684A5A277930FC6FB109A0641E8D65570A7422D2
                                          SHA-512:9382F8BFE268167756A5D17D84CFD176C66F749BB13DE8369BB5F7697D6101DF08F01F188E9A0C3E465B1807B14251238467E358755C9C37958BBA4EF239945F
                                          Malicious:false
                                          Preview:..[.P.r.o.p.e.r.t.i.e.s.].....F.o.n.t.N.a.m.e.=.M.S. .U.I. .G.o.t.h.i.c.....F.o.n.t.S.i.z.e.=.9.........[.0.x.0.4.1.1.].....1.1.0.0.=..0.0.0.0.0.0.R.g.S.0.0.0....1.1.0.1.=.%.s.....1.1.0.2.=.%.1. ..0.0.0.0.0.0o0.0.0.0.0.0.0.0.0.0.0.0.0n0Kb...0T0Hh.QY0.0 .%.2. ..0.n.PW0f0D0~0Y0.0W0p0.0O0J0._a0O0`0U0D0.0....1.1.0.3.=..0.0.0.0.0.0.0.0 ..0.0.0.0n0.0.0.0.0.0.0.x..W0f0D0~0Y0....1.1.0.4.=.W.i.n.d.o.w.s.(.R.). .I.n.s.t.a.l.l.e.r.n0.0.0.0.0.0.0.x..W0f0D0~0Y0....1.1.0.5.=.W.i.n.d.o.w.s. .I.n.s.t.a.l.l.e.r..0-..[W0f0D0~0Y0....1.1.0.6.=.%.s. ..0-..[W0f0D0~0Y0....1.1.0.7.=..0.0.0.0.0.0o0.0.0.0.0.0.Nn0 .W.i.n.d.o.w.s. .I.n.s.t.a.l.l.e.r. .n0-..[.0.[.NW0~0W0_0.0.0.0.0.0.0.0.0.}L.Y0.0k0o0.0.0.0.0.0.0.Qw..RY0.0._..L0B0.0~0Y0.0.0.Qw..R.0.0.0.0.0.0W0f0.0.0.0.0.0.0.Qw..RW0f0O0`0U0D0.0....1.1.0.8.=.%.s.....1.1.2.5.=..0.0.0.0.0.0....n0x..b....1.1.2.6.=.S0n0.0.0.0.0.0.0g0.O(uY0.0.....0!kn0.0.0.0K0.0x..bW0f0O0`0U0D0.0....1.1.2.7.=.W.i.n.d.o.w.s. .I.n.s.t.a.l.l.e.r. ..0.0.0.0n0-..[.0.[.bU0[0.0.p.0.0.0.0.0.0.0o0
                                          Process:C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe
                                          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):14126
                                          Entropy (8bit):5.413031845668093
                                          Encrypted:false
                                          SSDEEP:192:NtPl0V894Pp/WwJTqSuQusVG5qyKBUxVzliQZWNtgHmYgHgsNSbiE/VRauG:+G94xOwJTqSuQB7VNtc3OS3VUV
                                          MD5:73E70A6B9354E80237C8E2B3170830A0
                                          SHA1:B4C8777CE9C2D2FFF4C0C914825CBE698FEAADAF
                                          SHA-256:316577CF74D3545D632B0DE55513A3511D654849655157CB84821B871EC081E9
                                          SHA-512:F15E736E7C0B55437B39869A0BBCE15D5365F04C70BE23FC373D83CE0E99E0A806244C1C44CD298DC4970D20AF6CB1198A9D84749F5D5AC02162C261B1460ED7
                                          Malicious:false
                                          Preview:..[.P.r.o.p.e.r.t.i.e.s.].....F.o.n.t.N.a.m.e.=.t.......F.o.n.t.S.i.z.e.=.9.........[.0.x.0.4.1.2.].....1.1.0.0.=.$.X. ...0.T. .$.X.....1.1.0.1.=.%.s.....1.1.0.2.=.%.2. ... ......X. .....0... .%.1.D.(.|.). .$.X.`. .$.X. ......|. ...D. ........ ..... .0.......$.......1.1.0.3.=..... ..... ..... .U.x. .......1.1.0.4.=.W.i.n.d.o.w.s.(.R.). .I.n.s.t.a.l.l.e.r. ..... .U.x. .......1.1.0.5.=.W.i.n.d.o.w.s. .I.n.s.t.a.l.l.e.r. .l.1. .......1.1.0.6.=.%.s. .l.1. .......1.1.0.7.=.$.X. ...\.....t. ......X. ....\... .W.i.n.d.o.w.s. .I.n.s.t.a.l.l.e.r.X. .l.1.D. .D......... .$.X.|. ....X.$.t. ....\.D. .... ....t.|. .i..... .".... ....". ...|. .... ....\.D. .... .....X.....$.......1.1.0.8.=.%.s.....1.1.2.5.=.$.X. .... . .......1.1.2.6.=.$.X.X.. ..H. .....`. ....|. .D...... . ...X.....$.......1.1.2.7.=.$.X. ...\.....t. .W.i.n.d.o.w.s. .I.n.s.t.a.l.l.e.r. ...D... .l.1.D. .D..X.$.t. ....\.D. .... ....t.|. .i..... . ..... ....\.D. .... ....X.$.t. .[...].|. .t..X...
                                          Process:C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe
                                          File Type:Unicode text, UTF-16, little-endian text, with very long lines (308), with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):22490
                                          Entropy (8bit):3.484827950705229
                                          Encrypted:false
                                          SSDEEP:384:CTmyuV//BiTbh/Y4AwC2WrP2DBWa/Oa0Mhs+XVgv:CT6V//BiXh/N/lWr0aa0Mhs+XVgv
                                          MD5:8586214463BD73E1C2716113E5BD3E13
                                          SHA1:F02E3A76FD177964A846D4AA0A23F738178DB2BE
                                          SHA-256:089D3068E42958DD2C0AEC668E5B7E57B7584ACA5C77132B1BCBE3A1DA33EF54
                                          SHA-512:309200F38D0E29C9AAA99BB6D95F4347F8A8C320EB65742E7C539246AD9B759608BD5151D1C5D1D05888979DAA38F2B6C3BF492588B212B583B8ADBE81FA161B
                                          Malicious:false
                                          Preview:[0x0409]..1100=Setup Initialization Error..1101=%s..1102=%1 Setup is preparing the %2, which will guide you through the program setup process.  Please wait...1103=Checking Operating System Version..1104=Checking Windows(R) Installer Version..1105=Configuring Windows Installer..1106=Configuring %s..1107=Setup has completed configuring the Windows Installer on your system. The system needs to be restarted in order to continue with the installation. Please click Restart to reboot the system...1108
                                          Process:C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe
                                          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):14958
                                          Entropy (8bit):5.199600266556664
                                          Encrypted:false
                                          SSDEEP:384:DKeEbO3nlKcDUK21OxgCvk3aV4ls8Gb8YVyl:DKtbO3lKcoK21OxgCl7Fyl
                                          MD5:831FE6D667B6F53826290536C987FE2B
                                          SHA1:71A6552DCD68C8606933F80B770736C5E8EDBDDF
                                          SHA-256:9E6D74A5CD777C12767959CD684A5A277930FC6FB109A0641E8D65570A7422D2
                                          SHA-512:9382F8BFE268167756A5D17D84CFD176C66F749BB13DE8369BB5F7697D6101DF08F01F188E9A0C3E465B1807B14251238467E358755C9C37958BBA4EF239945F
                                          Malicious:false
                                          Preview:..[.P.r.o.p.e.r.t.i.e.s.].....F.o.n.t.N.a.m.e.=.M.S. .U.I. .G.o.t.h.i.c.....F.o.n.t.S.i.z.e.=.9.........[.0.x.0.4.1.1.].....1.1.0.0.=..0.0.0.0.0.0.R.g.S.0.0.0....1.1.0.1.=.%.s.....1.1.0.2.=.%.1. ..0.0.0.0.0.0o0.0.0.0.0.0.0.0.0.0.0.0.0n0Kb...0T0Hh.QY0.0 .%.2. ..0.n.PW0f0D0~0Y0.0W0p0.0O0J0._a0O0`0U0D0.0....1.1.0.3.=..0.0.0.0.0.0.0.0 ..0.0.0.0n0.0.0.0.0.0.0.x..W0f0D0~0Y0....1.1.0.4.=.W.i.n.d.o.w.s.(.R.). .I.n.s.t.a.l.l.e.r.n0.0.0.0.0.0.0.x..W0f0D0~0Y0....1.1.0.5.=.W.i.n.d.o.w.s. .I.n.s.t.a.l.l.e.r..0-..[W0f0D0~0Y0....1.1.0.6.=.%.s. ..0-..[W0f0D0~0Y0....1.1.0.7.=..0.0.0.0.0.0o0.0.0.0.0.0.Nn0 .W.i.n.d.o.w.s. .I.n.s.t.a.l.l.e.r. .n0-..[.0.[.NW0~0W0_0.0.0.0.0.0.0.0.0.}L.Y0.0k0o0.0.0.0.0.0.0.Qw..RY0.0._..L0B0.0~0Y0.0.0.Qw..R.0.0.0.0.0.0W0f0.0.0.0.0.0.0.Qw..RW0f0O0`0U0D0.0....1.1.0.8.=.%.s.....1.1.2.5.=..0.0.0.0.0.0....n0x..b....1.1.2.6.=.S0n0.0.0.0.0.0.0g0.O(uY0.0.....0!kn0.0.0.0K0.0x..bW0f0O0`0U0D0.0....1.1.2.7.=.W.i.n.d.o.w.s. .I.n.s.t.a.l.l.e.r. ..0.0.0.0n0-..[.0.[.bU0[0.0.p.0.0.0.0.0.0.0o0
                                          Process:C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe
                                          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):14126
                                          Entropy (8bit):5.413031845668093
                                          Encrypted:false
                                          SSDEEP:192:NtPl0V894Pp/WwJTqSuQusVG5qyKBUxVzliQZWNtgHmYgHgsNSbiE/VRauG:+G94xOwJTqSuQB7VNtc3OS3VUV
                                          MD5:73E70A6B9354E80237C8E2B3170830A0
                                          SHA1:B4C8777CE9C2D2FFF4C0C914825CBE698FEAADAF
                                          SHA-256:316577CF74D3545D632B0DE55513A3511D654849655157CB84821B871EC081E9
                                          SHA-512:F15E736E7C0B55437B39869A0BBCE15D5365F04C70BE23FC373D83CE0E99E0A806244C1C44CD298DC4970D20AF6CB1198A9D84749F5D5AC02162C261B1460ED7
                                          Malicious:false
                                          Preview:..[.P.r.o.p.e.r.t.i.e.s.].....F.o.n.t.N.a.m.e.=.t.......F.o.n.t.S.i.z.e.=.9.........[.0.x.0.4.1.2.].....1.1.0.0.=.$.X. ...0.T. .$.X.....1.1.0.1.=.%.s.....1.1.0.2.=.%.2. ... ......X. .....0... .%.1.D.(.|.). .$.X.`. .$.X. ......|. ...D. ........ ..... .0.......$.......1.1.0.3.=..... ..... ..... .U.x. .......1.1.0.4.=.W.i.n.d.o.w.s.(.R.). .I.n.s.t.a.l.l.e.r. ..... .U.x. .......1.1.0.5.=.W.i.n.d.o.w.s. .I.n.s.t.a.l.l.e.r. .l.1. .......1.1.0.6.=.%.s. .l.1. .......1.1.0.7.=.$.X. ...\.....t. ......X. ....\... .W.i.n.d.o.w.s. .I.n.s.t.a.l.l.e.r.X. .l.1.D. .D......... .$.X.|. ....X.$.t. ....\.D. .... ....t.|. .i..... .".... ....". ...|. .... ....\.D. .... .....X.....$.......1.1.0.8.=.%.s.....1.1.2.5.=.$.X. .... . .......1.1.2.6.=.$.X.X.. ..H. .....`. ....|. .D...... . ...X.....$.......1.1.2.7.=.$.X. ...\.....t. .W.i.n.d.o.w.s. .I.n.s.t.a.l.l.e.r. ...D... .l.1.D. .D..X.$.t. ....\.D. .... ....t.|. .i..... . ..... ....\.D. .... ....X.$.t. .[...].|. .t..X...
                                          Process:C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe
                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, PECompact2 compressed
                                          Category:dropped
                                          Size (bytes):800256
                                          Entropy (8bit):7.772746681961582
                                          Encrypted:false
                                          SSDEEP:12288:mIGz7ovgUHjhKtYCdP2q4/8mnL2YCTdSxZa65jcttUO+UC1nHZ:mIGz8IUDP0OqGL2YCsxZa6RuUO+UCd5
                                          MD5:40FEFC3D907D44A9ADC84475AB073A6E
                                          SHA1:4CBEA84B4784ACB795E3891B5ED60B25809DB762
                                          SHA-256:C51699CBF0B433C4F7B687C8520192AD5EA519214BFDE6732453FF194BC2FFD9
                                          SHA-512:F6D64FDF76EA8E5725451B50A2A49042A3DBB66A68BA787BA742EB202345E298317257740E11C8C8BA0E217059DE991A10FF0DC95F83B8F820BB248AF71E9229
                                          Malicious:false
                                          Process:C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe
                                          File Type:InstallShield CAB
                                          Category:dropped
                                          Size (bytes):4034074
                                          Entropy (8bit):7.998927656036685
                                          Encrypted:true
                                          SSDEEP:98304:IpkIARx9gcDm9rf10AXmqOQTTUHiKkXilTyL:IpkqskjW4J3vKkSVyL
                                          MD5:EE044475CA78405A346689689249AD84
                                          SHA1:9AD777A46032CA285933B7655E0CEB0C97176C71
                                          SHA-256:30E681C1F70FB6583E802409988AB08969E3003BA022894202B2557324AB4E46
                                          SHA-512:C7EBABEE44F54562E826ED78AA9DD0BBFA5255B72426E6D42284C17339F6DBF4C7B4D3F3200C8C13A01A5A28B9EFC84372D1C55629C663358C9A8CEEAC8CD0E3
                                          Malicious:false
                                          Process:C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe
                                          File Type:InstallShield CAB
                                          Category:dropped
                                          Size (bytes):26054
                                          Entropy (8bit):3.5887655093558037
                                          Encrypted:false
                                          SSDEEP:768:wUaIZIO6SaJvFm5g5Sp8X7/e9lK71HAaAzRP/IFWK4qqTzRPNL:Y3HAaAzRP/IFWK4qCRPNL
                                          MD5:EB7583FCD1066946983E3532F111418D
                                          SHA1:9010F83B20F622226772FD96F70FEC33BEF8BBAA
                                          SHA-256:390F9E1A0F95721B3C00916E82EA0156A397B381297086D6BBB0F2319EB47439
                                          SHA-512:EF0442CDE8E37E2A1EDC244189B2A0B0575E0D56A93D3EE832B12B7830170CCA2851A296664CB4FFD3AA7B690A2638D457785EEA1A5D596E52A09CEDBD0AA7C6
                                          Malicious:false
                                          Process:C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):610
                                          Entropy (8bit):2.0528353271086552
                                          Encrypted:false
                                          SSDEEP:6:oMaqUlfKDjO2CzCnXl87clRJDWLNglETl127W7Jtn:o5flfcO2wkpl/yBTj
                                          MD5:3719C98DE521D5B4DAE628BEC7C80134
                                          SHA1:D5465002E5F91E8000292F88C0C1C81B5DDD3910
                                          SHA-256:1759489A4DE0EFE993A55E064B3E7BBDE359D193EF6C1F1C06B863DE15B1CF62
                                          SHA-512:92D2B9FBC84CDF7B2C7855470433691C4EBB38544995B532C3D327A48BCBF908831A865BAB143A85FAFE198A6BD4F8A3F8A835EFCD92D7FFCCB3CF26FBA0C60F
                                          Malicious:false
                                          Preview:c..S.@..b..........@.(...................................................................................................................................................................................................................................................... ...L....P..........x...............................$...8...N...............................................s.e.t.u.p...i.n.i.....s.e.t.u.p...i.n.x...I.S.S.e.t.u.p...d.l.l...0.x.0.4.0.9...i.n.i...0.x.0.4.1.1...i.n.i...0.x.0.4.1.2...i.n.i...d.a.t.a.1...h.d.r...d.a.t.a.1...c.a.b...d.a.t.a.2...c.a.b...l.a.y.o.u.t...b.i.n...s.e.t.u.p...e.x.e...
                                          Process:C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe
                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                          Category:dropped
                                          Size (bytes):1193984
                                          Entropy (8bit):6.684414940299207
                                          Encrypted:false
                                          SSDEEP:24576:eGjk6PMUtgtIKIch5+915zApy/MrllllVrGifVyCWgA:fjk6PMUtgtJphMDw3llllVrGSVId
                                          MD5:1B3150F66F03B0DA4EFCCDD9F079E5F7
                                          SHA1:D8E6C6B36E026BF2AC5DEEF22EB62C0D5BAD793D
                                          SHA-256:77648A3E8566D3E5B15BFACBEB72843679EAECDF03406317474B9A7F22EF5500
                                          SHA-512:76004C1F0B0C0C6526D9C88F501D0AE7743BB165CD9B5D95FB9173A44669FC1FE3D89CC40C258BC5A635666BD4EE79F315F4E41785F43F8F6222130E705B4ADA
                                          Malicious:false
                                          Process:C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe
                                          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):2372
                                          Entropy (8bit):3.68017858480026
                                          Encrypted:false
                                          SSDEEP:48:rsAMqxWt3KZcPTmsVu/+S8gvn6CJkkY09TzcqYtxkYOvl5ZAMXvrcOyb0pn:rsAMqQOcrzqrvnp6kY05w7tCYOvlnAMn
                                          MD5:9D52A282131FF272712BD5BA4B800EC1
                                          SHA1:4E078174EA404C55C2D66BA989700D3F9072E98F
                                          SHA-256:9BF8191859390A998D26F7DB3CEF636C13A3EA152848071C118252AC73CACF1E
                                          SHA-512:7955AE14380CA84C605F3ADEB7A9805D97BD2A6E1A6A8219D9F629EE37392034095B6176D5960017FF11A9170D60434678EF343E0AE78D5A87E0511C37896984
                                          Malicious:false
                                          Preview:[Startup]..Product=OZWebLauncher..ProductGUID=E57AA2E7-1A7E-47FB-B362-ED04768595E6..CompanyName=FORCS Co.,LTD...ErrorReportURL=http://www.installshield.com/isetup/ProErrorCentral.asp?ErrorCode=%d : 0x%x&ErrorInfo=%s..MediaFormat=1..LogMode=1..SmallProgress=Y..SplashTime=..CheckMD5=Y..CmdLine=..ShowPasswordDialog=N..ScriptDriven=4....[Languages]..Default=0x0409..Supported=0x0409,0x0411,0x0412..RequireExactLangMatch=0x0404,0x0804..RTLLangs=0x0401,0x040d....[0x0409]..0x0409=English (United States)
                                          Process:C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):255186
                                          Entropy (8bit):7.384273267559334
                                          Encrypted:false
                                          SSDEEP:3072:jIvdrk/YBXdCyfKjgqjWNlZNvlac9s4HfWsO0L1SuA90mG/EJKtglG5QZ6vSDMSh:jIOYxdC98ZZ7L1SuA93bItscabFB5EY7
                                          MD5:FA701C7DAAC8CA35B83BA40529B7D776
                                          SHA1:98C6298261F6E74F0EB29861C2D408D5B0048161
                                          SHA-256:B944AF37E91CCD737A358D15B66D41D23B7CF2B95E207090D3608C727C953803
                                          SHA-512:A5EB1CE77299D78F50FA94CC151CA57E902872C5B1CADD06772167A8C7EFCE82F8CB2952FE8C88EBEC9A560035FE2003E10CEE24A7696C6AF02F177987522430
                                          Malicious:false
                                          Process:C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe
                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, PECompact2 compressed
                                          Category:dropped
                                          Size (bytes):800256
                                          Entropy (8bit):7.772746681961582
                                          Encrypted:false
                                          SSDEEP:12288:mIGz7ovgUHjhKtYCdP2q4/8mnL2YCTdSxZa65jcttUO+UC1nHZ:mIGz8IUDP0OqGL2YCsxZa6RuUO+UCd5
                                          MD5:40FEFC3D907D44A9ADC84475AB073A6E
                                          SHA1:4CBEA84B4784ACB795E3891B5ED60B25809DB762
                                          SHA-256:C51699CBF0B433C4F7B687C8520192AD5EA519214BFDE6732453FF194BC2FFD9
                                          SHA-512:F6D64FDF76EA8E5725451B50A2A49042A3DBB66A68BA787BA742EB202345E298317257740E11C8C8BA0E217059DE991A10FF0DC95F83B8F820BB248AF71E9229
                                          Malicious:false
                                          Process:C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe
                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                          Category:dropped
                                          Size (bytes):1193984
                                          Entropy (8bit):6.684414940299207
                                          Encrypted:false
                                          SSDEEP:24576:eGjk6PMUtgtIKIch5+915zApy/MrllllVrGifVyCWgA:fjk6PMUtgtJphMDw3llllVrGSVId
                                          MD5:1B3150F66F03B0DA4EFCCDD9F079E5F7
                                          SHA1:D8E6C6B36E026BF2AC5DEEF22EB62C0D5BAD793D
                                          SHA-256:77648A3E8566D3E5B15BFACBEB72843679EAECDF03406317474B9A7F22EF5500
                                          SHA-512:76004C1F0B0C0C6526D9C88F501D0AE7743BB165CD9B5D95FB9173A44669FC1FE3D89CC40C258BC5A635666BD4EE79F315F4E41785F43F8F6222130E705B4ADA
                                          Malicious:true
                                          Process:C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe
                                          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):2372
                                          Entropy (8bit):3.68017858480026
                                          Encrypted:false
                                          SSDEEP:48:rsAMqxWt3KZcPTmsVu/+S8gvn6CJkkY09TzcqYtxkYOvl5ZAMXvrcOyb0pn:rsAMqQOcrzqrvnp6kY05w7tCYOvlnAMn
                                          MD5:9D52A282131FF272712BD5BA4B800EC1
                                          SHA1:4E078174EA404C55C2D66BA989700D3F9072E98F
                                          SHA-256:9BF8191859390A998D26F7DB3CEF636C13A3EA152848071C118252AC73CACF1E
                                          SHA-512:7955AE14380CA84C605F3ADEB7A9805D97BD2A6E1A6A8219D9F629EE37392034095B6176D5960017FF11A9170D60434678EF343E0AE78D5A87E0511C37896984
                                          Malicious:false
                                          Preview:[Startup]..Product=OZWebLauncher..ProductGUID=E57AA2E7-1A7E-47FB-B362-ED04768595E6..CompanyName=FORCS Co.,LTD...ErrorReportURL=http://www.installshield.com/isetup/ProErrorCentral.asp?ErrorCode=%d : 0x%x&ErrorInfo=%s..MediaFormat=1..LogMode=1..SmallProgress=Y..SplashTime=..CheckMD5=Y..CmdLine=..ShowPasswordDialog=N..ScriptDriven=4....[Languages]..Default=0x0409..Supported=0x0409,0x0411,0x0412..RequireExactLangMatch=0x0404,0x0804..RTLLangs=0x0401,0x040d....[0x0409]..0x0409=English (United States)
                                          Process:C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe
                                          File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):182008
                                          Entropy (8bit):5.745001134941054
                                          Encrypted:false
                                          SSDEEP:3072:CIFNKUw8ALJ+C2T0FSmmiYQT4nF2E+JYVdeZ2bgA/qrXo:2Un0mT8Sc/T4F1bnxg85
                                          MD5:8A1E5A6B1C4E0C7D706EB2B36FA6C8EA
                                          SHA1:49199A62DE0EDA485B5287BAD469F92AD8EBD407
                                          SHA-256:4104FDE5404BFB3C5347B8ECDAEC89A2E746B1162DC75186BC79738805818C0A
                                          SHA-512:1393BD6C06C30DF7414494E5B06242445EB8AFDF5467C6A5E875F2C63506B0B581322B6444C6D8F06B39AA5B04D1C55A631CCF932DC6D5043296DD3ED3CD9FC8
                                          Malicious:false
                                          Process:C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe
                                          File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):182008
                                          Entropy (8bit):5.745001134941054
                                          Encrypted:false
                                          SSDEEP:3072:CIFNKUw8ALJ+C2T0FSmmiYQT4nF2E+JYVdeZ2bgA/qrXo:2Un0mT8Sc/T4F1bnxg85
                                          MD5:8A1E5A6B1C4E0C7D706EB2B36FA6C8EA
                                          SHA1:49199A62DE0EDA485B5287BAD469F92AD8EBD407
                                          SHA-256:4104FDE5404BFB3C5347B8ECDAEC89A2E746B1162DC75186BC79738805818C0A
                                          SHA-512:1393BD6C06C30DF7414494E5B06242445EB8AFDF5467C6A5E875F2C63506B0B581322B6444C6D8F06B39AA5B04D1C55A631CCF932DC6D5043296DD3ED3CD9FC8
                                          Malicious:false
                                          Process:C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):65503
                                          Entropy (8bit):3.783333450686201
                                          Encrypted:false
                                          SSDEEP:1536:biZVg/LPnypGccYM3MFe/Xvv+JcvpqLm416lt91FHWEi7I8qQdeVH3+HF2FnlP5r:gW/LPni+3MFe/XycRj4slt9HHWEi7I8M
                                          MD5:09D38CECA6A012F4CE5B54F03DB9B21A
                                          SHA1:01FCB72F22205E406FF9A48C5B98D7B7457D7D98
                                          SHA-256:F6D7BC8CA6550662166F34407968C7D3669613E50E98A4E40BEC1589E74FF5D1
                                          SHA-512:8C73CA3AF53A9BAF1B9801F87A8FF759DA9B40637A86567C6CC10AB491ACCB446B40C8966807BD06D52EB57384E2D6A4886510DE338019CFD7EF966B45315BA9
                                          Malicious:false
                                          Preview:; Corecomp.ini..;..; This file stores information about files that InstallShield..; will install to the Windows\System folder, such as Windows..; 95 and NT 4.0 core components and DAO, ODBC, and ActiveX files...; ..; The entries have the following format, without a space before ..; or after the equal sign:..;..; <file name>=<properties>..; ..; Currently, following properties are supported:..; 0x00000000 No registry entry is created for this file. It is..; not logged for uninstallation, and is therefore ..; never removed...;..; Inappropriate modification to this file can prevent an..; application from getting Windows 95/Windows NT logo...;..; Last Updated: 2/27/2002; rs....[Win32]....12500852.cpx=0x00000000 ..12510866.cpx=0x00000000 ..12520437.cpx=0x00000000..12520850.cpx=0x00000000..12520860.cpx=0x00000000..12520861.cpx=0x00000000 ..12520863.cpx=0x00000000 ..12520865.cpx=0x00000000..6to4svc.dll=0x00000000..82557ndi.dll=0x00000000..8514a.dll=0x000
                                          Process:C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):65503
                                          Entropy (8bit):3.783333450686201
                                          Encrypted:false
                                          SSDEEP:1536:biZVg/LPnypGccYM3MFe/Xvv+JcvpqLm416lt91FHWEi7I8qQdeVH3+HF2FnlP5r:gW/LPni+3MFe/XycRj4slt9HHWEi7I8M
                                          MD5:09D38CECA6A012F4CE5B54F03DB9B21A
                                          SHA1:01FCB72F22205E406FF9A48C5B98D7B7457D7D98
                                          SHA-256:F6D7BC8CA6550662166F34407968C7D3669613E50E98A4E40BEC1589E74FF5D1
                                          SHA-512:8C73CA3AF53A9BAF1B9801F87A8FF759DA9B40637A86567C6CC10AB491ACCB446B40C8966807BD06D52EB57384E2D6A4886510DE338019CFD7EF966B45315BA9
                                          Malicious:false
                                          Preview:; Corecomp.ini..;..; This file stores information about files that InstallShield..; will install to the Windows\System folder, such as Windows..; 95 and NT 4.0 core components and DAO, ODBC, and ActiveX files...; ..; The entries have the following format, without a space before ..; or after the equal sign:..;..; <file name>=<properties>..; ..; Currently, following properties are supported:..; 0x00000000 No registry entry is created for this file. It is..; not logged for uninstallation, and is therefore ..; never removed...;..; Inappropriate modification to this file can prevent an..; application from getting Windows 95/Windows NT logo...;..; Last Updated: 2/27/2002; rs....[Win32]....12500852.cpx=0x00000000 ..12510866.cpx=0x00000000 ..12520437.cpx=0x00000000..12520850.cpx=0x00000000..12520860.cpx=0x00000000..12520861.cpx=0x00000000 ..12520863.cpx=0x00000000 ..12520865.cpx=0x00000000..6to4svc.dll=0x00000000..82557ndi.dll=0x00000000..8514a.dll=0x000
                                          Process:C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe
                                          File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                          Category:dropped
                                          Size (bytes):23816
                                          Entropy (8bit):4.157035386837471
                                          Encrypted:false
                                          SSDEEP:192:YEm805ZvWFXfXDuQkC2+Z4nYe+PjPrSBO3SwVEnujexYi:q8SZvWFSQzHOnYPLWhjei
                                          MD5:A6CBAC7CEF4B03FCB1A9D65A5337B46C
                                          SHA1:DEC659C2ADEEA0B8E6C40DB8290F5855D652D7F4
                                          SHA-256:46AD0972344B2C71B560DAEB90075FDC5BD80F5D3AF33F1FD8B4C2D3A09FF978
                                          SHA-512:E8EBB5150274882E53AE7CC2BA21B01F2A7270D0FF7E979C8163EBB7600A8245D7ADEC5AAABE705EF03B5F16987649B21D6ABEBCB438935919D7403F8B25D05A
                                          Malicious:false
                                          Process:C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):146
                                          Entropy (8bit):4.677494553177857
                                          Encrypted:false
                                          SSDEEP:3:cTIMOoIRuQVK/FNURAmIRMNHNQAolFNURAmIRMNHjKbo5KWREBAW4QIMOn:8IffVKNC7VNQAofC7V2bopuAW4QIT
                                          MD5:DB722945AB9C024CE55E469644393824
                                          SHA1:191782B3B4C7BD21FABB3D5B655B7F2DEC2F4F56
                                          SHA-256:C7E5BDC4B79F7F8C68C5F09C0C055E97FB8C62FE1B5D469B3527AB6B767C8DF2
                                          SHA-512:40503C28296CEB68428E327AC79326579C067511638263A477534B8E33341F24E2944077ACCDABB947981980F91604B71B6715A1488181B9C48515AB81271ED8
                                          Malicious:false
                                          Preview:<configuration>.. <startup>.. <supportedRuntime version="v2.0.50727"/>.. <supportedRuntime version="v4.0"/>.. </startup>..</configuration>
                                          Process:C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe
                                          File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                          Category:dropped
                                          Size (bytes):23816
                                          Entropy (8bit):4.157035386837471
                                          Encrypted:false
                                          SSDEEP:192:YEm805ZvWFXfXDuQkC2+Z4nYe+PjPrSBO3SwVEnujexYi:q8SZvWFSQzHOnYPLWhjei
                                          MD5:A6CBAC7CEF4B03FCB1A9D65A5337B46C
                                          SHA1:DEC659C2ADEEA0B8E6C40DB8290F5855D652D7F4
                                          SHA-256:46AD0972344B2C71B560DAEB90075FDC5BD80F5D3AF33F1FD8B4C2D3A09FF978
                                          SHA-512:E8EBB5150274882E53AE7CC2BA21B01F2A7270D0FF7E979C8163EBB7600A8245D7ADEC5AAABE705EF03B5F16987649B21D6ABEBCB438935919D7403F8B25D05A
                                          Malicious:false
                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....yY..................... .......*... ...@....... ....................................@..................................*..K....@..x............@.......`....................................................... ............... ..H............text........ ...................... ..`.rsrc...x....@....... ..............@..@.reloc.......`.......0..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                          Process:C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe
                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                          Category:dropped
                                          Size (bytes):1747272
                                          Entropy (8bit):6.509155391008949
                                          Encrypted:false
                                          SSDEEP:49152:hCoYKl50tEr293jTbQCiHIpElO6/z5TQDtiibwuWb:hrmCc3jTbQCiHIGlz/zepiiMuWb
                                          MD5:644CC925D18E5326744499E5560CFC95
                                          SHA1:F60AFED62A04AC45A16123C5C5C134C39A2F73C3
                                          SHA-256:EA421943F3BE7038CBB6014C79C7824859E494C781FA7C940BE904348F15B539
                                          SHA-512:11914D235B5CD8AF867C8C8609A7AA2B91F597866DD6B70757593B02602D52B7496934C4DF8BD1344D631AC39A7ACF9AED67E76F2405DC8806BA9EC493960F4A
                                          Malicious:false
                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......T.q)...z...z...z7Hrz...z7Hdz1..z...z...z...z<..z...z...z...zN..z..z...z...z...z..z...z...z...zRich...z........................PE..L....o._.................p..........y.............@.......................... ......k}....@.....................................T........D..............H...........................................@...@...................D...@....................text...6o.......p.................. ..`.rdata...H.......J...t..............@..@.data............`..................@....rsrc....D.......D..................@..@.reloc...*.......,...b..............@..B........................................................................................................................................................................................................................................................................................................
                                          Process:C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe
                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                          Category:dropped
                                          Size (bytes):1747304
                                          Entropy (8bit):6.509416080476435
                                          Encrypted:false
                                          SSDEEP:49152:jLYdpYaUtEP7yJqcGqYBte9M1OKHvXDgZ0iInsqPxE:jfv2mJqcGqYBteG1LHvU2iIsqPxE
                                          MD5:40BFA09CEEE186F28232846DA91C5D98
                                          SHA1:A046233C3F3CE6DD171A15DE7B3EDF75129974D4
                                          SHA-256:F0E53B58B62D654A995F44E8D43352C8ACA2F4571178192215A3D9DA1F4E3B75
                                          SHA-512:A792585D2680E61E34ED932C8550541948E159A620CBD0DD5E86C1F8983B23B9EF6E11DF64E3F520794FD42FD2BF21BDBB96461D448C1C4D2C57C98ED9C38C67
                                          Malicious:false
                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......T.q)...z...z...z7Hrz...z7Hdz1..z...z...z...z<..z...z...z...zN..z..z...z...z...z..z...z...z...zRich...z........................PE..L....<~[.................p..........y.............@.......................... .......(....@.....................................T........C..............h...........................................@...@...................T...@....................text...6o.......p.................. ..`.rdata...H.......J...t..............@..@.data............`..................@....rsrc....C.......D..................@..@.reloc...*.......,...b..............@..B........................................................................................................................................................................................................................................................................................................
                                          Process:C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):84
                                          Entropy (8bit):4.638552692098388
                                          Encrypted:false
                                          SSDEEP:3:m1eAsIdWVVVWhs6E2QVVK2Whsyor3Vg2Wn:mdv0am2QVVgQ3Van
                                          MD5:1EB6253DEE328C2063CA12CF657BE560
                                          SHA1:46E01BCBB287873CF59C57B616189505D2BB1607
                                          SHA-256:6BC8B890884278599E4C0CA4095CEFDF0F5394C5796012D169CC0933E03267A1
                                          SHA-512:7C573896ABC86D899AFBCE720690454C06DBFAFA97B69BC49B8E0DDEC5590CE16F3CC1A30408314DB7C4206AA95F5C684A6587EA2DA033AECC4F70720FC6189E
                                          Malicious:false
                                          Preview:[<Properties>]..DIFx32Supported=No..DIFxIntel64Supported=No..DIFxAMD64Supported=No..
                                          Process:C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):37
                                          Entropy (8bit):4.175273297885966
                                          Encrypted:false
                                          SSDEEP:3:m1eAsCMWRXBQYrD:mdjXIYf
                                          MD5:8CE28395A49EB4ADA962F828ECA2F130
                                          SHA1:270730E2969B8B03DB2A08BA93DFE60CBFB36C5F
                                          SHA-256:A7E91B042CE33490353C00244C0420C383A837E73E6006837A60D3C174102932
                                          SHA-512:BB712043CDDBE62B5BFDD79796299B0C4DE0883A39F79CD006D3B04A1A2BED74B477DF985F7A89B653E20CB719B94FA255FDAA0819A8C6180C338C01F39B8382
                                          Malicious:false
                                          Preview:[<Properties>]..FontRegistration=No..
                                          Process:C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe
                                          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):3298
                                          Entropy (8bit):3.7274227072617543
                                          Encrypted:false
                                          SSDEEP:96:rscISQHQSXz2Ar2BKw+yJkFDqDBAsByyyUh:w/KBgYdA1xY
                                          MD5:F1BFF6571FABBE425A839A0D2FB06F46
                                          SHA1:BF884BA898D35CD277BC101AC568CEBEBFD88085
                                          SHA-256:156B50E0C8FF598DD01DB66C6A4967ECAF307718CC6E430B095E9CFDFB5D4F03
                                          SHA-512:FD42F94C47D4F9176F3AFC7536E1C5D7354AF617AB34BE451D55597DE280293B91C86BF62DE78C5EB8C1E93F7947B8B191818BB97B3DA8C69B67432EC081DFCA
                                          Malicious:false
                                          Preview:..[.S.t.r.i.n.g.T.a.b.l.e.:.D.a.t.a.:.0.4.0.9.].....I.D.P.R.O.P._.S.E.T.U.P.T.Y.P.E._.C.O.M.P.L.E.T.E.=.C.o.m.p.l.e.t.e.....I.D.P.R.O.P._.S.E.T.U.P.T.Y.P.E._.C.O.M.P.L.E.T.E._.D.E.S.C.=.C.o.m.p.l.e.t.e.....I.D.P.R.O.P._.S.E.T.U.P.T.Y.P.E._.C.U.S.T.O.M.=.C.u.s.t.o.m.....I.D.P.R.O.P._.S.E.T.U.P.T.Y.P.E._.C.U.S.T.O.M._.D.E.S.C._.P.R.O.=.C.u.s.t.o.m.....I.D.S._.S.Q.L.S.C.R.I.P.T._.I.N.S.T.A.L.L.I.N.G.=.E.x.e.c.u.t.i.n.g. .S.Q.L. .I.n.s.t.a.l.l. .S.c.r.i.p.t...........I.D.S._.S.Q.L.S.C.R.I.P.T._.U.N.I.N.S.T.A.L.L.I.N.G.=.E.x.e.c.u.t.i.n.g. .S.Q.L. .U.n.i.n.s.t.a.l.l. .S.c.r.i.p.t...........I.D._.S.T.R.I.N.G.1.=.F.O.R.C.S.....I.D._.S.T.R.I.N.G.1.0.=.O.Z.W.e.b.L.a.u.n.c.h.e.r.....I.D._.S.T.R.I.N.G.1.1.=.C.e.r.t.i.f.i.c.a.t.i.o.n. .F.i.l.e.s.....I.D._.S.T.R.I.N.G.1.2.=.O.Z.W.e.b.L.a.u.n.c.h.e.r. .i.s. .r.u.n.n.i.n.g...\.n.T.h.e. .p.r.o.g.r.a.m. .p.r.o.c.e.e.d.s. .a.f.t.e.r. .O.Z.W.e.b.L.a.u.n.c.h.e.r. .c.l.o.s.e.d.......I.D._.S.T.R.I.N.G.1.4.=.O.Z.W.e.b.L.a.u.n.c.h.e.r.....I.D._.S.T.R.I.N.G.1.
                                          Process:C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe
                                          File Type:ASCII text, with no line terminators
                                          Category:dropped
                                          Size (bytes):39
                                          Entropy (8bit):4.541311192999328
                                          Encrypted:false
                                          SSDEEP:3:5jFbKAA9NIJ:P+S
                                          MD5:1BC352B8821D6B0A3647BFD8498D3294
                                          SHA1:E7FE323204EE78009A1B8048008209A6F4FD67D9
                                          SHA-256:26DB93A07B57F92905A87A580CEE11E0F781C3031FFEBBA805348BC03B88A7BC
                                          SHA-512:99A3CB192A1BB67F96C5CF7DA0BD4B8A9E429F42EAE0FD005F62C3E3EE787997DC51973F33A6DB59544E5C826D0AC169034B5300CF9F44FEE2DC0BD2DCA86AEE
                                          Malicious:false
                                          Preview:regsvr32 /s c:\Windows\ZTUACControl.dll
                                          Process:C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe
                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                          Category:dropped
                                          Size (bytes):179752
                                          Entropy (8bit):6.5246371305408655
                                          Encrypted:false
                                          SSDEEP:3072:I+vSg4CdMtb4L61vPfqhnFJbqJZw2/q5R+5p0x5xNMRVK72Xx0t:Z4Cm14L6+nFgw2C5xx5xNMKqut
                                          MD5:642B14AEA1E552D4EA7CE8C6A7A25817
                                          SHA1:47C57C92D5EE6230407236F9412647A74828AC80
                                          SHA-256:6E912ECEDD220AF7A16A7AB7009CABA264845B0165DABBA36EFC53CB4611C844
                                          SHA-512:3B043777DB1D47FFD47ED276C3E6F834F3DF1DB4993FE2E150A57C76716E1EC7C7421FACBDEC6D27362D9729AA3A125D33D454D91D5E311DE9787E7A95FD8C5A
                                          Malicious:false
                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........>J.._$.._$.._$..'..._$...I.._$..._.._$.._%.$_$..'..._$..'..._$..'..._$......_$..'..._$.Rich._$.........PE..L...}.qb...........!................,...............................................:...............................PC.......1...........#..............(...............................................@...............p............................text............................... ..`.orpc...3........................... ..`.rdata...t.......t..................@..@.data....:...P....... ..............@....rsrc....#.......$...>..............@..@.reloc..P-...........b..............@..B........................................................................................................................................................................................................................................................................................
                                          Process:C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe
                                          File Type:ASCII text, with no line terminators
                                          Category:dropped
                                          Size (bytes):40
                                          Entropy (8bit):4.6219280948873624
                                          Encrypted:false
                                          SSDEEP:3:5jFbKAS8L/J:P68V
                                          MD5:B97BA3D8276E820158933CEE338EC8E0
                                          SHA1:B4C1999714E2099C6FA57E33734AB43E1DCA6AA4
                                          SHA-256:18C3A9358625CC53C4BD64A0F23314EFC78E7250C39E8F0E5DB25E3AD23F24E7
                                          SHA-512:693D99EF254A72C7F87CB32DEA39BC5F31C22649D4532CA4FA6D43AFFE38DEE16917A15A49DC06C8D04107E18776394E1F3880C852C649E2D851561AAB62680B
                                          Malicious:false
                                          Preview:regsvr32 /s c:\Windows\ZTransferXUAC.dll
                                          Process:C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe
                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                          Category:dropped
                                          Size (bytes):1863024
                                          Entropy (8bit):5.6880358236693995
                                          Encrypted:false
                                          SSDEEP:12288:es4d9dfaOdWUIhpJCPtjvntnSb8COevQonCLPub+7iqV:ghrWVhDCPtjvntnSb8COevQonCfrV
                                          MD5:A05838872C391E729B414D2B15083983
                                          SHA1:027038259B7C4BFE0066B6F5635E416EFBD84157
                                          SHA-256:A7C7DB8CE84441DF150EE880E5BDE9C17BC7C85DC87A61B1760738ECEB61AD52
                                          SHA-512:0B13D56945A381DCFD453E9D21D62B030007D24B89FA6F7EAF75D62CA80F7C7FE1842A44D9DEB25E286AC8FB1FE7C3567666C1E116C96DFD641B56E99262125A
                                          Malicious:false
                                          Process:C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):390
                                          Entropy (8bit):4.9610954329884995
                                          Encrypted:false
                                          SSDEEP:6:6IsxYkLpLBfMLPzYH20LdXGuSIsxYkL4bQLBfMLPzYH20HdXGuy4055seHZG5Vx3:wVM+TukgM+I4+XHZ6T3
                                          MD5:B35079C68A6C5651C8CA7B13F282320C
                                          SHA1:9C21C29805D82356707A300315B6208C0B1FE54D
                                          SHA-256:CEB78B366B4401C1857E29C4C74D979B54425319B59EA750960C498FBDCB76BA
                                          SHA-512:B9D1AC89D4D926CA36FF32C15CA18A4C7A186E9FD12193ABE0B40928793F4A568B8D934A77A5890D3F4063E000A0D8DDC52B126BDF8F753B6CD1A8604F82FEB8
                                          Malicious:false
                                          Preview:netsh advfirewall firewall add rule name="OZWebLauncherFireWall" dir=in program="C:\Program Files\Forcs\OZWebLauncher\OZWebLauncher.exe" action=allow..netsh advfirewall firewall add rule name="OZWebLauncherUtilFireWall" dir=in program="C:\Program Files\Forcs\OZWebLauncher\OZWebLauncherUtil.exe" action=allow..CheckNetIsolation LoopbackExempt -a -n="Microsoft.MicrosoftEdge_8wekyb3d8bbwe"
                                          Process:C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):402
                                          Entropy (8bit):5.036771004054146
                                          Encrypted:false
                                          SSDEEP:6:6IsxYkLpLBfMLPzYHi5ZLdXGuSIsxYkL4bQLBfMLPzYHi5ZHdXGuy4055seHZG5D:wVM+aPukgM+as4+XHZ6T3
                                          MD5:9DB1190E25AAF9079E5CEB5B33C48E39
                                          SHA1:8EFF0A99A11923689485972D1F23F0575A7D8B7A
                                          SHA-256:6CAC8EEF36B7219299E61DDF652209A3D208D7A25B804F8EE0F7E1721CEF5F3E
                                          SHA-512:61F33DB365E7C38E73A99A39D5502C06E361B588656265DF5576864F0E9A1D6A8C307B2E55F40C4A4D4AC12D0F710B2AE53553B33E5DDC8CBE249EEDD5772452
                                          Malicious:false
                                          Preview:netsh advfirewall firewall add rule name="OZWebLauncherFireWall" dir=in program="C:\Program Files (x86)\Forcs\OZWebLauncher\OZWebLauncher.exe" action=allow..netsh advfirewall firewall add rule name="OZWebLauncherUtilFireWall" dir=in program="C:\Program Files (x86)\Forcs\OZWebLauncher\OZWebLauncherUtil.exe" action=allow..CheckNetIsolation LoopbackExempt -a -n="Microsoft.MicrosoftEdge_8wekyb3d8bbwe"
                                          Process:C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe
                                          File Type:RIFF (little-endian) data, palette, 1168 bytes, data size 1028, 256 entries, extra bytes 0x6f66666c
                                          Category:dropped
                                          Size (bytes):1168
                                          Entropy (8bit):2.551387347019812
                                          Encrypted:false
                                          SSDEEP:12:b126a96IlDkYTYcspSuB0MRG763GDwFGrZYOFBz3WI7KEpw3f6QL7nhem:Ax96Il9T3ISMg76KJrZtT2b5X
                                          MD5:0ABAFE3F69D053494405061DE2629C82
                                          SHA1:E414B6F1E9EB416B9895012D24110B844F9F56D1
                                          SHA-256:8075162DB275EB52F5D691B15FC0D970CB007F5BECE33CE5DB509EDF51C1F020
                                          SHA-512:63448F2BEF338EA44F3BF9EF35E594EF94B4259F3B2595D77A836E872129B879CEF912E23CF48421BABF1208275E21DA1FABFDC494958BCFCD391C78308EAA27
                                          Malicious:false
                                          Process:C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):290
                                          Entropy (8bit):4.860702759650306
                                          Encrypted:false
                                          SSDEEP:6:6zmivYkLpLVZhYHi5ZLdb6zmivYkL4bQLVZhYHi5ZHdLvy:SmivToaPWmivkMoa3a
                                          MD5:FE9E6633457C036725A273F9970C3748
                                          SHA1:96EBDA67BA82F7485DD0F0709AFFE5E77A979709
                                          SHA-256:64FD3AA1B5D31737668EC496B01DF983F42F9F0AEE91F3D1F7A052ED02A083EB
                                          SHA-512:DA30322654B48E62FCD450DC5CA91E8C239C6BB69051BDB1CBCCCC14137D96378278D4F60AE0D566B7FAD728E50EF1B2CCB9A4992E5BE47570A708F30663AA92
                                          Malicious:false
                                          Preview:netsh advfirewall firewall delete rule name="OZWebLauncherFireWall" program="C:\Program Files (x86)\Forcs\OZWebLauncher\OZWebLauncher.exe"..netsh advfirewall firewall delete rule name="OZWebLauncherUtilFireWall" program="C:\Program Files (x86)\Forcs\OZWebLauncher\OZWebLauncherUtil.exe"....
                                          Process:C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):278
                                          Entropy (8bit):4.745297890297074
                                          Encrypted:false
                                          SSDEEP:6:6zmivYkLpLVZhYH20Ldb6zmivYkL4bQLVZhYH20HdLvy:SmivToTWmivkMoLa
                                          MD5:110A26CD66B9F9F182850E7E00458619
                                          SHA1:29979674FA8F63EFF5EDA9E706F0A46A8D877EBA
                                          SHA-256:AF3D30641532ECFBF2360D9851A7266BC83F683F207BD1A95F3A8F9005CB3C26
                                          SHA-512:9E78483B3001C98C5CE741EEBD3863CD364794C90EC82E25651A0B4028E93981A77340F7CDA2967FC7B9A11832FD93BCBECA6E2C25105F474D17DEE77483F1E2
                                          Malicious:false
                                          Preview:netsh advfirewall firewall delete rule name="OZWebLauncherFireWall" program="C:\Program Files\Forcs\OZWebLauncher\OZWebLauncher.exe"..netsh advfirewall firewall delete rule name="OZWebLauncherUtilFireWall" program="C:\Program Files\Forcs\OZWebLauncher\OZWebLauncherUtil.exe"....
                                          Process:C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe
                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                          Category:dropped
                                          Size (bytes):1005568
                                          Entropy (8bit):7.880783246239561
                                          Encrypted:false
                                          SSDEEP:24576:3idS2cRQNb9dUcyezFSja7zEwA2BH6SEUVGDKX68zuQm6wwr5mAPepC:SQ2cRQh9GexmCxBxVV56CmWQax
                                          MD5:9E8253F0A993E53B4809DBD74B335227
                                          SHA1:F6BA6F03C65C3996A258F58324A917463B2D6FF4
                                          SHA-256:E434828818F81E6E1F5955E84CAEC08662BD154A80B24A71A2EDA530D8B2F66A
                                          SHA-512:404D67D59FCD767E65D86395B38D1A531465CEE5BB3C5CF3D1205975FF76D27D477FE8CC3842B8134F17B61292D8E2FFBA71134FE50A36AFD60B189B027F5AF0
                                          Malicious:false
                                          Process:C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe
                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, PECompact2 compressed
                                          Category:dropped
                                          Size (bytes):432880
                                          Entropy (8bit):7.972245581674079
                                          Encrypted:false
                                          SSDEEP:12288:bQaI0sMvcMcl2xwNKASn+T3BKrJ1qhfcL1B:bK0s6cMcXAAQ+1w1qAn
                                          MD5:67B3328F3CC34596EC941DDA8574F606
                                          SHA1:219A67104A18F71C0CCB7B9D73F435D76E44F584
                                          SHA-256:CB80BFDD8263BB9AFF04BDC7D6BE71AD09800895B616223D8F97048AA0A506F7
                                          SHA-512:5E81FAC5A4E48353BDD0A60E8882B4B51A79298124D9FE8235940643BF2E4BFB13A881841A69DC479E1658CD42C6772C76A761CC2BE8342122E53460357C5091
                                          Malicious:false
                                          Process:C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe
                                          File Type:ASCII text, with no line terminators
                                          Category:dropped
                                          Size (bytes):48
                                          Entropy (8bit):4.204448698502606
                                          Encrypted:false
                                          SSDEEP:3:iDVHAe+WA6nWZmrXpn:iDVHAe+WfWErZn
                                          MD5:4350D5130EB65AFDEEDDA296B703974E
                                          SHA1:C611C56D2F61E834B601539E96C144B6D1B3B8D9
                                          SHA-256:DE1C8D23BAE11503F84C7C02084D114C311773AE6FE9A30977ADB80E3F9C0582
                                          SHA-512:087EFD219B2987A681941EBA4198F480840F34DCB8F452451CC414DB2293A2E82EA0A44DF3D4B2EE2816BB6F89208A4F6D206B56FC1A53D7D6D6E8F39F0224A8
                                          Malicious:false
                                          Preview:pref("security.enterprise_roots.enabled", true);
                                          Process:C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):255186
                                          Entropy (8bit):7.384273267559334
                                          Encrypted:false
                                          SSDEEP:3072:jIvdrk/YBXdCyfKjgqjWNlZNvlac9s4HfWsO0L1SuA90mG/EJKtglG5QZ6vSDMSh:jIOYxdC98ZZ7L1SuA93bItscabFB5EY7
                                          MD5:FA701C7DAAC8CA35B83BA40529B7D776
                                          SHA1:98C6298261F6E74F0EB29861C2D408D5B0048161
                                          SHA-256:B944AF37E91CCD737A358D15B66D41D23B7CF2B95E207090D3608C727C953803
                                          SHA-512:A5EB1CE77299D78F50FA94CC151CA57E902872C5B1CADD06772167A8C7EFCE82F8CB2952FE8C88EBEC9A560035FE2003E10CEE24A7696C6AF02F177987522430
                                          Malicious:false
                                          Process:C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):2251
                                          Entropy (8bit):7.645079781706718
                                          Encrypted:false
                                          SSDEEP:48:SXaqwNEtsUaeB5RIdhkRw651DhepRp6nzvV8YASGk3yGq90SyNYgMSQms0fz:SXhvWpeGh9lpRp6nrVhAlkiGeryNYRSL
                                          MD5:7A30103876575EE45B7BF9F6173771B8
                                          SHA1:179917B5E6E2FE1274AFA3AA9FA9E5DA263BA48E
                                          SHA-256:70EEE4F0DA75FDE3B7DED3B2BABD4BEC79ABE4A1CD08DFCB44AC4E605E9F32BB
                                          SHA-512:83BAA69203B7B34C90178902357E01728B9BFE937DAEEB24941178B0BDADD3E8B5A1B7F0F5C68413E3AD528129195D673DE3CDB962E6A55562099BCA7BDFEA6D
                                          Malicious:false
                                          Preview:........'...............P...............{19E435CC-91EC-41F7-897A-4CB8B1014FDE}.....................RSA1................s.....MH^.7$.7...l.....q =(.....L..a.......ujh..q.n.a.....W..V..a!&QI..,/.K.....X.1.8T..q..1~)......VC1i.O..f.X....Fj...z......[.0.... ..li.....D....".d#..q....1......2.@G..'7..`..Ko..JX.~>t.5.zG..=..,..8...?....&....f...uU..........@p.h.3.....................z..O......... ..N..m{(,G%....,...C.r.y.p.t.o.A.P.I. .P.r.i.v.a.t.e. .K.e.y....f...... ....!.G...w...cg;C.Z.?...(I....;............. .......+..=.....:.b.T.'..N^s`..v...P....~._f..@.8..P.b.....sb;.R.......j<.;.....q...7.J.y. ....<..Z...G$....'@xk!..-.:Yh|C8...:8.+^.,....R.zR..X......H@.Og...Lr."z2.)...Q........_..s....q.p....]X..X..:..</*..]....O......<b....h8..d.z..2..;.[..&!_9......"....*y./..W......F'x..D....B.U...C......,_..9r....{.....C...o4...+4.<rS...]....R....9.{`..DQ}..'.......z..D...m.nd7....A......4..Vi)g.@}D`qR..,M.aBN@..t.m...C._...xk'6)p.../ON..~.K...
                                          Process:C:\Windows\System32\svchost.exe
                                          File Type:JSON data
                                          Category:dropped
                                          Size (bytes):55
                                          Entropy (8bit):4.306461250274409
                                          Encrypted:false
                                          SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                          MD5:DCA83F08D448911A14C22EBCACC5AD57
                                          SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                          SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                          SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                          Malicious:false
                                          Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
                                          Process:C:\Program Files (x86)\FORCS\OZWebLauncher\OZWLService.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):602
                                          Entropy (8bit):3.4539857304636254
                                          Encrypted:false
                                          SSDEEP:12:l76UAOOl76Iubicel76UAsZMlWlZ56rl76ELl7Suicel7OAOJ5+n:AhZAIPceAhikWl+Ae8jce9I5+n
                                          MD5:185DFFF43863E402606CC5D70DD8A916
                                          SHA1:5178953082C680C1ED28FE26C8394C0A57F782BC
                                          SHA-256:DE152FB672FA2EE2EB298E2CC2D9F6AEEFACBEAAE888994055362BF812F1C5B3
                                          SHA-512:91ED99CAA6F51EFE44DAA214F725EE6D742D33AE7B4E50B93BC958A848F4EE0D97B02C59E37E5F1FAB5C70184CC4141E28920EF9325CBC96C9D65F97C8FD6491
                                          Malicious:false
                                          Preview:[24/04/26 19:32:40] : Start OZWLService. ..[24/04/26 19:32:40] : OZWebLauncherUtil is started. ..[24/04/26 19:32:40] : Start Process SessionID : 1  ..[24/04/26 19:32:40] : Current User - Admin ..[24/04/26 19:32:41] : OZWebLauncher is started. ..[24/04/26 19:32:41] : Start OZWebLauncher Monitoring. ..
                                          Process:C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):416
                                          Entropy (8bit):5.064554701857866
                                          Encrypted:false
                                          SSDEEP:12:QRCy3QSOHRCyMKfGzGRCyRCHRCyMKfGz1:gngpxnMKfGzKnSnMKfGz1
                                          MD5:E159BA5D163E80029182CD54F1EE1C98
                                          SHA1:DA5FE7AA8F46D8BF429BCCF69726CF5C74EED612
                                          SHA-256:806CA3887526721F6FCDABD5C202C7BEC59B29A99C2825EFEF83A7B460DDF202
                                          SHA-512:104BF0B507CA6CCA6F67A56CB2F46E9BD0164F3347FCDA1227CB15214477167AE9EC3FBAB00C661DABB516C4928BB15E778D0F48BB336F2D2208C938C60C8A59
                                          Malicious:false
                                          Preview:OZWebLauncherUtil.exe Information: 0 : 26/04/2024 19:32:41 : Web root: C:\Program Files (x86)\FORCS\OZWebLauncher\..OZWebLauncherUtil.exe Information: 0 : 26/04/2024 19:32:41 : Server started listening on port 36479..OZWebLauncherUtil.exe Information: 0 : 26/04/2024 19:32:41 : Successfully loaded certificate..OZWebLauncherUtil.exe Information: 0 : 26/04/2024 19:32:41 : Server started listening on port 36509..
                                          Process:C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe
                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                          Category:dropped
                                          Size (bytes):179752
                                          Entropy (8bit):6.5246371305408655
                                          Encrypted:false
                                          SSDEEP:3072:I+vSg4CdMtb4L61vPfqhnFJbqJZw2/q5R+5p0x5xNMRVK72Xx0t:Z4Cm14L6+nFgw2C5xx5xNMKqut
                                          MD5:642B14AEA1E552D4EA7CE8C6A7A25817
                                          SHA1:47C57C92D5EE6230407236F9412647A74828AC80
                                          SHA-256:6E912ECEDD220AF7A16A7AB7009CABA264845B0165DABBA36EFC53CB4611C844
                                          SHA-512:3B043777DB1D47FFD47ED276C3E6F834F3DF1DB4993FE2E150A57C76716E1EC7C7421FACBDEC6D27362D9729AA3A125D33D454D91D5E311DE9787E7A95FD8C5A
                                          Malicious:false
                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........>J.._$.._$.._$..'..._$...I.._$..._.._$.._%.$_$..'..._$..'..._$..'..._$......_$..'..._$.Rich._$.........PE..L...}.qb...........!................,...............................................:...............................PC.......1...........#..............(...............................................@...............p............................text............................... ..`.orpc...3........................... ..`.rdata...t.......t..................@..@.data....:...P....... ..............@....rsrc....#.......$...>..............@..@.reloc..P-...........b..............@..B........................................................................................................................................................................................................................................................................................
                                          Process:C:\Windows\SysWOW64\CheckNetIsolation.exe
                                          File Type:ASCII text, with CR, LF line terminators
                                          Category:dropped
                                          Size (bytes):5
                                          Entropy (8bit):2.321928094887362
                                          Encrypted:false
                                          SSDEEP:3:hw:hw
                                          MD5:7F84511CFFF17FE4BC5172F5CF0F88F4
                                          SHA1:F2E7D37F3AA7FCDFB8D654F6FBF23CD9C3D3E176
                                          SHA-256:2B7EFF5D89F9365AC0663B29276405E3473484EA8C71C945C3B9827BC049B532
                                          SHA-512:ED93C62C80E0A29C96257FEC704B280E6D89C823C9AD6426A752EA06D46831704281F31082ACB5F2E7DBF6CC789E09AC7FCD64867A0FD19321E201C700EA3ABC
                                          Malicious:false
                                          Preview:OK...
                                          File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                          Entropy (8bit):7.860834384962176
                                          TrID:
                                          • Win32 Executable (generic) a (10002005/4) 95.94%
                                          • DirectShow filter (201580/2) 1.93%
                                          • Windows ActiveX control (116523/4) 1.12%
                                          • Win32 EXE PECompact compressed (v2.x) (59071/9) 0.57%
                                          • Win32 EXE PECompact compressed (generic) (41571/9) 0.40%
                                          File name:OnLine_Install_Dialog_UI_SSL.exe
                                          File size:11'588'408 bytes
                                          MD5:74db9f552ccae0af3640851c6960f079
                                          SHA1:44cc1e1e974e90982146719efd496c9721465a4a
                                          SHA256:c5494d160a1b3cdff381623216bdcc8aef9fc5a18565fd1a679a4e2eb8a7c056
                                          SHA512:e36aa21f79de68c72a8c5b7081396c3a734d297a0bc5f591fdaca96e9d60fbe03dead322ed5a2a00c075f7545ee7148037628d8849b9de8ca3069341936d1944
                                          SSDEEP:196608:8jkq5tgtRA/pkqskjW4J3vKkSVyL5IkaCvD076Zo+37fmoj78VccGjkq5tgtRAt:ZqJjW4xikSVyjZvDJGY+oHlj
                                          TLSH:1FC60103BA81903EE26606318C7F6E6086A97D775B2145DBB288FE1D2DF05D1B937B07
                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^y....s...s...s.......s.......s.......s.......s.....Z.s..o....s...r...s..o....s.....7.s.......s.......s.......s.Rich..s........
                                          Icon Hash:55497933cc61714d
                                          Entrypoint:0x45e61f
                                          Entrypoint Section:.text
                                          Digitally signed:true
                                          Imagebase:0x400000
                                          Subsystem:windows gui
                                          Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
                                          DLL Characteristics:NX_COMPAT, TERMINAL_SERVER_AWARE
                                          Time Stamp:0x5979D664 [Thu Jul 27 12:02:44 2017 UTC]
                                          TLS Callbacks:
                                          CLR (.Net) Version:
                                          OS Version Major:5
                                          OS Version Minor:1
                                          File Version Major:5
                                          File Version Minor:1
                                          Subsystem Version Major:5
                                          Subsystem Version Minor:1
                                          Import Hash:952608687d343553fa2ebbe1a801044c
                                          Signature Valid:true
                                          Signature Issuer:CN=GlobalSign GCC R45 EV CodeSigning CA 2020, O=GlobalSign nv-sa, C=BE
                                          Signature Validation Error:The operation completed successfully
                                          Error Number:0
                                          Not Before, Not After
                                          • 07/04/2022 03:44:20 08/04/2023 03:44:20
                                          Subject Chain
                                          • CN="FORCS Co., Ltd.", O="FORCS Co., Ltd.", STREET="646, Nonhyeon-ro", L=Gangnam-gu, S=Seoul, C=KR, OID.1.3.6.1.4.1.311.60.2.1.3=KR, SERIALNUMBER=110111-3940221, OID.2.5.4.15=Private Organization
                                          Version:3
                                          Thumbprint MD5:0DD355D8B372C0923E14E1D36E29C1B7
                                          Thumbprint SHA-1:ED8B95F81D8B6E533E3D1BE80FB0A56755CE6971
                                          Thumbprint SHA-256:A0EB47AD773A8EDAFBF5C2055663BA6FBB4AF9867303ADEB30329A5ACCF05883
                                          Serial:01BB91EDCC77455B8697292F
                                          Instruction
                                          call 00007F26DC80D1BFh
                                          jmp 00007F26DC7FF5AEh
                                          push ebp
                                          mov ebp, esp
                                          mov eax, dword ptr [ebp+14h]
                                          push esi
                                          test eax, eax
                                          je 00007F26DC7FF7AEh
                                          cmp dword ptr [ebp+08h], 00000000h
                                          jne 00007F26DC7FF785h
                                          call 00007F26DC7FE63Ch
                                          push 00000016h
                                          pop esi
                                          mov dword ptr [eax], esi
                                          call 00007F26DC806202h
                                          mov eax, esi
                                          jmp 00007F26DC7FF797h
                                          cmp dword ptr [ebp+10h], 00000000h
                                          je 00007F26DC7FF759h
                                          cmp dword ptr [ebp+0Ch], eax
                                          jnc 00007F26DC7FF77Bh
                                          call 00007F26DC7FE61Eh
                                          push 00000022h
                                          jmp 00007F26DC7FF752h
                                          push eax
                                          push dword ptr [ebp+10h]
                                          push dword ptr [ebp+08h]
                                          call 00007F26DC7FC098h
                                          add esp, 0Ch
                                          xor eax, eax
                                          pop esi
                                          pop ebp
                                          ret
                                          push ebp
                                          mov ebp, esp
                                          xor edx, edx
                                          mov eax, edx
                                          cmp dword ptr [ebp+0Ch], eax
                                          jbe 00007F26DC7FF783h
                                          mov ecx, dword ptr [ebp+08h]
                                          cmp word ptr [ecx], dx
                                          je 00007F26DC7FF77Bh
                                          inc eax
                                          add ecx, 02h
                                          cmp eax, dword ptr [ebp+0Ch]
                                          jc 00007F26DC7FF764h
                                          pop ebp
                                          ret
                                          int3
                                          int3
                                          int3
                                          int3
                                          int3
                                          int3
                                          int3
                                          int3
                                          int3
                                          int3
                                          int3
                                          int3
                                          mov ecx, dword ptr [esp+0Ch]
                                          push edi
                                          test ecx, ecx
                                          je 00007F26DC7FF808h
                                          push esi
                                          push ebx
                                          mov ebx, ecx
                                          mov esi, dword ptr [esp+14h]
                                          test esi, 00000003h
                                          mov edi, dword ptr [esp+10h]
                                          jne 00007F26DC7FF77Dh
                                          shr ecx, 02h
                                          jne 00007F26DC7FF7FBh
                                          jmp 00007F26DC7FF799h
                                          mov al, byte ptr [esi]
                                          add esi, 01h
                                          mov byte ptr [edi], al
                                          add edi, 01h
                                          sub ecx, 01h
                                          je 00007F26DC7FF79Dh
                                          test al, al
                                          je 00007F26DC7FF7A1h
                                          test esi, 00000003h
                                          jne 00007F26DC7FF757h
                                          Programming Language:
                                          • [ C ] VS2012 UPD1 build 51106
                                          • [C++] VS2012 UPD1 build 51106
                                          • [RES] VS2012 UPD1 build 51106
                                          • [LNK] VS2012 UPD1 build 51106
                                          Name | Virtual Address | Virtual Size | Is in Section
                                          IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_IMPORT | 0xd420c | 0xdc | .rdata
                                          IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xdc000 | 0x4c374 | .rsrc
                                          IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_SECURITY | 0xb0ae18 | 0x2520 |
                                          IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_DEBUG | 0xae700 | 0x38 | .rdata
                                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xc3478 | 0x40 | .rdata
                                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_IAT | 0xae000 | 0x674 | .rdata
                                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0xd3a48 | 0x120 | .rdata
                                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                          Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                          .text | 0x1000 | 0xac3bb | 0xac400 | 386d4e83ddc03d283ce60ef8000a365d | False | 0.47123321843251087 | data | 6.542037368452921 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                          .rdata | 0xae000 | 0x2850e | 0x28600 | 071ef44d162d59f09766d34c47d905ac | False | 0.42459607198142413 | data | 5.194098502397867 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                          .data | 0xd7000 | 0x4c24 | 0x2600 | 022a8788ffc1c09d3a398a6fdb88e32e | False | 0.2922491776315789 | PGP symmetric key encrypted data - Plaintext or unencrypted data | 4.513958170455511 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                          .rsrc | 0xdc000 | 0x4c374 | 0x4c400 | fe42c7687b6fef9d6fea4552c5da961a | False | 0.359820056352459 | data | 6.533701347593635 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                          Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                          GIF | 0xdced4 | 0x339f | GIF image data, version 89a, 350 x 624 | English | United States | 0.9129020052970109
                                          PNG | 0xe0274 | 0x39ed | PNG image data, 360 x 150, 8-bit/color RGBA, non-interlaced |  |  | 0.9975723244992919
                                          PNG | 0xe3c64 | 0x2fc9 | PNG image data, 240 x 227, 8-bit/color RGBA, non-interlaced |  |  | 0.9968119022316685
                                          RT_BITMAP | 0xe6c30 | 0x14220 | Device independent bitmap graphic, 220 x 370 x 8, image size 81400 |  |  | 0.34390764454792394
                                          RT_BITMAP | 0xfae50 | 0x1b5c | Device independent bitmap graphic, 180 x 75 x 4, image size 6900 |  |  | 0.18046830382638493
                                          RT_BITMAP | 0xfc9ac | 0x38e4 | Device independent bitmap graphic, 180 x 75 x 8, image size 13500 |  |  | 0.26689096402087337
                                          RT_BITMAP | 0x100290 | 0x1238 | Device independent bitmap graphic, 60 x 60 x 8, image size 3600 |  |  | 0.23499142367066894
                                          RT_BITMAP | 0x1014c8 | 0x6588 | Device independent bitmap graphic, 161 x 152 x 8, image size 24928, resolution 3796 x 3796 px/m, 256 important colors |  |  | 0.3035934133579563
                                          RT_BITMAP | 0x107a50 | 0x11f88 | Device independent bitmap graphic, 161 x 152 x 24, image size 73568, resolution 3780 x 3780 px/m |  |  | 0.12790729268557766
                                          RT_ICON | 0x1199d8 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 0 |  |  | 0.21341463414634146
                                          RT_ICON | 0x11a040 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 |  |  | 0.34139784946236557
                                          RT_ICON | 0x11a328 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 |  |  | 0.5202702702702703
                                          RT_ICON | 0x11a450 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 |  |  | 0.47334754797441364
                                          RT_ICON | 0x11b2f8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 |  |  | 0.6101083032490975
                                          RT_ICON | 0x11bba0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 |  |  | 0.596820809248555
                                          RT_ICON | 0x11c108 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 |  |  | 0.2932572614107884
                                          RT_ICON | 0x11e6b0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 |  |  | 0.4343339587242026
                                          RT_ICON | 0x11f758 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 |  |  | 0.7198581560283688
                                          RT_ICON | 0x11fbc0 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 |  |  | 0.35618279569892475
                                          RT_ICON | 0x11fea8 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 |  |  | 0.42473118279569894
                                          RT_DIALOG | 0x120190 | 0x1ce | data |  |  | 0.48917748917748916
                                          RT_DIALOG | 0x120360 | 0x266 | data |  |  | 0.4527687296416938
                                          RT_DIALOG | 0x1205c8 | 0x2b0 | data |  |  | 0.438953488372093
                                          RT_DIALOG | 0x120878 | 0x54 | data |  |  | 0.6904761904761905
                                          RT_DIALOG | 0x1208cc | 0x34 | data |  |  | 0.8846153846153846
                                          RT_DIALOG | 0x120900 | 0xd6 | data |  |  | 0.6495327102803738
                                          RT_DIALOG | 0x1209d8 | 0x114 | data |  |  | 0.5036231884057971
                                          RT_DIALOG | 0x120aec | 0xd6 | data |  |  | 0.5841121495327103
                                          RT_DIALOG | 0x120bc4 | 0x246 | data |  |  | 0.4690721649484536
                                          RT_DIALOG | 0x120e0c | 0x3c8 | data |  |  | 0.4194214876033058
                                          RT_DIALOG | 0x1211d4 | 0x14e | data |  |  | 0.5359281437125748
                                          RT_DIALOG | 0x121324 | 0x1e8 | data |  |  | 0.49385245901639346
                                          RT_DIALOG | 0x12150c | 0x1c6 | data |  |  | 0.5286343612334802
                                          RT_DIALOG | 0x1216d4 | 0x1ee | data |  |  | 0.49190283400809715
                                          RT_DIALOG | 0x1218c4 | 0x7c | data |  |  | 0.7580645161290323
                                          RT_DIALOG | 0x121940 | 0x3bc | data |  |  | 0.4372384937238494
                                          RT_DIALOG | 0x121cfc | 0x158 | data |  |  | 0.5581395348837209
                                          RT_DIALOG | 0x121e54 | 0x1da | data |  |  | 0.5168776371308017
                                          RT_DIALOG | 0x122030 | 0x10a | data |  |  | 0.6015037593984962
                                          RT_DIALOG | 0x12213c | 0xde | data |  |  | 0.6441441441441441
                                          RT_DIALOG | 0x12221c | 0x1d4 | data |  |  | 0.5085470085470085
                                          RT_DIALOG | 0x1223f0 | 0x1dc | data |  |  | 0.5210084033613446
                                          RT_DIALOG | 0x1225cc | 0x294 | data |  |  | 0.48787878787878786
                                          RT_STRING | 0x122860 | 0x160 | data | English | United States | 0.5340909090909091
                                          RT_STRING | 0x1229c0 | 0x23e | data | English | United States | 0.40418118466898956
                                          RT_STRING | 0x122c00 | 0x378 | data | English | United States | 0.4222972972972973
                                          RT_STRING | 0x122f78 | 0x252 | data | English | United States | 0.4393939393939394
                                          RT_STRING | 0x1231cc | 0x1f4 | data | English | United States | 0.442
                                          RT_STRING | 0x1233c0 | 0x66a | data | English | United States | 0.3617539585870889
                                          RT_STRING | 0x123a2c | 0x366 | data | English | United States | 0.41379310344827586
                                          RT_STRING | 0x123d94 | 0x27e | data | English | United States | 0.4561128526645768
                                          RT_STRING | 0x124014 | 0x518 | data | English | United States | 0.39800613496932513
                                          RT_STRING | 0x12452c | 0x882 | data | English | United States | 0.3002754820936639
                                          RT_STRING | 0x124db0 | 0x23e | data | English | United States | 0.45121951219512196
                                          RT_STRING0x124ff00x3badataEnglishUnited States0.3280922431865828
                                          RT_STRING0x1253ac0x12cdataEnglishUnited States0.5266666666666666
                                          RT_STRING0x1254d80x4adataEnglishUnited States0.6756756756756757
                                          RT_STRING0x1255240xdadataEnglishUnited States0.6100917431192661
                                          RT_STRING0x1256000x110dataEnglishUnited States0.5845588235294118
                                          RT_STRING0x1257100x20adataEnglishUnited States0.4521072796934866
                                          RT_STRING0x12591c0xbaMatlab v4 mat-file (little endian) P, numeric, rows 0, columns 0EnglishUnited States0.5860215053763441
                                          RT_STRING0x1259d80xa8dataEnglishUnited States0.6607142857142857
                                          RT_STRING0x125a800x12adataEnglishUnited States0.5201342281879194
                                          RT_STRING0x125bac0x422dataEnglishUnited States0.2741020793950851
                                          RT_STRING0x125fd00x5c2dataEnglishUnited States0.37720488466757124
                                          RT_STRING0x1265940x40dataEnglishUnited States0.671875
                                          RT_STRING0x1265d40xcaadataEnglishUnited States0.2313386798272671
                                          RT_STRING0x1272800x284dataEnglishUnited States0.4363354037267081
                                          RT_GROUP_ICON0x1275040x84data0.6363636363636364
                                          RT_GROUP_ICON0x1275880x14data1.25
                                          RT_GROUP_ICON0x12759c0x14data1.25
                                          RT_VERSION0x1275b00x478data0.42482517482517484
                                          RT_MANIFEST0x127a280x626XML 1.0 document, ASCII text, with CRLF line terminators0.44472681067344344
                                          RT_MANIFEST0x1280500x323XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (743), with CRLF line terminatorsEnglishUnited States0.5255292652552926
                                          DLL | Import
                                          COMCTL32.dll |
                                          KERNEL32.dll | IsBadReadPtr, CompareStringW, CompareStringA, GetSystemDefaultLangID, GetUserDefaultLangID, ExpandEnvironmentStringsW, GetCurrentDirectoryW, FileTimeToLocalFileTime, GetFileTime, SetFileAttributesW, HeapAlloc, HeapFree, GetProcessHeap, CopyFileW, GetWindowsDirectoryW, InterlockedDecrement, InterlockedIncrement, GetTempPathW, CreateFileW, LoadLibraryA, GetSystemDirectoryA, FindResourceW, GlobalFree, GlobalUnlock, GlobalLock, GlobalAlloc, GetPrivateProfileIntW, LockResource, LoadResource, MultiByteToWideChar, MoveFileExW, WriteProcessMemory, VirtualProtectEx, GetSystemDirectoryW, FlushInstructionCache, SetThreadContext, GetThreadContext, ResumeThread, TerminateProcess, ExitProcess, LoadLibraryW, lstrcatW, lstrcpynW, lstrcmpiW, LoadLibraryExW, FreeLibrary, FindResourceExW, UnmapViewOfFile, MapViewOfFile, CreateFileMappingW, VirtualQuery, GetSystemInfo, GetSystemTimeAsFileTime, CreateEventW, CreateMutexW, ReleaseMutex, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, QueryPerformanceFrequency, SetErrorMode, RaiseException, FreeResource, GetPrivateProfileSectionNamesA, GetPrivateProfileStringA, GetPrivateProfileIntA, lstrcatA, lstrcmpiA, MulDiv, FlushFileBuffers, WriteConsoleW, SetStdHandle, OutputDebugStringW, SetConsoleCtrlHandler, SetFilePointerEx, GetConsoleMode, WriteFile, SetFilePointer, GetFileSize, GetFileAttributesW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, FindFirstFileW, FindClose, CreateDirectoryW, VerLanguageNameW, IsValidLocale, GetLocaleInfoW, WideCharToMultiByte, lstrcpyA, GetTickCount, ExitThread, CreateThread, GetExitCodeProcess, ReadFile, GetCommandLineW, FormatMessageW, LocalFree, SizeofResource, GetVersionExW, GetCurrentProcess, WaitForSingleObject, SetLastError, GetLastError, DuplicateHandle, RemoveDirectoryW, DeleteFileW, SetCurrentDirectoryW, lstrlenW, lstrcpyW, GetProcAddress, GetModuleHandleW, GetModuleFileNameW, CreateProcessW, Sleep, CloseHandle, GetSystemDefaultUILanguage, ReadConsoleW, GetConsoleCP, EnumSystemLocalesW, GetUserDefaultLCID, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetFileType, HeapReAlloc, GetStdHandle, HeapSize, AreFileApisANSI, GetModuleHandleExW, GetStringTypeW, GetCurrentThreadId, GetCPInfo, GetOEMCP, IsValidCodePage, CreateSemaphoreW, GetStartupInfoW, TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, SetUnhandledExceptionFilter, UnhandledExceptionFilter, FatalAppExitA, GetACP, IsProcessorFeaturePresent, IsDebuggerPresent, RtlUnwind, lstrcpynA, LocalAlloc, FindNextFileW, WritePrivateProfileSectionW, GetPrivateProfileSectionW, lstrcmpW, GetShortPathNameW, GetCurrentThread, QueryPerformanceCounter, lstrcmpA, SystemTimeToFileTime, ResetEvent, SetEvent, Process32NextW, Process32FirstW, CreateToolhelp32Snapshot, GetDateFormatW, GetTimeFormatW, GetTempFileNameW, GetEnvironmentVariableW, CompareFileTime, InterlockedExchange, LoadLibraryExA, EnterCriticalSection, LeaveCriticalSection, EncodePointer, DecodePointer, LCMapStringW, GetVersion, GetCurrentProcessId, GetLocalTime, lstrlenA, GetProcessTimes, OpenProcess, SetFileTime
                                          USER32.dll | DialogBoxIndirectParamW, MoveWindow, SendMessageW, CharUpperBuffW, WaitForInputIdle, wsprintfW, GetDlgItem, SetDlgItemTextW, SetActiveWindow, SetForegroundWindow, SetWindowTextW, GetWindowRect, MessageBoxW, GetWindowLongW, SetWindowLongW, LoadIconW, TranslateMessage, DispatchMessageW, PeekMessageW, EndDialog, SystemParametersInfoW, GetWindow, FillRect, GetSysColor, MapWindowPoints, RemovePropW, GetPropW, SetPropW, EndPaint, BeginPaint, EnableMenuItem, GetSystemMetrics, SetFocus, ExitWindowsEx, CharUpperW, wsprintfA, CallWindowProcW, CreateWindowExW, DrawIcon, DrawTextW, UpdateWindow, GetWindowDC, InvalidateRect, DrawFocusRect, CopyRect, InflateRect, EnumChildWindows, GetClassNameW, MapDialogRect, RegisterClassExW, GetDlgItemTextW, IntersectRect, MonitorFromPoint, DefWindowProcW, GetMessageW, LoadStringW, LoadImageW, ReleaseDC, GetDC, CreateDialogParamW, GetParent, GetWindowTextW, CharNextW, GetDesktopWindow, GetClientRect, IsWindowEnabled, CreateDialogIndirectParamW, IsWindowVisible, IsDialogMessageW, FindWindowExW, ScreenToClient, EnableWindow, MsgWaitForMultipleObjects, SendDlgItemMessageW, SetWindowPos, ShowWindow, DestroyWindow, IsWindow, PostMessageW
                                          GDI32.dll | SetTextColor, SetBkMode, SetBkColor, SaveDC, RestoreDC, CreateSolidBrush, UnrealizeObject, CreateHalftonePalette, GetDIBColorTable, SelectPalette, SelectObject, RealizePalette, GetSystemPaletteEntries, GetDeviceCaps, DeleteDC, CreatePalette, CreateCompatibleDC, BitBlt, GetObjectW, TranslateCharsetInfo, DeleteObject, CreateFontIndirectW, CreateCompatibleBitmap, CreateDCW, CreatePatternBrush, GetStockObject, GetTextExtentPoint32W, DeleteMetaFile, CreateDIBitmap, CreateBitmap, CreateRectRgn, PatBlt, PlayMetaFile, SelectClipRgn, SetMapMode, SetMetaFileBitsEx, SetPixel, StretchBlt, SetStretchBltMode, SetViewportExtEx, SetViewportOrgEx, SetWindowExtEx, SetWindowOrgEx, TextOutW
                                          ADVAPI32.dll | CryptSignHashW, RegEnumValueW, RegQueryValueExW, SetEntriesInAclW, RegQueryInfoKeyW, RegEnumKeyExW, RegDeleteValueW, RegDeleteKeyW, SetSecurityDescriptorOwner, SetSecurityDescriptorGroup, SetSecurityDescriptorDacl, InitializeSecurityDescriptor, CreateWellKnownSid, RegSetValueExW, RegOpenKeyExW, RegCreateKeyExW, RegCloseKey, RegOpenKeyW, OpenProcessToken, AdjustTokenPrivileges, AllocateAndInitializeSid, FreeSid, LookupPrivilegeValueW, RegOverridePredefKey, RegCreateKeyW, RegEnumKeyW, OpenThreadToken, GetTokenInformation, EqualSid, CryptAcquireContextW, CryptReleaseContext, CryptDeriveKey, CryptDestroyKey, CryptSetHashParam, CryptGetHashParam, CryptExportKey, CryptImportKey, CryptCreateHash, CryptHashData, CryptDestroyHash, CryptVerifySignatureW
                                          SHELL32.dll | SHGetPathFromIDListW, SHGetSpecialFolderLocation, SHGetMalloc, ShellExecuteExW
                                          ole32.dll | CoTaskMemFree, CoTaskMemRealloc, CoTaskMemAlloc, CoCreateInstance, CoInitializeSecurity, ProgIDFromCLSID, CreateStreamOnHGlobal, CoInitializeEx, CoUninitialize, GetRunningObjectTable, CreateItemMoniker, CoLoadLibrary, CoCreateGuid, StringFromGUID2
                                          OLEAUT32.dll | VariantChangeType, VarBstrCmp, CreateErrorInfo, SetErrorInfo, UnRegisterTypeLib, RegisterTypeLib, LoadTypeLib, VariantInit, VariantClear, VarUI4FromStr, SysAllocString, SysFreeString, SysStringLen, SysAllocStringLen, SysReAllocStringLen, GetErrorInfo, SysStringByteLen, VarBstrCat, SysAllocStringByteLen
                                          RPCRT4.dll | UuidCreate, RpcStringFreeW, UuidFromStringW, UuidToStringW
                                          gdiplus.dll | GdipFree, GdipDrawImageRectI, GdipSetInterpolationMode, GdipDeleteGraphics, GdipCreateFromHDC, GdipCreateBitmapFromResource, GdipCreateBitmapFromFileICM, GdipCreateBitmapFromStreamICM, GdipCreateBitmapFromFile, GdipCreateBitmapFromStream, GdipDisposeImage, GdipCloneImage, GdiplusStartup, GdipGetImageWidth, GdipGetImageHeight, GdipAlloc
                                          Language of compilation system | Country where language is spoken | Map
                                          English | United States |
                                          No network behavior found

                                          Target ID:0
                                          Start time:19:31:53
                                          Start date:26/04/2024
                                          Path:C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe"
                                          Imagebase:0x400000
                                          File size:11'588'408 bytes
                                          MD5 hash:74DB9F552CCAE0AF3640851C6960F079
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:low
                                          Has exited:true

                                          Target ID:1
                                          Start time:19:31:54
                                          Start date:26/04/2024
                                          Path:C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe
                                          Wow64 process (32bit):true
                                          Commandline:C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe -package:"C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe" -no_selfdeleter -IS_temp -media_path:"C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\Disk1\" -tempdisk1folder:"C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\" -IS_OriginalLauncher:"C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\Disk1\setup.exe"
                                          Imagebase:0x400000
                                          File size:1'193'984 bytes
                                          MD5 hash:1B3150F66F03B0DA4EFCCDD9F079E5F7
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:low
                                          Has exited:true

                                          Target ID:2
                                          Start time:19:31:57
                                          Start date:26/04/2024
                                          Path:C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{5E314697-D110-4002-B63C-61B432079D77}
                                          Imagebase:0x7ff7d9430000
                                          File size:182'008 bytes
                                          MD5 hash:8A1E5A6B1C4E0C7D706EB2B36FA6C8EA
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:moderate
                                          Has exited:true

                                          Target ID:3
                                          Start time:19:31:57
                                          Start date:26/04/2024
                                          Path:C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{1856CA6F-3A7F-472E-B337-2E3FA07FC85C}
                                          Imagebase:0x7ff7d9430000
                                          File size:182'008 bytes
                                          MD5 hash:8A1E5A6B1C4E0C7D706EB2B36FA6C8EA
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:moderate
                                          Has exited:true

                                          Target ID:4
                                          Start time:19:31:57
                                          Start date:26/04/2024
                                          Path:C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{0F0A08E8-A0D1-45AD-AF2B-F10D703CD02A}
                                          Imagebase:0x7ff7d9430000
                                          File size:182'008 bytes
                                          MD5 hash:8A1E5A6B1C4E0C7D706EB2B36FA6C8EA
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:moderate
                                          Has exited:true

                                          Target ID:5
                                          Start time:19:31:57
                                          Start date:26/04/2024
                                          Path:C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{BAB69511-4FCB-4C17-80A3-43394505337C}
                                          Imagebase:0x7ff7d9430000
                                          File size:182'008 bytes
                                          MD5 hash:8A1E5A6B1C4E0C7D706EB2B36FA6C8EA
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:moderate
                                          Has exited:true

                                          Target ID:6
                                          Start time:19:31:57
                                          Start date:26/04/2024
                                          Path:C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{10BFDE1A-F312-4E1F-BEA2-24F4DCA4D57F}
                                          Imagebase:0x7ff7d9430000
                                          File size:182'008 bytes
                                          MD5 hash:8A1E5A6B1C4E0C7D706EB2B36FA6C8EA
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:moderate
                                          Has exited:true

                                          Target ID:7
                                          Start time:19:32:01
                                          Start date:26/04/2024
                                          Path:C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{54B59A05-F3F9-4E3A-8D72-1C938585C9B4}
                                          Imagebase:0x7ff7d9430000
                                          File size:182'008 bytes
                                          MD5 hash:8A1E5A6B1C4E0C7D706EB2B36FA6C8EA
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:moderate
                                          Has exited:true

                                          Target ID:8
                                          Start time:19:32:01
                                          Start date:26/04/2024
                                          Path:C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWLBridge.exe
                                          Wow64 process (32bit):true
                                          Commandline:C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWLBridge.exe
                                          Imagebase:0x1b0000
                                          File size:1'747'272 bytes
                                          MD5 hash:644CC925D18E5326744499E5560CFC95
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:low
                                          Has exited:true

                                          Target ID:9
                                          Start time:19:32:01
                                          Start date:26/04/2024
                                          Path:C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWebLauncher.exe
                                          Wow64 process (32bit):true
                                          Commandline:C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWebLauncher.exe
                                          Imagebase:0xf50000
                                          File size:1'747'304 bytes
                                          MD5 hash:40BFA09CEEE186F28232846DA91C5D98
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:low
                                          Has exited:true

                                          Target ID:11
                                          Start time:19:32:02
                                          Start date:26/04/2024
                                          Path:C:\Windows\System32\VSSVC.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\vssvc.exe
                                          Imagebase:0x7ff6b97a0000
                                          File size:1'495'040 bytes
                                          MD5 hash:875046AD4755396636A68F4A9EDB22A4
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:moderate
                                          Has exited:false

                                          Target ID:12
                                          Start time:19:32:02
                                          Start date:26/04/2024
                                          Path:C:\Windows\System32\svchost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\System32\svchost.exe -k swprv
                                          Imagebase:0x7ff6eef20000
                                          File size:55'320 bytes
                                          MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:false

                                          Target ID:16
                                          Start time:19:32:25
                                          Start date:26/04/2024
                                          Path:C:\Windows\System32\SrTasks.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:1
                                          Imagebase:0x7ff65fe50000
                                          File size:59'392 bytes
                                          MD5 hash:2694D2D28C368B921686FE567BD319EB
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:moderate
                                          Has exited:true

                                          Target ID:17
                                          Start time:19:32:25
                                          Start date:26/04/2024
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff7699e0000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          Target ID:18
                                          Start time:19:32:33
                                          Start date:26/04/2024
                                          Path:C:\Windows\SysWOW64\cmd.exe
                                          Wow64 process (32bit):true
                                          Commandline:C:\Windows\system32\cmd.exe /c C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\addfirewall.bat /s /v/q
                                          Imagebase:0x240000
                                          File size:236'544 bytes
                                          MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          Target ID:19
                                          Start time:19:32:33
                                          Start date:26/04/2024
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff7699e0000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:20
                                          Start time:19:32:33
                                          Start date:26/04/2024
                                          Path:C:\Windows\SysWOW64\netsh.exe
                                          Wow64 process (32bit):true
                                          Commandline:netsh advfirewall firewall add rule name="OZWebLauncherFireWall" dir=in program="C:\Program Files (x86)\Forcs\OZWebLauncher\OZWebLauncher.exe" action=allow
                                          Imagebase:0x1560000
                                          File size:82'432 bytes
                                          MD5 hash:4E89A1A088BE715D6C946E55AB07C7DF
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:21
                                          Start time:19:32:34
                                          Start date:26/04/2024
                                          Path:C:\Windows\SysWOW64\netsh.exe
                                          Wow64 process (32bit):true
                                          Commandline:netsh advfirewall firewall add rule name="OZWebLauncherUtilFireWall" dir=in program="C:\Program Files (x86)\Forcs\OZWebLauncher\OZWebLauncherUtil.exe" action=allow
                                          Imagebase:0x1560000
                                          File size:82'432 bytes
                                          MD5 hash:4E89A1A088BE715D6C946E55AB07C7DF
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:22
                                          Start time:19:32:34
                                          Start date:26/04/2024
                                          Path:C:\Windows\SysWOW64\CheckNetIsolation.exe
                                          Wow64 process (32bit):true
                                          Commandline:CheckNetIsolation LoopbackExempt -a -n="Microsoft.MicrosoftEdge_8wekyb3d8bbwe"
                                          Imagebase:0x570000
                                          File size:26'112 bytes
                                          MD5 hash:712F673ACF999A475D49976CC0ADE71E
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:23
                                          Start time:19:32:34
                                          Start date:26/04/2024
                                          Path:C:\Windows\SysWOW64\regsvr32.exe
                                          Wow64 process (32bit):true
                                          Commandline:C:\Windows\SysWOW64\regsvr32 /s /uC:\Windows\ZTUACControl.dll
                                          Imagebase:0xa40000
                                          File size:20'992 bytes
                                          MD5 hash:878E47C8656E53AE8A8A21E927C6F7E0
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:24
                                          Start time:19:32:34
                                          Start date:26/04/2024
                                          Path:C:\Windows\SysWOW64\regsvr32.exe
                                          Wow64 process (32bit):true
                                          Commandline:C:\Windows\SysWOW64\regsvr32 /s C:\Windows\ZTUACControl.dll
                                          Imagebase:0xa40000
                                          File size:20'992 bytes
                                          MD5 hash:878E47C8656E53AE8A8A21E927C6F7E0
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:25
                                          Start time:19:32:34
                                          Start date:26/04/2024
                                          Path:C:\Windows\SysWOW64\cmd.exe
                                          Wow64 process (32bit):true
                                          Commandline:C:\Windows\system32\cmd.exe /c C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\ZTUACControl.bat /s /v/q
                                          Imagebase:0x240000
                                          File size:236'544 bytes
                                          MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:26
                                          Start time:19:32:34
                                          Start date:26/04/2024
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff7699e0000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:27
                                          Start time:19:32:34
                                          Start date:26/04/2024
                                          Path:C:\Windows\SysWOW64\regsvr32.exe
                                          Wow64 process (32bit):true
                                          Commandline:regsvr32 /s c:\Windows\ZTUACControl.dll
                                          Imagebase:0xa40000
                                          File size:20'992 bytes
                                          MD5 hash:878E47C8656E53AE8A8A21E927C6F7E0
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:28
                                          Start time:19:32:35
                                          Start date:26/04/2024
                                          Path:C:\Windows\SysWOW64\timeout.exe
                                          Wow64 process (32bit):true
                                          Commandline:timeout /t 5
                                          Imagebase:0x10000
                                          File size:25'088 bytes
                                          MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:29
                                          Start time:19:32:35
                                          Start date:26/04/2024
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff7699e0000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:30
                                          Start time:19:32:40
                                          Start date:26/04/2024
                                          Path:C:\Program Files (x86)\FORCS\OZWebLauncher\OZWLService.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Program Files (x86)\FORCS\OZWebLauncher\OZWLService.exe"
                                          Imagebase:0xbd0000
                                          File size:420'640 bytes
                                          MD5 hash:3946001DADB4BABAA32C30074AD3525E
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:false

                                          Target ID:31
                                          Start time:19:32:40
                                          Start date:26/04/2024
                                          Path:C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe"
                                          Imagebase:0xdc0000
                                          File size:353'568 bytes
                                          MD5 hash:5CAF8DE84007ED7C692891788F10B025
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:false

                                          Target ID:33
                                          Start time:19:32:41
                                          Start date:26/04/2024
                                          Path:C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe"
                                          Imagebase:0xbc0000
                                          File size:476'448 bytes
                                          MD5 hash:361BB9069EA7DA381B953A71C0413F05
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:false

                                          Target ID:34
                                          Start time:19:32:41
                                          Start date:26/04/2024
                                          Path:C:\Windows\System32\svchost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                          Imagebase:0x7ff6eef20000
                                          File size:55'320 bytes
                                          MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:false

                                          Target ID:35
                                          Start time:19:32:43
                                          Start date:26/04/2024
                                          Path:C:\Windows\SysWOW64\timeout.exe
                                          Wow64 process (32bit):true
                                          Commandline:timeout /t 5
                                          Imagebase:0x10000
                                          File size:25'088 bytes
                                          MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:36
                                          Start time:19:32:43
                                          Start date:26/04/2024
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff7699e0000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                            Execution Graph

                                            Execution Coverage:4.1%
                                            Dynamic/Decrypted Code Coverage:0%
                                            Signature Coverage:12.4%
                                            Total number of Nodes:2000
                                            Total number of Limit Nodes:36
71754 401b80 Mailbox 4 API calls 71752->71754 72041 40dd64 121 API calls 71753->72041 71756 43bd9a 71754->71756 72038 45b887 71756->72038 71757 43bbe0 71759 408e82 Mailbox 73 API calls 71757->71759 71761 43bbf7 71759->71761 72042 43bdd3 167 API calls 3 library calls 71761->72042 71763 43bbfc 71764 40a14b 72 API calls 71763->71764 71765 43bc13 71764->71765 71766 40a0f0 75 API calls 71765->71766 71767 43bc22 71766->71767 72043 45e7c4 104 API calls __vsnwprintf_l 71767->72043 71769 43bc35 71770 409574 97 API calls 71769->71770 71771 43bc47 71770->71771 71772 40a629 74 API calls 71771->71772 71773 43bc55 71772->71773 71774 401b80 Mailbox 4 API calls 71773->71774 71775 43bc5d 71774->71775 71776 40a629 74 API calls 71775->71776 71777 43bc6b 71776->71777 71778 401b80 Mailbox 4 API calls 71777->71778 71779 43bc73 71778->71779 71780 408f6d 73 API calls 71779->71780 71781 43bc8e 71780->71781 71782 408f6d 73 API calls 71781->71782 71783 43bcb3 71782->71783 72044 425219 87 API calls 71783->72044 71785 43bcca 71786 401b80 Mailbox 4 API calls 71785->71786 71787 43bcd5 71786->71787 71788 401b80 Mailbox 4 API calls 71787->71788 71789 43bce1 71788->71789 71790 408f6d 73 API calls 71789->71790 71791 43bd02 71790->71791 71792 408f6d 73 API calls 71791->71792 71793 43bd21 71792->71793 72045 425219 87 API calls 71793->72045 71795 43bd38 71796 401b80 Mailbox 4 API calls 71795->71796 71797 43bd40 71796->71797 71798 401b80 Mailbox 4 API calls 71797->71798 71799 43bd4f __wsetenvp 71798->71799 72046 40dad9 71799->72046 71801 43bd65 71802 408e82 Mailbox 73 API calls 71801->71802 71803 43bd7a 71802->71803 72057 43bdd3 167 API calls 3 library calls 71803->72057 71805 43bd7f 71872 4018f0 4 API calls 71871->71872 71873 4484f1 71872->71873 71874 4018c0 RegCloseKey 71873->71874 71875 4484fb 71874->71875 71876 401b80 Mailbox 4 API calls 71875->71876 71877 43b560 71876->71877 71877->71633 71877->71636 71878->71642 71879->71659 71880->71664 71881->71666 71883 441e43 __EH_prolog3_GS 71882->71883 71884 
441e92 71883->71884 71956 424d42 89 API calls 71883->71956 71886 408e82 Mailbox 73 API calls 71884->71886 71888 441eae 71886->71888 71887 441e56 71887->71884 71889 441e5a 71887->71889 71945 4437bf 71888->71945 71891 408e82 Mailbox 73 API calls 71889->71891 71893 441e79 71891->71893 71892 441eb3 71894 441ed3 GetLastError 71892->71894 71898 441e7e 71892->71898 71957 442017 164 API calls 3 library calls 71893->71957 71896 441ee4 71894->71896 71897 442007 71894->71897 71896->71897 71900 441ef6 71896->71900 71901 441fbb 71896->71901 71899 401b80 Mailbox 4 API calls 71897->71899 71902 401b80 Mailbox 4 API calls 71898->71902 71903 441e8b 71899->71903 71958 43eaa1 GetLastError SetLastError Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_error 71900->71958 71901->71898 71904 441fc5 71901->71904 71902->71903 71908 45b878 Mailbox 6 API calls 71903->71908 71906 408e82 Mailbox 73 API calls 71904->71906 71909 441fe0 71906->71909 71907 441f01 71910 408e82 Mailbox 73 API calls 71907->71910 71911 43b701 71908->71911 71964 416974 104 API calls 3 library calls 71909->71964 71913 441f2f 71910->71913 71911->71633 71911->71671 71959 443199 100 API calls 2 library calls 71913->71959 71914 441ff6 71965 45a466 RaiseException 71914->71965 71917 441f34 71918 441f92 GetLastError 71917->71918 71919 441f3e 71917->71919 71920 42382a FindClose 71918->71920 71960 42382a 71919->71960 71923 441fa5 71920->71923 71924 401b80 Mailbox 4 API calls 71923->71924 71925 441fb0 71924->71925 71926 401b80 Mailbox 4 API calls 71925->71926 71926->71901 71927 42382a FindClose 71928 441f7a 71927->71928 71929 401b80 Mailbox 4 API calls 71928->71929 71930 441f82 71929->71930 71931 401b80 Mailbox 4 API calls 71930->71931 71932 441f8d 71931->71932 71932->71898 71933->71675 71934->71679 71935->71683 71936->71687 71937->71697 71938->71701 71939->71703 71940->71705 71941->71709 71942->71713 71943->71717 71944->71719 71966 45b896 71945->71966 71947 4437cb GetModuleHandleW GetProcAddress 71948 4437fd 
GetModuleHandleW GetProcAddress 71947->71948 71949 4437ed GetFileAttributesW 71947->71949 71950 443821 71948->71950 71951 443816 71948->71951 71949->71950 71952 401b80 Mailbox 4 API calls 71950->71952 71967 412f8a 69 API calls 71951->71967 71955 44382b ~_Task_impl 71952->71955 71954 44381e 71954->71950 71955->71892 71956->71887 71957->71898 71958->71907 71959->71917 71961 423842 71960->71961 71962 423832 71960->71962 71961->71927 71962->71961 71963 42383b FindClose 71962->71963 71963->71961 71964->71914 71965->71897 71966->71947 71967->71954 71969 40a215 __EH_prolog3_GS 71968->71969 71970 408e82 Mailbox 73 API calls 71969->71970 71971 40a23a 71970->71971 72014 40aa25 71971->72014 71973 40a25a 71974 40a26c 71973->71974 72019 40a3f4 94 API calls 3 library calls 71973->72019 71976 4091b8 73 API calls 71974->71976 71977 40a2b0 71976->71977 71978 40a2c7 71977->71978 71979 401b80 Mailbox 4 API calls 71977->71979 71980 40a307 71978->71980 71982 40a2dc 71978->71982 71979->71978 71981 4095e2 71 API calls 71980->71981 71983 40a305 71981->71983 71984 40aabc 73 API calls 71982->71984 71985 40a338 71983->71985 72020 40a528 71983->72020 71986 40a2ec 71984->71986 71987 40a3bd 71985->71987 71990 408f6d 73 API calls 71985->71990 71988 4095e2 71 API calls 71986->71988 71991 408e82 Mailbox 73 API calls 71987->71991 71992 40a2f9 71988->71992 71994 40a354 71990->71994 71995 40a3d7 71991->71995 71996 401b80 Mailbox 4 API calls 71992->71996 72029 40a3f4 94 API calls 3 library calls 71994->72029 71999 401b80 Mailbox 4 API calls 71995->71999 71996->71983 71997 401b80 Mailbox 4 API calls 71997->71985 72000 40a3e2 71999->72000 72001 401b80 Mailbox 4 API calls 72000->72001 72002 40a3ea 72001->72002 72004 45b878 Mailbox 6 API calls 72002->72004 72003 40a369 72005 40a017 80 API calls 72003->72005 72006 40a3f1 72004->72006 72007 40a391 72005->72007 72006->71733 72008 40a3a6 72007->72008 72030 40a6ad 72 API calls 72007->72030 72010 401b80 Mailbox 4 API calls 72008->72010 72011 40a3b1 72010->72011 
72012 401b80 Mailbox 4 API calls 72011->72012 72012->71987 72013->71731 72015 40aa36 72014->72015 72016 40aa3f 72014->72016 72015->71973 72016->72015 72018 45b637 __wcsnicmp 80 API calls 72016->72018 72031 409f7d 80 API calls 72016->72031 72018->72016 72019->71974 72032 40a629 72020->72032 72023 401b80 Mailbox 4 API calls 72024 40a556 72023->72024 72025 408e82 Mailbox 73 API calls 72024->72025 72026 40a56d 72025->72026 72027 45a457 __fltout2 6 API calls 72026->72027 72028 40a330 72027->72028 72028->71997 72029->72003 72030->72008 72031->72016 72033 40a642 72032->72033 72034 40a650 72033->72034 72035 409fa9 70 API calls 72033->72035 72036 408e82 Mailbox 73 API calls 72034->72036 72035->72034 72037 40a54e 72036->72037 72037->72023 72039 45a457 __fltout2 6 API calls 72038->72039 72040 45b891 72039->72040 72040->72040 72041->71757 72042->71763 72043->71769 72044->71785 72045->71795 72047 40dae9 72046->72047 72048 40db0b 72047->72048 72049 40daed 72047->72049 72050 40db71 72048->72050 72051 40db1b 72048->72051 72055 40da0c 72 API calls 72049->72055 72059 459f9f 69 API calls 2 library calls 72050->72059 72056 40db09 Mailbox 72051->72056 72058 407c30 72 API calls 2 library calls 72051->72058 72055->72056 72056->71801 72057->71805 72058->72056 72093 426010 72094 426015 #17 72093->72094 72132 41bfb9 72093->72132 72096 404200 Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_error 2 API calls 72094->72096 72097 42603a 72096->72097 72098 40a14b 72 API calls 72097->72098 72099 42604e 72098->72099 72100 40a0f0 75 API calls 72099->72100 72101 426059 GetModuleFileNameW 72100->72101 72102 409574 97 API calls 72101->72102 72103 426073 72102->72103 72104 43b52c 229 API calls 72103->72104 72105 426079 72104->72105 72106 40e057 97 API calls 72105->72106 72107 426088 72106->72107 72108 4091b8 73 API calls 72107->72108 72109 4260b1 72108->72109 72110 4091b8 73 API calls 72109->72110 72111 4260c9 72110->72111 72112 43bb71 189 API calls 72111->72112 72113 4260ce 
72112->72113 72114 401b80 Mailbox 4 API calls 72113->72114 72115 4260d9 72114->72115 72116 4091b8 73 API calls 72115->72116 72117 4260f8 72116->72117 72118 408e82 Mailbox 73 API calls 72117->72118 72119 426115 72118->72119 72120 416235 2 API calls 72119->72120 72121 426128 72120->72121 72122 417333 79 API calls 72121->72122 72123 42613c 72122->72123 72124 409334 226 API calls 72123->72124 72125 426147 72124->72125 72126 401b80 Mailbox 4 API calls 72125->72126 72127 42614f 72126->72127 72128 426153 CoUninitialize 72127->72128 72129 426159 72127->72129 72128->72129 72130 45a457 __fltout2 6 API calls 72129->72130 72131 426168 72130->72131 72133 41bffe _memset 72132->72133 72134 41c083 InitializeSecurityDescriptor 72133->72134 72135 41c0a0 CreateWellKnownSid 72134->72135 72143 41c099 72134->72143 72136 41c0c6 CreateWellKnownSid 72135->72136 72135->72143 72137 41c0e3 CreateWellKnownSid 72136->72137 72136->72143 72140 41c100 CreateWellKnownSid 72137->72140 72137->72143 72138 45a457 __fltout2 6 API calls 72139 41c2aa 72138->72139 72139->72094 72141 41c121 CreateWellKnownSid 72140->72141 72140->72143 72142 41c142 SetEntriesInAclW 72141->72142 72141->72143 72142->72143 72144 41c21a 72142->72144 72143->72138 72144->72143 72145 41c222 SetSecurityDescriptorOwner 72144->72145 72145->72143 72146 41c23b SetSecurityDescriptorGroup 72145->72146 72146->72143 72147 41c254 SetSecurityDescriptorDacl 72146->72147 72147->72143 72148 41c26e CoInitializeSecurity 72147->72148 72148->72143 72149 450f31 72150 450f40 __EH_prolog3_catch_GS 72149->72150 72151 450f60 MoveFileExW 72150->72151 72152 451252 72151->72152 72153 450f7d GetLastError 72151->72153 72154 401b80 Mailbox 4 API calls 72152->72154 72155 450f8c 72153->72155 72156 45124a GetLastError 72153->72156 72157 45125a 72154->72157 72158 450fa4 72155->72158 72159 450f92 72155->72159 72156->72152 72161 401b80 Mailbox 4 API calls 72157->72161 72245 450e4e 93 API calls 2 library calls 72158->72245 72162 406a00 71 API calls 72159->72162 72164 
451262 72161->72164 72165 450f9f 72162->72165 72163 450fb3 72246 450d51 93 API calls 2 library calls 72163->72246 72167 45b887 6 API calls 72164->72167 72170 408e82 Mailbox 73 API calls 72165->72170 72168 451269 72167->72168 72169 450fc8 72171 408e82 Mailbox 73 API calls 72169->72171 72172 45105f __wsetenvp 72170->72172 72173 450fe4 72171->72173 72176 40dad9 72 API calls 72172->72176 72247 451e0f 122 API calls 4 library calls 72173->72247 72175 450ff7 72248 43cd31 78 API calls 2 library calls 72175->72248 72178 451079 72176->72178 72226 451e0f 122 API calls 4 library calls 72178->72226 72179 451009 72181 4095e2 71 API calls 72179->72181 72183 451019 72181->72183 72182 451088 72184 40b99a 72 API calls 72182->72184 72186 401b80 Mailbox 4 API calls 72183->72186 72185 451095 72184->72185 72187 401b80 Mailbox 4 API calls 72185->72187 72188 451024 72186->72188 72189 4510a4 72187->72189 72190 401b80 Mailbox 4 API calls 72188->72190 72192 45c169 Mailbox 100 API calls 72189->72192 72191 45102f 72190->72191 72193 401b80 Mailbox 4 API calls 72191->72193 72194 4510c3 72192->72194 72195 451037 72193->72195 72227 43e467 72194->72227 72197 401b80 Mailbox 4 API calls 72195->72197 72199 451042 72197->72199 72201 401b80 Mailbox 4 API calls 72199->72201 72201->72165 72202 4510f2 72203 401b80 Mailbox 4 API calls 72202->72203 72204 451104 72203->72204 72205 416831 102 API calls 72204->72205 72206 45110f 72205->72206 72207 424632 156 API calls 72206->72207 72208 451132 72207->72208 72209 423878 Mailbox 110 API calls 72208->72209 72210 45113d 72209->72210 72250 450e91 106 API calls 3 library calls 72210->72250 72212 451146 72251 451da0 106 API calls 3 library calls 72212->72251 72214 451154 72215 4176d4 Mailbox 114 API calls 72214->72215 72216 451165 72215->72216 72217 401b80 Mailbox 4 API calls 72216->72217 72218 45116d GetPrivateProfileSectionW 72217->72218 72223 451195 72218->72223 72219 4511fa lstrcpyW lstrlenW WritePrivateProfileSectionW 72220 45123d 72219->72220 72222 401b80 
Mailbox 4 API calls 72220->72222 72221 45c169 Mailbox 100 API calls 72221->72223 72224 451246 72222->72224 72223->72219 72223->72221 72225 4511c4 GetPrivateProfileSectionW 72223->72225 72224->72152 72224->72156 72225->72223 72226->72182 72252 45b8c9 72227->72252 72229 43e476 GetWindowsDirectoryW 72230 43e4b2 72229->72230 72231 43e496 72229->72231 72233 408f6d 73 API calls 72230->72233 72253 40b827 101 API calls 4 library calls 72231->72253 72235 43e4e3 72233->72235 72234 43e4a1 72254 45a466 RaiseException 72234->72254 72255 42c2c4 72 API calls 72235->72255 72238 43e4f7 72239 408e82 Mailbox 73 API calls 72238->72239 72240 43e506 72239->72240 72241 401b80 Mailbox 4 API calls 72240->72241 72242 43e511 72241->72242 72243 45b878 Mailbox 6 API calls 72242->72243 72244 43e518 72243->72244 72249 450c01 78 API calls 2 library calls 72244->72249 72245->72163 72246->72169 72247->72175 72248->72179 72249->72202 72250->72212 72251->72214 72252->72229 72253->72234 72254->72230 72255->72238 72256 41cc74 72257 41cc83 __EH_prolog3_GS 72256->72257 72258 416831 102 API calls 72257->72258 72259 41cc90 72258->72259 72282 40d131 72259->72282 72262 408e82 Mailbox 73 API calls 72263 41ccc7 72262->72263 72264 424632 156 API calls 72263->72264 72265 41cceb 72264->72265 72266 401b80 Mailbox 4 API calls 72265->72266 72267 41ccf3 72266->72267 72268 401b80 Mailbox 4 API calls 72267->72268 72269 41ccff 72268->72269 72270 425464 107 API calls 72269->72270 72271 41cd18 72270->72271 72272 41cd5d 72271->72272 72276 40d131 73 API calls 72271->72276 72273 4176d4 Mailbox 114 API calls 72272->72273 72274 41cd6c 72273->72274 72275 45b878 Mailbox 6 API calls 72274->72275 72278 41cd73 72275->72278 72277 41cd37 72276->72277 72285 41ad2a 72277->72285 72281 401b80 Mailbox 4 API calls 72281->72272 72283 408e82 Mailbox 73 API calls 72282->72283 72284 40d15a 72283->72284 72284->72262 72294 41cf22 CreateFileW 72285->72294 72288 41ad6c 72290 405170 Mailbox FindCloseChangeNotification 72288->72290 72291 41ad81 
72290->72291 72292 405170 Mailbox FindCloseChangeNotification 72291->72292 72293 41ad89 72292->72293 72293->72281 72295 41cf57 72294->72295 72296 41cf6d CreateFileMappingW 72294->72296 72297 405170 Mailbox FindCloseChangeNotification 72295->72297 72298 41d094 GetLastError 72296->72298 72299 41cf87 72296->72299 72300 41cf5f 72297->72300 72307 41d058 72298->72307 72301 405170 Mailbox FindCloseChangeNotification 72299->72301 72300->72296 72300->72298 72302 41cf8f GetSystemInfo MapViewOfFile 72301->72302 72302->72298 72303 41cfb8 72302->72303 72306 41cfd1 IsBadReadPtr 72303->72306 72303->72307 72304 405170 Mailbox FindCloseChangeNotification 72305 41d0ac 72304->72305 72308 405170 Mailbox FindCloseChangeNotification 72305->72308 72306->72307 72309 41cfe9 72306->72309 72307->72304 72310 41ad54 72308->72310 72309->72307 72311 41cfff UnmapViewOfFile MapViewOfFile 72309->72311 72310->72288 72315 41a625 72310->72315 72312 41d01d 72311->72312 72312->72307 72313 41d035 IsBadReadPtr 72312->72313 72313->72307 72314 41d04d 72313->72314 72314->72307 72316 41a639 72315->72316 72319 41a1f5 72316->72319 72318 41a654 72318->72288 72320 41a217 VirtualQuery 72319->72320 72322 41a304 72319->72322 72329 41afcf 72320->72329 72322->72318 72324 41a249 72324->72322 72327 41a2d2 GetSystemInfo MapViewOfFile 72324->72327 72325 41afcf CompareStringA 72326 41a26d 72325->72326 72326->72324 72328 41afcf CompareStringA 72326->72328 72327->72322 72328->72324 72330 41afe8 CompareStringA 72329->72330 72332 41a23e 72329->72332 72331 41b002 72330->72331 72330->72332 72331->72330 72331->72332 72332->72324 72332->72325 72333 4198b7 72334 4198c3 __EH_prolog3 72333->72334 72335 450826 114 API calls 72334->72335 72336 4198cc 72335->72336 72337 4198d0 72336->72337 72338 4198db 72336->72338 72347 4448bb 72337->72347 72340 4091b8 73 API calls 72338->72340 72341 4198f4 72340->72341 72342 4091b8 73 API calls 72341->72342 72343 419909 72342->72343 72399 444e82 208 API calls 3 library calls 72343->72399 72345 4198d8 
~_Task_impl 72346 419917 72346->72345 72400 45b8c9 72347->72400 72349 4448ca AllocateAndInitializeSid 72350 444927 72349->72350 72351 444941 AllocateAndInitializeSid 72349->72351 72352 4091b8 73 API calls 72350->72352 72351->72350 72353 444961 AllocateAndInitializeSid 72351->72353 72359 44493c 72352->72359 72353->72350 72354 444981 _memset 72353->72354 72355 444990 SetEntriesInAclW 72354->72355 72355->72350 72356 444a32 72355->72356 72357 444a65 InitializeSecurityDescriptor 72356->72357 72358 444a4c 72356->72358 72361 444a70 72357->72361 72362 444a8a SetSecurityDescriptorDacl 72357->72362 72360 4091b8 73 API calls 72358->72360 72367 45b878 Mailbox 6 API calls 72359->72367 72360->72359 72364 4091b8 73 API calls 72361->72364 72362->72361 72363 444aa4 72362->72363 72365 404200 Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_error 2 API calls 72363->72365 72364->72359 72366 444ad2 72365->72366 72368 40a14b 72 API calls 72366->72368 72369 444c0b 72367->72369 72370 444aeb 72368->72370 72369->72345 72371 40a0f0 75 API calls 72370->72371 72372 444afa GetTempPathW 72371->72372 72373 409574 97 API calls 72372->72373 72374 444b12 72373->72374 72401 444791 UuidCreate 72374->72401 72377 40b2a8 80 API calls 72378 444b34 72377->72378 72406 40b22b 72378->72406 72381 40b99a 72 API calls 72382 444b57 72381->72382 72383 401b80 Mailbox 4 API calls 72382->72383 72384 444b5f 72383->72384 72385 401b80 Mailbox 4 API calls 72384->72385 72386 444b6a 72385->72386 72387 401b80 Mailbox 4 API calls 72386->72387 72388 444b79 72387->72388 72389 408e82 Mailbox 73 API calls 72388->72389 72390 444b9d 72389->72390 72422 441b01 72390->72422 72392 444ba2 72393 444bc0 72392->72393 72394 444ba9 72392->72394 72433 40a1af 72393->72433 72395 4091b8 73 API calls 72394->72395 72397 444bbe 72395->72397 72398 401b80 Mailbox 4 API calls 72397->72398 72398->72359 72399->72346 72400->72349 72442 4442c5 72401->72442 72404 45a457 __fltout2 6 API calls 72405 4447d9 72404->72405 72405->72377 
72407 40b237 __EH_prolog3_GS 72406->72407 72408 408e82 Mailbox 73 API calls 72407->72408 72409 40b25e 72408->72409 72464 40dab2 72409->72464 72413 40b276 72414 408e82 Mailbox 73 API calls 72413->72414 72415 40b290 72414->72415 72416 401b80 Mailbox 4 API calls 72415->72416 72417 40b298 72416->72417 72418 401b80 Mailbox 4 API calls 72417->72418 72419 40b2a0 72418->72419 72420 45b878 Mailbox 6 API calls 72419->72420 72421 40b2a7 72420->72421 72421->72381 72474 45b896 72422->72474 72424 441b0d GetModuleHandleW GetProcAddress 72425 441b32 CreateDirectoryW 72424->72425 72426 441b43 GetModuleHandleW GetProcAddress 72424->72426 72427 441b68 72425->72427 72426->72427 72428 441b5c 72426->72428 72430 401b80 Mailbox 4 API calls 72427->72430 72475 412f8a 69 API calls 72428->72475 72432 441b72 ~_Task_impl 72430->72432 72431 441b64 72431->72427 72432->72392 72434 409cb2 74 API calls 72433->72434 72435 40a1d5 72434->72435 72436 401b80 Mailbox 4 API calls 72435->72436 72437 40a1dd 72436->72437 72438 408e82 Mailbox 73 API calls 72437->72438 72439 40a1f4 72438->72439 72440 45a457 __fltout2 6 API calls 72439->72440 72441 40a202 72440->72441 72441->72397 72443 4442d1 __EH_prolog3_GS 72442->72443 72444 404200 Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_error 2 API calls 72443->72444 72445 444300 UuidToStringW 72444->72445 72446 406a00 71 API calls 72445->72446 72447 44432f 72446->72447 72456 449c16 72447->72456 72449 444337 RpcStringFreeW 72450 408e82 Mailbox 73 API calls 72449->72450 72451 444353 72450->72451 72452 401b80 Mailbox 4 API calls 72451->72452 72453 44435b 72452->72453 72454 45b878 Mailbox 6 API calls 72453->72454 72455 444362 72454->72455 72455->72404 72457 449c22 __EH_prolog3 72456->72457 72458 40a14b 72 API calls 72457->72458 72459 449c2e 72458->72459 72460 40a0f0 75 API calls 72459->72460 72461 449c3d CharUpperW 72460->72461 72462 409574 97 API calls 72461->72462 72463 449c51 ~_Task_impl 72462->72463 72463->72449 72465 40dac3 __wsetenvp 
72464->72465 72466 40dad9 72 API calls 72465->72466 72467 40b26b 72466->72467 72468 40b69c 72467->72468 72469 40b6a8 __EH_prolog3 72468->72469 72470 40b6c0 GetLastError 72469->72470 72471 40922e Mailbox 71 API calls 72470->72471 72472 40b6de SetLastError 72471->72472 72473 40b6fe ~_Task_impl 72472->72473 72473->72413 72474->72424 72475->72431 72476 45e462 72477 45e46e ___lock_fhandle 72476->72477 72513 4635a3 GetStartupInfoW 72477->72513 72480 45e473 72515 46a8b9 GetProcessHeap 72480->72515 72481 45e4cb 72482 45e4d6 72481->72482 72569 45e5f8 68 API calls 3 library calls 72481->72569 72516 464ebe 72482->72516 72514 4635b9 72513->72514 72514->72480 72515->72481 72576 469d50 EncodePointer EncodePointer __init_pointers __initp_misc_winsig 72516->72576 72569->72482 72580 420ee5 72582 420eec 72580->72582 72581 420fd1 72738 40fb3d 72581->72738 72582->72581 72596 420f12 __wsetenvp 72582->72596 72584 420ff0 72741 40d1d8 73 API calls Mailbox 72584->72741 72586 42100e 72742 419797 253 API calls 3 library calls 72586->72742 72588 421019 72743 418cda RtlUnwind _longjmp 72588->72743 72590 421021 72744 40d191 73 API calls Mailbox 72590->72744 72591 420fa1 72592 408e82 Mailbox 73 API calls 72591->72592 72594 420fc3 72592->72594 72630 421722 72594->72630 72595 421036 72598 421041 CreateMutexW 72595->72598 72599 42103f 72595->72599 72596->72591 72600 40a017 80 API calls 72596->72600 72602 401b80 Mailbox 4 API calls 72598->72602 72599->72598 72607 420f86 __wsetenvp 72600->72607 72601 420fca 72604 401b80 Mailbox 4 API calls 72601->72604 72603 421067 WaitForSingleObject 72602->72603 72605 42107c 72603->72605 72606 421120 72604->72606 72745 40d268 186 API calls 3 library calls 72605->72745 72608 401b80 Mailbox 4 API calls 72606->72608 72607->72591 72609 40dad9 72 API calls 72607->72609 72611 421128 72608->72611 72609->72591 72613 401b80 Mailbox 4 API calls 72611->72613 72612 421094 72614 4210b1 72612->72614 72615 406a00 71 API calls 72612->72615 72618 421133 _memmove 72613->72618 72616 
408e82 Mailbox 73 API calls 72614->72616 72615->72614 72617 4210db 72616->72617 72746 40d922 187 API calls 2 library calls 72617->72746 72619 401b80 Mailbox 4 API calls 72618->72619 72621 421635 72619->72621 72623 401b80 Mailbox 4 API calls 72621->72623 72622 4210fc 72624 401b80 Mailbox 4 API calls 72622->72624 72625 42163d 72623->72625 72626 421107 72624->72626 72627 45b878 Mailbox 6 API calls 72625->72627 72628 405170 Mailbox FindCloseChangeNotification 72626->72628 72629 421644 72627->72629 72628->72601 72631 421731 __EH_prolog3_GS 72630->72631 72632 40d131 73 API calls 72631->72632 72633 421751 72632->72633 72634 40e057 97 API calls 72633->72634 72635 421766 72634->72635 72636 40fb3d 73 API calls 72635->72636 72637 421782 72636->72637 72638 40b91e 80 API calls 72637->72638 72639 421792 72638->72639 72640 408e82 Mailbox 73 API calls 72639->72640 72641 4217b5 72640->72641 72642 401b80 Mailbox 4 API calls 72641->72642 72643 4217bd 72642->72643 72644 401b80 Mailbox 4 API calls 72643->72644 72645 4217c8 72644->72645 72646 401b80 Mailbox 4 API calls 72645->72646 72647 4217d3 72646->72647 72648 401b80 Mailbox 4 API calls 72647->72648 72649 4217df 72648->72649 72650 408e82 Mailbox 73 API calls 72649->72650 72651 421800 72650->72651 72652 40d131 73 API calls 72651->72652 72653 421819 72652->72653 72747 418e75 72653->72747 72656 421828 72657 401b80 Mailbox 4 API calls 72656->72657 72659 421b36 72657->72659 72658 40d131 73 API calls 72660 421847 72658->72660 72661 401b80 Mailbox 4 API calls 72659->72661 72795 4248a5 72660->72795 72663 421b3e 72661->72663 72665 45b878 Mailbox 6 API calls 72663->72665 72666 421b45 72665->72666 72666->72601 72667 401b80 Mailbox 4 API calls 72668 421864 72667->72668 72669 40fb3d 73 API calls 72668->72669 72670 421879 72669->72670 72671 40a1af 78 API calls 72670->72671 72672 42188b 72671->72672 72673 40d131 73 API calls 72672->72673 72674 4218a6 72673->72674 72675 40a206 97 API calls 72674->72675 72676 4218ba 72675->72676 72677 40a1af 78 API 
calls 72676->72677 72678 4218cc 72677->72678 72679 40b22b 80 API calls 72678->72679 72680 4218ea 72679->72680 72837 413c81 72680->72837 72683 40b22b 80 API calls 72684 421915 72683->72684 72685 413c81 78 API calls 72684->72685 72686 421927 72685->72686 72687 40b22b 80 API calls 72686->72687 72688 42193d 72687->72688 72689 413c81 78 API calls 72688->72689 72690 42194f 72689->72690 72691 40b22b 80 API calls 72690->72691 72692 421968 72691->72692 72693 40b22b 80 API calls 72692->72693 72739 408e82 Mailbox 73 API calls 72738->72739 72740 40fb66 72739->72740 72740->72584 72741->72586 72742->72588 72743->72590 72744->72595 72745->72612 72746->72622 72748 418e84 __EH_prolog3_GS _memmove 72747->72748 72933 4043d0 72748->72933 72753 418eea __setjmp3 72754 41906a 72753->72754 72755 4091b8 73 API calls 72753->72755 72756 4190e9 72754->72756 72757 419079 72754->72757 72758 418f49 72755->72758 72761 4091b8 73 API calls 72756->72761 72759 4091b8 73 API calls 72757->72759 72760 4091b8 73 API calls 72758->72760 72762 4190ba 72759->72762 72763 418f6a 72760->72763 72764 419129 72761->72764 72765 4091b8 73 API calls 72762->72765 72766 43bb71 189 API calls 72763->72766 72767 4091b8 73 API calls 72764->72767 72768 4190db 72765->72768 72769 418f73 72766->72769 72770 41914a 72767->72770 72772 43bb71 189 API calls 72768->72772 72773 40ab22 84 API calls 72769->72773 72771 43bb71 189 API calls 72770->72771 72778 4190e4 _memmove 72771->72778 72772->72778 72774 418f80 72773->72774 72775 41900b 72774->72775 72776 408e82 Mailbox 73 API calls 72774->72776 72775->72757 72781 408e82 Mailbox 73 API calls 72775->72781 72777 418fb0 72776->72777 72779 441e34 182 API calls 72777->72779 72780 401b80 Mailbox 4 API calls 72778->72780 72782 418fb5 72779->72782 72783 419173 72780->72783 72784 419059 72781->72784 72782->72775 72787 408e82 Mailbox 73 API calls 72782->72787 72786 401b80 Mailbox 4 API calls 72783->72786 73003 417eff 108 API calls 3 library calls 72784->73003 72788 41917b 72786->72788 72789 

                                            Control-flow Graph

                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 00425663
                                              • Part of subcall function 00424725: __EH_prolog3.LIBCMT ref: 0042472C
                                              • Part of subcall function 00424725: CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000,00000000,00000008,https://,00000000,00000000,00000007,http://,00000000,?), ref: 00424786
                                              • Part of subcall function 00425414: SetFilePointer.KERNELBASE(000000FF,?,000000FF,?), ref: 0042542F
                                            • FindFirstFileW.KERNELBASE(?,?,00000001,?,00000000), ref: 004256E9
                                            • lstrcpyW.KERNEL32(?,00000000), ref: 004257D4
                                            • lstrlenW.KERNEL32(?), ref: 004257E1
                                            • lstrcpyW.KERNEL32(?,00000000), ref: 00425813
                                            • lstrlenW.KERNEL32(?), ref: 00425820
                                            • lstrcpyW.KERNEL32(?,00000000), ref: 0042584F
                                            • lstrlenW.KERNEL32(?), ref: 00425859
                                              • Part of subcall function 0042382A: FindClose.KERNELBASE(?,00000000,00441FA5), ref: 0042383D
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2441700723.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441790678.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441825034.00000000004D7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.00000000004DC000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000509000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000519000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: Filelstrcpylstrlen$Find$CloseCreateFirstH_prolog3H_prolog3_Pointer
                                            • String ID: .cab$@/L$data$data1.cab
                                            • API String ID: 2212002782-3499192638
                                            • Opcode ID: fe741993f32d52125c74e27ec33420d86ad049216b346b2bc1969e2130828dbf
                                            • Instruction ID: fb7dcdbb61c0b39fab6b97eda141d987a6e2fe3132a9a7eded4b9dbfcae1609a
                                            • Opcode Fuzzy Hash: fe741993f32d52125c74e27ec33420d86ad049216b346b2bc1969e2130828dbf
                                            • Instruction Fuzzy Hash: 3B326071A0026C9ADB20EBA1DC45FDEB778AF46304F4045EAE40AA3591DF785F84CF5A
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 0043B536
                                              • Part of subcall function 00448D7A: __EH_prolog3_GS.LIBCMT ref: 00448D81
                                              • Part of subcall function 00448D7A: RegQueryValueExW.KERNELBASE(?,?,00000000,00000008,00000000,@/L,0000005C,0041AB68,?,-80000001,?,?), ref: 00448DF6
                                              • Part of subcall function 00401B80: GetLastError.KERNEL32(?,00000000,00409F66,00000000,?,00000000,?,00000001,00000048,00409E02,004C2FA0,?,00000000,00000000,0000003C,00409181), ref: 00401B8F
                                              • Part of subcall function 00401B80: SysFreeString.OLEAUT32(00000000), ref: 00401BAB
                                              • Part of subcall function 00401B80: SysFreeString.OLEAUT32(0000002C), ref: 00401BB6
                                              • Part of subcall function 00401B80: SetLastError.KERNEL32(?), ref: 00401BD4
                                            • GetCurrentProcessId.KERNEL32(bin,00000000), ref: 0043B683
                                            • _memset.LIBCMT ref: 0043B6C3
                                            • GetLocalTime.KERNEL32(?), ref: 0043B748
                                              • Part of subcall function 0043A837: __EH_prolog3_GS.LIBCMT ref: 0043A841
                                              • Part of subcall function 0043A837: _memset.LIBCMT ref: 0043A866
                                              • Part of subcall function 0043A837: SHGetSpecialFolderLocation.SHELL32(00000000,@/L,?,?,00000000,00000000), ref: 0043A884
                                              • Part of subcall function 0043A837: SHGetPathFromIDListW.SHELL32(?,?), ref: 0043A8A2
                                              • Part of subcall function 0043A837: SHGetMalloc.SHELL32(?), ref: 0043A8AF
                                            • GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,?,00000104), ref: 0043B800
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2441700723.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441790678.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441825034.00000000004D7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.00000000004DC000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000509000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000519000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: H_prolog3_$ErrorFreeLastString_memset$CurrentFileFolderFromListLocalLocationMallocModuleNamePathProcessQuerySpecialTimeValue
                                            • String ID: TraceData:$%s%s%d.%s$(c) Copyright 2004 InstallShield Software Corporation (All Rights Reserved)$@/L$@/L$@/L$Category|SubCategory|Details$FileNamePath$FormatVersion=00000112$ISlogit$SetupExe: %ls$SetupExeVersion: %ld.%ld.%ld.%ld$TraceStarted: %.2ld/%.2ld/%.2ld %.2ld:%.2ld:%.2ld$TraceStd$bin$d]K$setuptrace
                                            • API String ID: 2855092573-4001883202
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 004448C5
                                            • AllocateAndInitializeSid.ADVAPI32(?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0000014C,004198D8,?), ref: 00444921
                                            • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 0044495B
                                            • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000221,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 0044497B
                                            • _memset.LIBCMT ref: 0044498B
                                            • SetEntriesInAclW.ADVAPI32 ref: 00444A24
                                            Strings
                                            Similarity
                                            • API ID: AllocateInitialize$EntriesH_prolog3__memset
                                            • String ID: @/L$@/L
                                            • API String ID: 2297503650-2149722323
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            APIs
                                            • GetCurrentThread.KERNEL32 ref: 004508AB
                                            • OpenThreadToken.ADVAPI32(00000000,?,?,0045083B,00000001,00000001), ref: 004508B2
                                            • GetLastError.KERNEL32(?,?,0045083B,00000001,00000001), ref: 004508C2
                                            • GetCurrentProcess.KERNEL32(00000008,00000001,?,?,0045083B,00000001,00000001), ref: 004508D1
                                            • OpenProcessToken.ADVAPI32(00000000,?,?,0045083B,00000001,00000001), ref: 004508D8
                                            • GetLastError.KERNEL32(?,?,0045083B,00000001,00000001), ref: 004508DE
                                            • GetTokenInformation.KERNELBASE(00000001,00000002,00000000,00000000,?,?,?,?,0045083B,00000001,00000001), ref: 0045090F
                                            • GetLastError.KERNEL32(?,?,0045083B,00000001,00000001), ref: 00450924
                                            • GetTokenInformation.KERNELBASE(00000001,00000002,00000000,?,?,?,?,0045083B,00000001,00000001), ref: 00450943
                                            • AllocateAndInitializeSid.ADVAPI32(00000001,00000002,00000020,00000223,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,0045083B,00000001,00000001), ref: 0045096D
                                            • EqualSid.ADVAPI32(00000004,?,?,?,0045083B,00000001,00000001), ref: 00450988
                                            • FreeSid.ADVAPI32(?,?,?,0045083B,00000001,00000001), ref: 004509B4
                                            Similarity
                                            • API ID: Token$ErrorLast$CurrentInformationOpenProcessThread$AllocateEqualFreeInitialize
                                            • String ID:
                                            • API String ID: 884311744-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            APIs
                                            • SetErrorMode.KERNELBASE(00000000), ref: 00425FF0
                                            • SetErrorMode.KERNELBASE(00000000), ref: 00425FF8
                                            • CoInitializeEx.OLE32(00000000,00000002), ref: 00425FFE
                                              • Part of subcall function 004455D3: GetVersionExW.KERNEL32(?), ref: 004455F7
                                            • #17.COMCTL32 ref: 00426015
                                            • GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,?,00000104), ref: 00426062
                                            Strings
                                            Similarity
                                            • API ID: ErrorMode$FileInitializeModuleNameVersion
                                            • String ID: @/L$@/L$EXE=%s$EXEProcessBegin$ISSetupInit
                                            • API String ID: 1856150884-1180914206
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000), ref: 0041CF4B
                                            • CreateFileMappingW.KERNELBASE(00000000,00000000,00000002,00000000,00000000,00000000,?,00000000), ref: 0041CF74
                                            • GetSystemInfo.KERNELBASE(?,?,00000000,?,?,?,?,?,?,?,?,?,0041AD54,?,?,?), ref: 0041CF96
                                            • MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,?,?,00000000), ref: 0041CFA8
                                            • IsBadReadPtr.KERNEL32(?,000000F8,?,00000000,?,?,?,?,?,?,?,?,?,0041AD54,?,?), ref: 0041CFDF
                                            • UnmapViewOfFile.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,0041AD54,?,?,?), ref: 0041D000
                                            • MapViewOfFile.KERNEL32(?,00000004,00000000,00000000,?,?,00000000), ref: 0041D010
                                            • GetLastError.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,0041AD54,?,?,?,?), ref: 0041D094
                                            • IsBadReadPtr.KERNEL32(?,000000F8,?,00000000,?,?,?,?,?,?,?,?,?,0041AD54,?,?), ref: 0041D043
                                              • Part of subcall function 00405170: FindCloseChangeNotification.KERNELBASE(?,?,0041781D), ref: 00405183
                                            Similarity
                                            • API ID: File$View$CreateRead$ChangeCloseErrorFindInfoLastMappingNotificationSystemUnmap
                                            • String ID:
                                            • API String ID: 4059205213-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 0041E83A
                                              • Part of subcall function 0044BDFA: __EH_prolog3.LIBCMT ref: 0044BE01
                                              • Part of subcall function 00408E82: __EH_prolog3.LIBCMT ref: 00408E89
                                              • Part of subcall function 00408E82: GetLastError.KERNEL32(00000004,00409E1B,004C2FA0,00000000,0043A706,?,?,00000001), ref: 00408EAB
                                              • Part of subcall function 00408E82: SetLastError.KERNEL32(?,00000000), ref: 00408EE3
                                              • Part of subcall function 0044DA4D: __EH_prolog3_GS.LIBCMT ref: 0044DA57
                                              • Part of subcall function 0044E0D6: __EH_prolog3_GS.LIBCMT ref: 0044E0E0
                                              • Part of subcall function 004090B1: __EH_prolog3_GS.LIBCMT ref: 004090B8
                                              • Part of subcall function 00401B80: GetLastError.KERNEL32(?,00000000,00409F66,00000000,?,00000000,?,00000001,00000048,00409E02,004C2FA0,?,00000000,00000000,0000003C,00409181), ref: 00401B8F
                                              • Part of subcall function 00401B80: SysFreeString.OLEAUT32(00000000), ref: 00401BAB
                                              • Part of subcall function 00401B80: SysFreeString.OLEAUT32(0000002C), ref: 00401BB6
                                              • Part of subcall function 00401B80: SetLastError.KERNEL32(?), ref: 00401BD4
                                              • Part of subcall function 0044DFF7: __EH_prolog3_GS.LIBCMT ref: 0044DFFE
                                              • Part of subcall function 0041E108: __EH_prolog3_GS.LIBCMT ref: 0041E112
                                              • Part of subcall function 0040B2A8: __EH_prolog3_GS.LIBCMT ref: 0040B2AF
                                            Strings
                                            Similarity
                                            • API ID: H_prolog3_$ErrorLast$FreeH_prolog3String
                                            • String ID: %$@/L$AllUsers$CheckMD5$CompanyName$CompanyURL$ErrorReportURL$InstallGUID$LauncherName$LogMode$MediaFormat$Product$ProductCode$ProductGUID$ScriptDriven$ShowPasswordDialog$Skin$SmallProgress$SplashTime$Startup$cmdline$http://www.installshield.com/isetup/ProErrorCentral.asp?ErrorCode=%d : 0x%x&ErrorInfo=%s$setup.exe
                                            • API String ID: 806320983-2088667960
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 00418E7F
                                            • _memmove.LIBCMT ref: 00418EA4
                                              • Part of subcall function 004043D0: GetLastError.KERNEL32(2E932D87,74DEDFA0,?,74DEE010,?,?,?,?,?,?,004AC3A0,000000FF,?,00403D9D,?,?), ref: 00404421
                                              • Part of subcall function 004043D0: SetLastError.KERNEL32(?,?,?,?,?,?,?,004AC3A0,000000FF,?,00403D9D,?,?), ref: 00404451
                                              • Part of subcall function 004043D0: GetLastError.KERNEL32(00000000,00000000,00000000,?,00000001,?,?,?,?,?,?,004AC3A0,000000FF,?,00403D9D,?), ref: 004044A1
                                              • Part of subcall function 004043D0: SysFreeString.OLEAUT32(?), ref: 004044BD
                                              • Part of subcall function 004043D0: SysFreeString.OLEAUT32(?), ref: 004044C8
                                              • Part of subcall function 004043D0: SetLastError.KERNEL32(?), ref: 004044E8
                                            • lstrcpyW.KERNEL32(?,-00000004), ref: 00418ED9
                                            • __setjmp3.LIBCMT ref: 00418EFA
                                            • _memmove.LIBCMT ref: 00419163
                                              • Part of subcall function 00408E82: __EH_prolog3.LIBCMT ref: 00408E89
                                              • Part of subcall function 00408E82: GetLastError.KERNEL32(00000004,00409E1B,004C2FA0,00000000,0043A706,?,?,00000001), ref: 00408EAB
                                              • Part of subcall function 00408E82: SetLastError.KERNEL32(?,00000000), ref: 00408EE3
                                              • Part of subcall function 00417EFF: __EH_prolog3.LIBCMT ref: 00417F06
                                            Strings
                                            Similarity
                                            • API ID: ErrorLast$FreeH_prolog3String_memmove$H_prolog3___setjmp3lstrcpy
                                            • String ID: @/L$@/L$CopyDisk1FileToTempBegin$CopyDisk1FileToTempEnd$Failure$ISSetupDLLOp$Result=%sError=0x%08lxCopied=%ldSourceFile=%sTargetFile=%s$Result=%sCopied=%ldSourceFile=%sTargetFile=%s$SourceFile=%sTargetFile=%s$Success$setup.cpp
                                            • API String ID: 720208508-1089413182
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            APIs
                                            • _memset.LIBCMT ref: 0041BFF9
                                            • _memset.LIBCMT ref: 0041C016
                                            • _memset.LIBCMT ref: 0041C030
                                            • _memset.LIBCMT ref: 0041C04A
                                            • _memset.LIBCMT ref: 0041C064
                                            • _memset.LIBCMT ref: 0041C07E
                                            • InitializeSecurityDescriptor.ADVAPI32(?,00000001), ref: 0041C08F
                                            • CreateWellKnownSid.ADVAPI32(0000001A,00000000,?,?), ref: 0041C0C0
                                            • CreateWellKnownSid.ADVAPI32(00000017,00000000,?,?), ref: 0041C0DD
                                            • CreateWellKnownSid.ADVAPI32(00000018,00000000,?,?), ref: 0041C0FA
                                            • CreateWellKnownSid.ADVAPI32(00000010,00000000,?,?), ref: 0041C117
                                            • CreateWellKnownSid.ADVAPI32(00000016,00000000,?,?), ref: 0041C138
                                            Similarity
                                            • API ID: _memset$CreateKnownWell$DescriptorInitializeSecurity
                                            • String ID:
                                            • API String ID: 520831841-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 00446330
                                            • _memset.LIBCMT ref: 004463CA
                                            • CreateProcessW.KERNELBASE(00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000044,004D9A00,?,00000000), ref: 00446442
                                            • GetLastError.KERNEL32 ref: 0044645D
                                            • _memset.LIBCMT ref: 004464BD
                                            • ShellExecuteExW.SHELL32(0000003C), ref: 0044658C
                                            • WaitForInputIdle.USER32(?,000003E8), ref: 00446607
                                            • GetExitCodeProcess.KERNELBASE(?,004D99FC), ref: 0044662B
                                            • GetLastError.KERNEL32(?,?,?,?,?,?,00000000), ref: 00446635
                                              • Part of subcall function 004248A5: __EH_prolog3_GS.LIBCMT ref: 004248AF
                                              • Part of subcall function 00401B80: GetLastError.KERNEL32(?,00000000,00409F66,00000000,?,00000000,?,00000001,00000048,00409E02,004C2FA0,?,00000000,00000000,0000003C,00409181), ref: 00401B8F
                                              • Part of subcall function 00401B80: SysFreeString.OLEAUT32(00000000), ref: 00401BAB
                                              • Part of subcall function 00401B80: SysFreeString.OLEAUT32(0000002C), ref: 00401BB6
                                              • Part of subcall function 00401B80: SetLastError.KERNEL32(?), ref: 00401BD4
                                              • Part of subcall function 0040B22B: __EH_prolog3_GS.LIBCMT ref: 0040B232
                                              • Part of subcall function 00413C81: __EH_prolog3_GS.LIBCMT ref: 00413C88
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2441700723.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441790678.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441825034.00000000004D7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.00000000004DC000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000509000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000519000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: ErrorH_prolog3_Last$FreeProcessString_memset$CodeCreateExecuteExitIdleInputShellWait
                                            • String ID: <$@/L$@/L$D
                                            • API String ID: 3263116737-3077052391
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 0040933B
                                            • DeleteFileW.KERNELBASE(00000005), ref: 00409425
                                            • Sleep.KERNEL32(00000064), ref: 00409439
                                            • RemoveDirectoryW.KERNELBASE(?), ref: 00409523
                                            • Sleep.KERNEL32(00000064), ref: 00409537
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2441700723.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441790678.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441825034.00000000004D7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.00000000004DC000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000509000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000519000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: Sleep$DeleteDirectoryFileH_prolog3_Remove
                                            • String ID: @/L$@/L$DeleterDeleteFile$DeleterDeleteFolder$File=%s$Folder=%s$ISSetupDLLOp
                                            • API String ID: 3597207528-1788094262
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 0042172C
                                              • Part of subcall function 0040E057: __EH_prolog3_GS.LIBCMT ref: 0040E061
                                              • Part of subcall function 0040B91E: __EH_prolog3_GS.LIBCMT ref: 0040B925
                                              • Part of subcall function 00408E82: __EH_prolog3.LIBCMT ref: 00408E89
                                              • Part of subcall function 00408E82: GetLastError.KERNEL32(00000004,00409E1B,004C2FA0,00000000,0043A706,?,?,00000001), ref: 00408EAB
                                              • Part of subcall function 00408E82: SetLastError.KERNEL32(?,00000000), ref: 00408EE3
                                              • Part of subcall function 00401B80: GetLastError.KERNEL32(?,00000000,00409F66,00000000,?,00000000,?,00000001,00000048,00409E02,004C2FA0,?,00000000,00000000,0000003C,00409181), ref: 00401B8F
                                              • Part of subcall function 00401B80: SysFreeString.OLEAUT32(00000000), ref: 00401BAB
                                              • Part of subcall function 00401B80: SysFreeString.OLEAUT32(0000002C), ref: 00401BB6
                                              • Part of subcall function 00401B80: SetLastError.KERNEL32(?), ref: 00401BD4
                                              • Part of subcall function 00418E75: __EH_prolog3_GS.LIBCMT ref: 00418E7F
                                              • Part of subcall function 00418E75: _memmove.LIBCMT ref: 00418EA4
                                              • Part of subcall function 00418E75: lstrcpyW.KERNEL32(?,-00000004), ref: 00418ED9
                                              • Part of subcall function 00418E75: __setjmp3.LIBCMT ref: 00418EFA
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2441700723.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441790678.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441825034.00000000004D7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.00000000004DC000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000509000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000519000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: ErrorH_prolog3_Last$FreeString$H_prolog3__setjmp3_memmovelstrcpy
                                            • String ID: -IS_OriginalLauncher:$ -media_path:"$" -tempdisk1folder:"$&$@/L$@/L$@/L$open$|-L
                                            • API String ID: 2038878933-763899853
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            APIs
                                            • __EH_prolog3.LIBCMT ref: 00441B08
                                            • GetModuleHandleW.KERNEL32(kernel32.dll,CreateDirectoryW,00000000,0044269D), ref: 00441B25
                                            • GetProcAddress.KERNEL32(00000000), ref: 00441B28
                                            • CreateDirectoryW.KERNELBASE(@/L,00000001), ref: 00441B3F
                                            • GetModuleHandleW.KERNEL32(kernel32.dll,CreateDirectoryA), ref: 00441B4D
                                            • GetProcAddress.KERNEL32(00000000), ref: 00441B50
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2441700723.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441790678.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441825034.00000000004D7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.00000000004DC000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000509000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000519000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: AddressHandleModuleProc$CreateDirectoryH_prolog3
                                            • String ID: @/L$CreateDirectoryA$CreateDirectoryW$kernel32.dll
                                            • API String ID: 662308948-3360337979
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            APIs
                                            • __EH_prolog3.LIBCMT ref: 004437C6
                                            • GetModuleHandleW.KERNEL32(kernel32.dll,GetFileAttributesW,00000000,00441EB3,?,?,?,?,?,?,?,?,?,?,?,004097FA), ref: 004437E0
                                            • GetProcAddress.KERNEL32(00000000), ref: 004437E3
                                            • GetFileAttributesW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,004097FA), ref: 004437F9
                                            • GetModuleHandleW.KERNEL32(kernel32.dll,GetFileAttributesA,?,?,?,?,?,?,?,?,?,?,?,004097FA), ref: 00443807
                                            • GetProcAddress.KERNEL32(00000000), ref: 0044380A
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2441700723.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441790678.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441825034.00000000004D7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.00000000004DC000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000509000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000519000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: AddressHandleModuleProc$AttributesFileH_prolog3
                                            • String ID: GetFileAttributesA$GetFileAttributesW$kernel32.dll
                                            • API String ID: 3512441749-1399581607
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            APIs
                                            • CreateMutexW.KERNEL32(00000000,00000000,-00000004), ref: 00421044
                                            • WaitForSingleObject.KERNEL32(00000000,00000000), ref: 00421069
                                            • _memmove.LIBCMT ref: 00421625
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2441700723.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441790678.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441825034.00000000004D7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.00000000004DC000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000509000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000519000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: CreateMutexObjectSingleWait_memmove
                                            • String ID: -no_selfdeleter -IS_temp$@/L$@/L$Another instance of this setup is already running. Please wait for the other instance to finish and then try again.$no_selfdeleter
                                            • API String ID: 1945875148-1962316077
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 00441E3E
                                            • GetLastError.KERNEL32 ref: 00441ED3
                                            • GetLastError.KERNEL32 ref: 00441F92
                                            • __CxxThrowException@8.LIBCMT ref: 00442002
                                              • Part of subcall function 00408E82: __EH_prolog3.LIBCMT ref: 00408E89
                                              • Part of subcall function 00408E82: GetLastError.KERNEL32(00000004,00409E1B,004C2FA0,00000000,0043A706,?,?,00000001), ref: 00408EAB
                                              • Part of subcall function 00408E82: SetLastError.KERNEL32(?,00000000), ref: 00408EE3
                                              • Part of subcall function 00442017: __EH_prolog3_catch_GS.LIBCMT ref: 00442021
                                              • Part of subcall function 00442017: __CxxThrowException@8.LIBCMT ref: 004420E0
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2441700723.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441790678.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441825034.00000000004D7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.00000000004DC000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000509000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000519000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: ErrorLast$Exception@8Throw$H_prolog3H_prolog3_H_prolog3_catch_
                                            • String ID: $@/L$dJ$lJ
                                            • API String ID: 3135901474-310088486
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                              • Part of subcall function 0041BFB9: _memset.LIBCMT ref: 0041BFF9
                                              • Part of subcall function 0041BFB9: _memset.LIBCMT ref: 0041C016
                                              • Part of subcall function 0041BFB9: _memset.LIBCMT ref: 0041C030
                                              • Part of subcall function 0041BFB9: _memset.LIBCMT ref: 0041C04A
                                              • Part of subcall function 0041BFB9: _memset.LIBCMT ref: 0041C064
                                              • Part of subcall function 0041BFB9: _memset.LIBCMT ref: 0041C07E
                                              • Part of subcall function 0041BFB9: InitializeSecurityDescriptor.ADVAPI32(?,00000001), ref: 0041C08F
                                            • #17.COMCTL32 ref: 00426015
                                              • Part of subcall function 00404200: GetLastError.KERNEL32 ref: 0040421F
                                              • Part of subcall function 00404200: SetLastError.KERNEL32(?), ref: 0040424F
                                              • Part of subcall function 0040A0F0: SysStringLen.OLEAUT32(?), ref: 0040A0FD
                                              • Part of subcall function 0040A0F0: SysReAllocStringLen.OLEAUT32(?,00000001,?), ref: 0040A117
                                            • GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,?,00000104), ref: 00426062
                                              • Part of subcall function 00409574: __EH_prolog3_GS.LIBCMT ref: 0040957B
                                              • Part of subcall function 00409574: GetLastError.KERNEL32(00000038,0040DDFB,004492A1,?,004AFFA0), ref: 00409582
                                              • Part of subcall function 00409574: SetLastError.KERNEL32(00000000), ref: 004095D6
                                              • Part of subcall function 0043B52C: __EH_prolog3_GS.LIBCMT ref: 0043B536
                                              • Part of subcall function 0043B52C: GetCurrentProcessId.KERNEL32(bin,00000000), ref: 0043B683
                                              • Part of subcall function 0040E057: __EH_prolog3_GS.LIBCMT ref: 0040E061
                                              • Part of subcall function 00417333: __EH_prolog3.LIBCMT ref: 0041733A
                                              • Part of subcall function 00417333: GetProcAddress.KERNEL32(?,RemoveEngineTypelib), ref: 00417406
                                              • Part of subcall function 00409334: __EH_prolog3_GS.LIBCMT ref: 0040933B
                                              • Part of subcall function 00409334: DeleteFileW.KERNELBASE(00000005), ref: 00409425
                                              • Part of subcall function 00409334: Sleep.KERNEL32(00000064), ref: 00409439
                                              • Part of subcall function 00401B80: GetLastError.KERNEL32(?,00000000,00409F66,00000000,?,00000000,?,00000001,00000048,00409E02,004C2FA0,?,00000000,00000000,0000003C,00409181), ref: 00401B8F
                                              • Part of subcall function 00401B80: SysFreeString.OLEAUT32(00000000), ref: 00401BAB
                                              • Part of subcall function 00401B80: SysFreeString.OLEAUT32(0000002C), ref: 00401BB6
                                              • Part of subcall function 00401B80: SetLastError.KERNEL32(?), ref: 00401BD4
                                            • CoUninitialize.OLE32 ref: 00426153
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2441700723.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441790678.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441825034.00000000004D7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.00000000004DC000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000509000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000519000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: ErrorLast_memset$H_prolog3_String$FileFree$AddressAllocCurrentDeleteDescriptorH_prolog3InitializeModuleNameProcProcessSecuritySleepUninitialize
                                            • String ID: @/L$@/L$EXE=%s$EXEProcessBegin$ISSetupInit
                                            • API String ID: 1577315302-1180914206
                                            • Opcode ID: 37e33e08a69ec8d9a9e98aa63d76215eb7af806d72fff2adf52d2d2246c66f05
                                            • Instruction ID: ddca3c5136fd1a9baafb025972e1f55a76016417ff3bc3cd44e8b6ae246715ba
                                            • Opcode Fuzzy Hash: 37e33e08a69ec8d9a9e98aa63d76215eb7af806d72fff2adf52d2d2246c66f05
                                            • Instruction Fuzzy Hash: 0F317271600108ABDB04FBA1DD57FED77799F44308F4004AEF605AA1D2DFB85A48CBAA
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 004252F6
                                            • __CxxThrowException@8.LIBCMT ref: 0042535A
                                            • SetFilePointer.KERNELBASE(?,?,?,?,00000108,0042442C,00000000,00000000,00000000,00000000,00000000,00000010,004246AC), ref: 00425366
                                            • GetLastError.KERNEL32(?,?,?,?,?,?,00000000), ref: 004253B9
                                              • Part of subcall function 00408E82: __EH_prolog3.LIBCMT ref: 00408E89
                                              • Part of subcall function 00408E82: GetLastError.KERNEL32(00000004,00409E1B,004C2FA0,00000000,0043A706,?,?,00000001), ref: 00408EAB
                                              • Part of subcall function 00408E82: SetLastError.KERNEL32(?,00000000), ref: 00408EE3
                                              • Part of subcall function 00416CE9: __EH_prolog3.LIBCMT ref: 00416CF0
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2441700723.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441790678.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441825034.00000000004D7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.00000000004DC000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000509000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000519000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: ErrorLast$H_prolog3$Exception@8FileH_prolog3_PointerThrow
                                            • String ID: dJ$dJ$lJ$lJ
                                            • API String ID: 2919269545-2563680426
                                            • Opcode ID: 8d2b546f7e3d873672aad8cd1b5a24ab6e95af9ee3eee59a8c9df0d3ac62f50c
                                            • Instruction ID: af51474dedc5b26f7e802cd600de06d5f3abcaf2f955c679b4fb138413ebcb4e
                                            • Opcode Fuzzy Hash: 8d2b546f7e3d873672aad8cd1b5a24ab6e95af9ee3eee59a8c9df0d3ac62f50c
                                            • Instruction Fuzzy Hash: 663161B6900218EBCB14EF91CC85FEEB778BF14304F10426FE915A3181DB749A45CB99
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetModuleHandleW.KERNEL32(kernel32.dll,CreateFileW,?,00000000,?,0042469A,?,?,?,?,?,?,?,?,00000000,0044208C), ref: 00441B90
                                            • GetProcAddress.KERNEL32(00000000), ref: 00441B93
                                            • CreateFileW.KERNELBASE(?,?,?,?,?,?,?,?,00000000,?,0042469A,?,?,?,?,?), ref: 00441BBE
                                            • GetModuleHandleW.KERNEL32(kernel32.dll,CreateFileA,?,00000000,?,0042469A,?,?,?,?,?,?,?,?,00000000,0044208C), ref: 00441BC8
                                            • GetProcAddress.KERNEL32(00000000), ref: 00441BCB
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2441700723.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441790678.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441825034.00000000004D7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.00000000004DC000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000509000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000519000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: AddressHandleModuleProc$CreateFile
                                            • String ID: CreateFileA$CreateFileW$kernel32.dll
                                            • API String ID: 2362759813-3217398002
                                            • Opcode ID: 02d42acd285fee06010f2fe6d359a1c1e867698318d47a66b01dc30a36c81fdf
                                            • Instruction ID: e6a1661a0682fcf3c0b1e3af4245b7ebd0ec74b0ed3e6b90110b66c31ac7ed74
                                            • Opcode Fuzzy Hash: 02d42acd285fee06010f2fe6d359a1c1e867698318d47a66b01dc30a36c81fdf
                                            • Instruction Fuzzy Hash: 12015E32500249BBDF025FA4DC44DEB3F3AFF09354B04451AFE2596161D67AD861EBA8
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 0041B253
                                              • Part of subcall function 0040A0F0: SysStringLen.OLEAUT32(?), ref: 0040A0FD
                                              • Part of subcall function 0040A0F0: SysReAllocStringLen.OLEAUT32(?,00000001,?), ref: 0040A117
                                              • Part of subcall function 00425659: __EH_prolog3_GS.LIBCMT ref: 00425663
                                              • Part of subcall function 00425659: FindFirstFileW.KERNELBASE(?,?,00000001,?,00000000), ref: 004256E9
                                              • Part of subcall function 00409574: __EH_prolog3_GS.LIBCMT ref: 0040957B
                                              • Part of subcall function 00409574: GetLastError.KERNEL32(00000038,0040DDFB,004492A1,?,004AFFA0), ref: 00409582
                                              • Part of subcall function 00409574: SetLastError.KERNEL32(00000000), ref: 004095D6
                                              • Part of subcall function 00401B80: GetLastError.KERNEL32(?,00000000,00409F66,00000000,?,00000000,?,00000001,00000048,00409E02,004C2FA0,?,00000000,00000000,0000003C,00409181), ref: 00401B8F
                                              • Part of subcall function 00401B80: SysFreeString.OLEAUT32(00000000), ref: 00401BAB
                                              • Part of subcall function 00401B80: SysFreeString.OLEAUT32(0000002C), ref: 00401BB6
                                              • Part of subcall function 00401B80: SetLastError.KERNEL32(?), ref: 00401BD4
                                              • Part of subcall function 00408F6D: __EH_prolog3.LIBCMT ref: 00408F74
                                              • Part of subcall function 00408F6D: GetLastError.KERNEL32(00000004,004091E9,00000000,?,00000000,00000000), ref: 00408F96
                                              • Part of subcall function 00408F6D: SetLastError.KERNEL32(?,00000000,?), ref: 00408FCF
                                              • Part of subcall function 0040B91E: __EH_prolog3_GS.LIBCMT ref: 0040B925
                                              • Part of subcall function 00408E82: __EH_prolog3.LIBCMT ref: 00408E89
                                              • Part of subcall function 00408E82: GetLastError.KERNEL32(00000004,00409E1B,004C2FA0,00000000,0043A706,?,?,00000001), ref: 00408EAB
                                              • Part of subcall function 00408E82: SetLastError.KERNEL32(?,00000000), ref: 00408EE3
                                              • Part of subcall function 00441E34: __EH_prolog3_GS.LIBCMT ref: 00441E3E
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2441700723.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441790678.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441825034.00000000004D7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.00000000004DC000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000509000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000519000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: ErrorLast$H_prolog3_$String$FreeH_prolog3$AllocFileFindFirst
                                            • String ID: -package:$@/L$@/L$@/L$Disk1$setup.exe
                                            • API String ID: 2219161657-3779836210
                                            • Opcode ID: c1b0399b6a7a74406413bea6f852ab094c83e762743597c5191409fbb5aa38e8
                                            • Instruction ID: 7a0dce279f9585ff640f97ca2f15a969e3a000043eae30be66b08e4e35946bd6
                                            • Opcode Fuzzy Hash: c1b0399b6a7a74406413bea6f852ab094c83e762743597c5191409fbb5aa38e8
                                            • Instruction Fuzzy Hash: 51D16D70900258DFCB15EBA5CD55BDDBBB8AF59304F1040EEE40AA3292DB785B48CF65
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 004425AF
                                              • Part of subcall function 00401B80: GetLastError.KERNEL32(?,00000000,00409F66,00000000,?,00000000,?,00000001,00000048,00409E02,004C2FA0,?,00000000,00000000,0000003C,00409181), ref: 00401B8F
                                              • Part of subcall function 00401B80: SysFreeString.OLEAUT32(00000000), ref: 00401BAB
                                              • Part of subcall function 00401B80: SysFreeString.OLEAUT32(0000002C), ref: 00401BB6
                                              • Part of subcall function 00401B80: SetLastError.KERNEL32(?), ref: 00401BD4
                                              • Part of subcall function 00404200: GetLastError.KERNEL32 ref: 0040421F
                                              • Part of subcall function 00404200: SetLastError.KERNEL32(?), ref: 0040424F
                                            • GetLastError.KERNEL32 ref: 004426A4
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2441700723.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441790678.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441825034.00000000004D7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.00000000004DC000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000509000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000519000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: ErrorLast$FreeString$H_prolog3_
                                            • String ID: @/L$@/L$@/L$@/L$\
                                            • API String ID: 2549205776-2956137688
                                            • Opcode ID: 727859a4d26247b066e980e7e2c053824ca06b9e1fda651589b9d0085ee8ffe5
                                            • Instruction ID: e2230353d362fa85eb07b59c5b4e32cf780bde26922efe29a9011714be2845c6
                                            • Opcode Fuzzy Hash: 727859a4d26247b066e980e7e2c053824ca06b9e1fda651589b9d0085ee8ffe5
                                            • Instruction Fuzzy Hash: B941D6B1800118DFDB14EFE5C991AEE7B78BF14358F50012FF815A7292EBB85A09CB59
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 00415553
                                            • __CxxThrowException@8.LIBCMT ref: 004155C9
                                            • ReadFile.KERNELBASE(?,?,?,?,00000000,0000010C,004243E8,?,00000003,00000000,00000000,00000000,00000000,00000000,00000010,004246AC), ref: 004155DB
                                              • Part of subcall function 00408E82: __EH_prolog3.LIBCMT ref: 00408E89
                                              • Part of subcall function 00408E82: GetLastError.KERNEL32(00000004,00409E1B,004C2FA0,00000000,0043A706,?,?,00000001), ref: 00408EAB
                                              • Part of subcall function 00408E82: SetLastError.KERNEL32(?,00000000), ref: 00408EE3
                                              • Part of subcall function 00416CE9: __EH_prolog3.LIBCMT ref: 00416CF0
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2441700723.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441790678.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441825034.00000000004D7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.00000000004DC000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000509000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000519000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: ErrorH_prolog3Last$Exception@8FileH_prolog3_ReadThrow
                                            • String ID: dJ$dJ$lJ$lJ
                                            • API String ID: 2465803405-2563680426
                                            • Opcode ID: 2ce2bcd62077d47cbaec742ce579053ab29440419f78ca5c7f4ce532d42330ba
                                            • Instruction ID: 757f649c0f24d707cddd3cc6026ecbff9cc7938ff61cd9537476a12cee485af9
                                            • Opcode Fuzzy Hash: 2ce2bcd62077d47cbaec742ce579053ab29440419f78ca5c7f4ce532d42330ba
                                            • Instruction Fuzzy Hash: 5D212CB5900218EBCB14DF91CC81EEEB7BCBF54314F50855FE915A3141DB74AA89CB98
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 0041AA64
                                              • Part of subcall function 00408E82: __EH_prolog3.LIBCMT ref: 00408E89
                                              • Part of subcall function 00408E82: GetLastError.KERNEL32(00000004,00409E1B,004C2FA0,00000000,0043A706,?,?,00000001), ref: 00408EAB
                                              • Part of subcall function 00408E82: SetLastError.KERNEL32(?,00000000), ref: 00408EE3
                                              • Part of subcall function 00401B80: GetLastError.KERNEL32(?,00000000,00409F66,00000000,?,00000000,?,00000001,00000048,00409E02,004C2FA0,?,00000000,00000000,0000003C,00409181), ref: 00401B8F
                                              • Part of subcall function 00401B80: SysFreeString.OLEAUT32(00000000), ref: 00401BAB
                                              • Part of subcall function 00401B80: SysFreeString.OLEAUT32(0000002C), ref: 00401BB6
                                              • Part of subcall function 00401B80: SetLastError.KERNEL32(?), ref: 00401BD4
                                              • Part of subcall function 00408F6D: __EH_prolog3.LIBCMT ref: 00408F74
                                              • Part of subcall function 00408F6D: GetLastError.KERNEL32(00000004,004091E9,00000000,?,00000000,00000000), ref: 00408F96
                                              • Part of subcall function 00408F6D: SetLastError.KERNEL32(?,00000000,?), ref: 00408FCF
                                              • Part of subcall function 0040B91E: __EH_prolog3_GS.LIBCMT ref: 0040B925
                                              • Part of subcall function 00448D7A: __EH_prolog3_GS.LIBCMT ref: 00448D81
                                              • Part of subcall function 00448D7A: RegQueryValueExW.KERNELBASE(?,?,00000000,00000008,00000000,@/L,0000005C,0041AB68,?,-80000001,?,?), ref: 00448DF6
                                              • Part of subcall function 00404200: GetLastError.KERNEL32 ref: 0040421F
                                              • Part of subcall function 00404200: SetLastError.KERNEL32(?), ref: 0040424F
                                              • Part of subcall function 004160F7: __EH_prolog3.LIBCMT ref: 004160FE
                                              • Part of subcall function 0040A0F0: SysStringLen.OLEAUT32(?), ref: 0040A0FD
                                              • Part of subcall function 0040A0F0: SysReAllocStringLen.OLEAUT32(?,00000001,?), ref: 0040A117
                                              • Part of subcall function 0041AE03: __EH_prolog3_GS.LIBCMT ref: 0041AE0D
                                              • Part of subcall function 0041AE03: SysStringLen.OLEAUT32(?), ref: 0041AF0D
                                              • Part of subcall function 0041AE03: SysFreeString.OLEAUT32(?), ref: 0041AF18
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2441700723.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441790678.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441825034.00000000004D7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.00000000004DC000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000509000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000519000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: ErrorLast$String$H_prolog3_$FreeH_prolog3$AllocQueryValue
                                            • String ID: @/L$@/L$@/L$SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\$UninstallString
                                            • API String ID: 582199494-1771472271
                                            • Opcode ID: 0149de3d8ac455f402a5d3477ab22963d654d174c090e4eb89211ccb1969ea91
                                            • Instruction ID: 2133936ac230856c8cd993649dd183d126aef40e66d99f475f238cbc8be83664
                                            • Opcode Fuzzy Hash: 0149de3d8ac455f402a5d3477ab22963d654d174c090e4eb89211ccb1969ea91
                                            • Instruction Fuzzy Hash: 62715071900258EEDB25EBA5CC91BEEB7B8AF14304F1440DEE44963192DBB85F88CF65
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • VirtualQuery.KERNEL32(?,?,0000001C), ref: 0041A222
                                              • Part of subcall function 0041AFCF: CompareStringA.KERNELBASE(00000400,00000001,?,00000008,?,000000FF,?,00000000,?,?,0041A23E,.debug,?), ref: 0041AFF7
                                            • GetSystemInfo.KERNELBASE(?), ref: 0041A2D6
                                            • MapViewOfFile.KERNELBASE(?,00000004,00000000,?,?,?), ref: 0041A2F8
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2441700723.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441790678.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441825034.00000000004D7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.00000000004DC000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000509000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000519000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: CompareFileInfoQueryStringSystemViewVirtual
                                            • String ID: .debug$.rdata$.text
                                            • API String ID: 2597005349-733372908
                                            • Opcode ID: 523184ae0b0de6f3e55d0c113f4fe987be42d1687d59bfc980439c151a559eab
                                            • Instruction ID: 46f27250027f57cc5518d663b895eec603ef4a01fc78586ed2f5d97e3ef76f8b
                                            • Opcode Fuzzy Hash: 523184ae0b0de6f3e55d0c113f4fe987be42d1687d59bfc980439c151a559eab
                                            • Instruction Fuzzy Hash: 7E41AF72A01209AFDB04CF55D884ADEB7B5FF84320B24812BEC1497341DB34E960CB55
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetModuleHandleW.KERNEL32(Advapi32.dll), ref: 00401914
                                            • GetProcAddress.KERNEL32(00000000,RegOpenKeyTransactedW), ref: 0040192B
                                            • RegOpenKeyExW.KERNELBASE(?,?,00000000,?,00000000), ref: 00401964
                                            • RegCloseKey.ADVAPI32(00000000), ref: 00401977
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2441700723.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441790678.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441825034.00000000004D7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.00000000004DC000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000509000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000519000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: AddressCloseHandleModuleOpenProc
                                            • String ID: Advapi32.dll$RegOpenKeyTransactedW
                                            • API String ID: 823179699-3913318428
                                            • Opcode ID: 6ee1d71fa988bb30e016b90a3485b7a829df65091cdd77d6608e423e28bc6611
                                            • Instruction ID: 666d2447c34f23843a47037dd86c3aafb36c38135b32122c0204c92dcdb19132
                                            • Opcode Fuzzy Hash: 6ee1d71fa988bb30e016b90a3485b7a829df65091cdd77d6608e423e28bc6611
                                            • Instruction Fuzzy Hash: 181190B5200205EBEF248F56CC54FABBBA8EB55700F14403AF905B72A0D7B9DD40DB69
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 00423882
                                            • InterlockedDecrement.KERNEL32(00000000), ref: 00423892
                                            • FindCloseChangeNotification.KERNELBASE(000000FF), ref: 004238BA
                                            • __CxxThrowException@8.LIBCMT ref: 00423900
                                              • Part of subcall function 0042393F: InterlockedDecrement.KERNEL32(004D9B10), ref: 00423964
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2441700723.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441790678.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441825034.00000000004D7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.00000000004DC000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000509000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000519000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: DecrementInterlocked$ChangeCloseException@8FindH_prolog3_NotificationThrow
                                            • String ID: dJ$lJ
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetModuleHandleW.KERNEL32(kernel32,GetNativeSystemInfo,?,00445F90,?), ref: 0044A2E0
                                            • GetProcAddress.KERNEL32(00000000), ref: 0044A2E7
                                            • GetSystemInfo.KERNEL32(00445F90,?,00445F90,?), ref: 0044A2F4
                                            • GetNativeSystemInfo.KERNELBASE(00445F90,?,00445F90,?), ref: 0044A2FC
                                            Strings
                                            Similarity
                                            • API ID: InfoSystem$AddressHandleModuleNativeProc
                                            • String ID: GetNativeSystemInfo$kernel32
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3_catch_GS.LIBCMT ref: 00441615
                                              • Part of subcall function 00408E82: __EH_prolog3.LIBCMT ref: 00408E89
                                              • Part of subcall function 00408E82: GetLastError.KERNEL32(00000004,00409E1B,004C2FA0,00000000,0043A706,?,?,00000001), ref: 00408EAB
                                              • Part of subcall function 00408E82: SetLastError.KERNEL32(?,00000000), ref: 00408EE3
                                              • Part of subcall function 004470DB: __EH_prolog3.LIBCMT ref: 004470E2
                                            • GetLastError.KERNEL32 ref: 0044165A
                                              • Part of subcall function 004496BE: __EH_prolog3.LIBCMT ref: 004496C5
                                              • Part of subcall function 004451AC: __EH_prolog3_GS.LIBCMT ref: 004451B6
                                              • Part of subcall function 004451AC: __CxxThrowException@8.LIBCMT ref: 00445218
                                              • Part of subcall function 004451AC: GetFileTime.KERNEL32(?,@/L,?,?,00000108,004417D5,?,?,?,004AFFB8,80000000,00000001,00000080,00000003,00000000,00000000), ref: 00445222
                                            Strings
                                            Similarity
                                            • API ID: ErrorH_prolog3Last$Exception@8FileH_prolog3_H_prolog3_catch_ThrowTime
                                            • String ID: @/L$@/L
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 0044DA57
                                              • Part of subcall function 00408E82: __EH_prolog3.LIBCMT ref: 00408E89
                                              • Part of subcall function 00408E82: GetLastError.KERNEL32(00000004,00409E1B,004C2FA0,00000000,0043A706,?,?,00000001), ref: 00408EAB
                                              • Part of subcall function 00408E82: SetLastError.KERNEL32(?,00000000), ref: 00408EE3
                                              • Part of subcall function 0044D5E6: __EH_prolog3_GS.LIBCMT ref: 0044D5ED
                                              • Part of subcall function 00404200: GetLastError.KERNEL32 ref: 0040421F
                                              • Part of subcall function 00404200: SetLastError.KERNEL32(?), ref: 0040424F
                                            Strings
                                            Similarity
                                            • API ID: ErrorLast$H_prolog3_$H_prolog3
                                            • String ID: @/L$@/L$@/L$]
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 00448D81
                                              • Part of subcall function 00404200: GetLastError.KERNEL32 ref: 0040421F
                                              • Part of subcall function 00404200: SetLastError.KERNEL32(?), ref: 0040424F
                                              • Part of subcall function 004018F0: GetModuleHandleW.KERNEL32(Advapi32.dll), ref: 00401914
                                              • Part of subcall function 004018F0: RegCloseKey.ADVAPI32(00000000), ref: 00401977
                                            • RegQueryValueExW.KERNELBASE(?,?,00000000,00000008,00000000,@/L,0000005C,0041AB68,?,-80000001,?,?), ref: 00448DF6
                                              • Part of subcall function 0040A0F0: SysStringLen.OLEAUT32(?), ref: 0040A0FD
                                              • Part of subcall function 0040A0F0: SysReAllocStringLen.OLEAUT32(?,00000001,?), ref: 0040A117
                                              • Part of subcall function 0043F577: RegQueryValueExW.ADVAPI32(?,?,00000000,?,?,?,?,?,00000000,@/L,00448E3A,00000000,?,004C2F40,?,@/L), ref: 0043F598
                                              • Part of subcall function 00409574: __EH_prolog3_GS.LIBCMT ref: 0040957B
                                              • Part of subcall function 00409574: GetLastError.KERNEL32(00000038,0040DDFB,004492A1,?,004AFFA0), ref: 00409582
                                              • Part of subcall function 00409574: SetLastError.KERNEL32(00000000), ref: 004095D6
                                            Strings
                                            Similarity
                                            • API ID: ErrorLast$H_prolog3_QueryStringValue$AllocCloseHandleModule
                                            • String ID: @/L$@/L$@/L
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3.LIBCMT ref: 0042472C
                                              • Part of subcall function 00423917: FindCloseChangeNotification.KERNELBASE(000000FF,?,0041772A,00000004,00417C5E), ref: 0042392F
                                              • Part of subcall function 00423728: SysFreeString.OLEAUT32(?), ref: 0042373F
                                            • CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000,00000000,00000008,https://,00000000,00000000,00000007,http://,00000000,?), ref: 00424786
                                            Strings
                                            Similarity
                                            • API ID: ChangeCloseCreateFileFindFreeH_prolog3NotificationString
                                            • String ID: http://$https://$toys::file_lite
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3.LIBCMT ref: 004247F9
                                              • Part of subcall function 00423917: FindCloseChangeNotification.KERNELBASE(000000FF,?,0041772A,00000004,00417C5E), ref: 0042392F
                                              • Part of subcall function 00423728: SysFreeString.OLEAUT32(?), ref: 0042373F
                                            • Sleep.KERNEL32(000001F4), ref: 00424856
                                            • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,?,00000080,00000000,?,00000000,00000008,https://,00000000,00000000,00000007,http://,00000000), ref: 0042487E
                                            Strings
                                            Similarity
                                            • API ID: ChangeCloseCreateFileFindFreeH_prolog3NotificationSleepString
                                            • String ID: http://$https://
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 0043AF4A
                                            • WriteFile.KERNELBASE(?,?,?,?,00000000,00000088,0048A746,?,00000000,004AFFB8,40000000,00000001,00000080,00000002,00000000,00000000), ref: 0043AF6E
                                              • Part of subcall function 00408E82: __EH_prolog3.LIBCMT ref: 00408E89
                                              • Part of subcall function 00408E82: GetLastError.KERNEL32(00000004,00409E1B,004C2FA0,00000000,0043A706,?,?,00000001), ref: 00408EAB
                                              • Part of subcall function 00408E82: SetLastError.KERNEL32(?,00000000), ref: 00408EE3
                                              • Part of subcall function 00416910: __EH_prolog3.LIBCMT ref: 00416917
                                            • __CxxThrowException@8.LIBCMT ref: 0043AFB3
                                              • Part of subcall function 0045A466: RaiseException.KERNEL32(?,?,00459FCC,00000000,?,?,?,?,00459FCC,00000000,004D0E78,?), ref: 0045A4B7
                                            Strings
                                            Similarity
                                            • API ID: ErrorH_prolog3Last$ExceptionException@8FileH_prolog3_RaiseThrowWrite
                                            • String ID: dJ$lJ
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 00421F67
                                              • Part of subcall function 0044880F: __EH_prolog3_GS.LIBCMT ref: 00448816
                                              • Part of subcall function 0044880F: RegEnumKeyW.ADVAPI32(?,00000000,00000000,00000105), ref: 004488A2
                                            Strings
                                            Similarity
                                            • API ID: H_prolog3_$Enum
                                            • String ID: @/L$ProductGuid$SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 00448816
                                              • Part of subcall function 004018F0: GetModuleHandleW.KERNEL32(Advapi32.dll), ref: 00401914
                                              • Part of subcall function 004018F0: RegCloseKey.ADVAPI32(00000000), ref: 00401977
                                              • Part of subcall function 00404200: GetLastError.KERNEL32 ref: 0040421F
                                              • Part of subcall function 00404200: SetLastError.KERNEL32(?), ref: 0040424F
                                              • Part of subcall function 0040A0F0: SysStringLen.OLEAUT32(?), ref: 0040A0FD
                                              • Part of subcall function 0040A0F0: SysReAllocStringLen.OLEAUT32(?,00000001,?), ref: 0040A117
                                            • RegEnumKeyW.ADVAPI32(?,00000000,00000000,00000105), ref: 004488A2
                                              • Part of subcall function 00409574: __EH_prolog3_GS.LIBCMT ref: 0040957B
                                              • Part of subcall function 00409574: GetLastError.KERNEL32(00000038,0040DDFB,004492A1,?,004AFFA0), ref: 00409582
                                              • Part of subcall function 00409574: SetLastError.KERNEL32(00000000), ref: 004095D6
                                            Strings
                                            Similarity
                                            • API ID: ErrorLast$H_prolog3_String$AllocCloseEnumHandleModule
                                            • String ID: @/L$@/L
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3.LIBCMT ref: 0041CE85
                                              • Part of subcall function 00415F99: __EH_prolog3.LIBCMT ref: 00415FA0
                                              • Part of subcall function 00415F99: GetLastError.KERNEL32(00000004,004522CF,00000001,00000004,00452D7F,00000000,?), ref: 00415FC8
                                              • Part of subcall function 00415F99: SetLastError.KERNEL32(00000008), ref: 00415FED
                                            • SysStringLen.OLEAUT32(?), ref: 0041CEA9
                                              • Part of subcall function 00417173: GetLastError.KERNEL32 ref: 0041718A
                                              • Part of subcall function 00417173: SysFreeString.OLEAUT32(?), ref: 00417197
                                              • Part of subcall function 00417173: SetLastError.KERNEL32(?), ref: 004171B1
                                              • Part of subcall function 00417173: GetLastError.KERNEL32 ref: 004171C0
                                              • Part of subcall function 00417173: SysFreeString.OLEAUT32(?), ref: 004171DD
                                              • Part of subcall function 00417173: SetLastError.KERNEL32(?), ref: 004171ED
                                              • Part of subcall function 00424150: SysStringLen.OLEAUT32(?), ref: 00424162
                                            • CreateDirectoryW.KERNELBASE(?,00000000,?,00000000,00000001,00000000,?,00000001,00000001), ref: 0041CEE9
                                            Strings
                                            Similarity
                                            • API ID: ErrorLast$String$FreeH_prolog3$CreateDirectory
                                            • String ID: \
                                            • API String ID: 3191628259-2967466578
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • _malloc.LIBCMT ref: 0045C181
                                              • Part of subcall function 0045D6BB: __FF_MSGBANNER.LIBCMT ref: 0045D6D2
                                              • Part of subcall function 0045D6BB: __NMSG_WRITE.LIBCMT ref: 0045D6D9
                                              • Part of subcall function 0045D6BB: RtlAllocateHeap.NTDLL(00850000,00000000,00000001,00000000,?,00000000,?,00469FAC,00000008,00000008,00000008,?,?,00463326,00000018,004D1140), ref: 0045D6FE
                                            • std::exception::exception.LIBCMT ref: 0045C19D
                                            • __CxxThrowException@8.LIBCMT ref: 0045C1B2
                                              • Part of subcall function 0045A466: RaiseException.KERNEL32(?,?,00459FCC,00000000,?,?,?,?,00459FCC,00000000,004D0E78,?), ref: 0045A4B7
                                            Strings
                                            Similarity
                                            • API ID: AllocateExceptionException@8HeapRaiseThrow_mallocstd::exception::exception
                                            • String ID: M
                                            • API String ID: 3074076210-1509087228
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3.LIBCMT ref: 00408F74
                                            • GetLastError.KERNEL32(00000004,004091E9,00000000,?,00000000,00000000), ref: 00408F96
                                            • SetLastError.KERNEL32(?,00000000,?), ref: 00408FCF
                                            Strings
                                            Similarity
                                            • API ID: ErrorLast$H_prolog3
                                            • String ID: |-L
                                            • API String ID: 3502553090-4259979122
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Strings
                                            Similarity
                                            • API ID: _memmove
                                            • String ID: invalid string position$string too long
                                            • API String ID: 4104443479-4289949731
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 0044D5ED
                                              • Part of subcall function 00404200: GetLastError.KERNEL32 ref: 0040421F
                                              • Part of subcall function 00404200: SetLastError.KERNEL32(?), ref: 0040424F
                                              • Part of subcall function 00408E82: __EH_prolog3.LIBCMT ref: 00408E89
                                              • Part of subcall function 00408E82: GetLastError.KERNEL32(00000004,00409E1B,004C2FA0,00000000,0043A706,?,?,00000001), ref: 00408EAB
                                              • Part of subcall function 00408E82: SetLastError.KERNEL32(?,00000000), ref: 00408EE3
                                              • Part of subcall function 00433F0A: __EH_prolog3_GS.LIBCMT ref: 00433F14
                                            Strings
                                            Similarity
                                            • API ID: ErrorLast$H_prolog3_$H_prolog3
                                            • String ID: @/L$@/L
                                            • API String ID: 532146472-2149722323
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3.LIBCMT ref: 00424639
                                              • Part of subcall function 00423878: __EH_prolog3_GS.LIBCMT ref: 00423882
                                              • Part of subcall function 00423878: InterlockedDecrement.KERNEL32(00000000), ref: 00423892
                                              • Part of subcall function 00423878: FindCloseChangeNotification.KERNELBASE(000000FF), ref: 004238BA
                                              • Part of subcall function 00423878: __CxxThrowException@8.LIBCMT ref: 00423900
                                              • Part of subcall function 0045C169: _malloc.LIBCMT ref: 0045C181
                                              • Part of subcall function 0045C169: std::exception::exception.LIBCMT ref: 0045C19D
                                              • Part of subcall function 0045C169: __CxxThrowException@8.LIBCMT ref: 0045C1B2
                                            • GetLastError.KERNEL32(000000FF,00000000,80400100,?,00000000,0044208C,004AFFB8,80000000,00000001,00000080,00000003,00000000,00000000,?,00000000,0000013C), ref: 00424714
                                            Strings
                                            Similarity
                                            • API ID: Exception@8Throw$ChangeCloseDecrementErrorFindH_prolog3H_prolog3_InterlockedLastNotification_mallocstd::exception::exception
                                            • String ID: toys::file
                                            • API String ID: 525007960-314977804
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • SysAllocStringLen.OLEAUT32(00000000,?), ref: 00408209
                                            • _memmove.LIBCMT ref: 00408231
                                            • SysFreeString.OLEAUT32(004D9420), ref: 00408241
                                            Similarity
                                            • API ID: String$AllocFree_memmove
                                            • String ID:
                                            • API String ID: 439004091-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Similarity
                                            • API ID: __cinit__wsetenvp__wwincmdln_doexit
                                            • String ID:
                                            • API String ID: 3457282892-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • WaitForSingleObject.KERNEL32(00000000,?,?,?,?,?,0044A10A,?,?,00000000), ref: 0044A1A1
                                            • GetExitCodeProcess.KERNELBASE(00000000,004D99FC), ref: 0044A1B3
                                            • WaitForSingleObject.KERNEL32(00000000,000003E8,?,?,?,?,0044A10A,?), ref: 0044A1D7
                                            Similarity
                                            • API ID: ObjectSingleWait$CodeExitProcess
                                            • String ID:
                                            • API String ID: 2567322000-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 0043E471
                                            • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 0043E48C
                                              • Part of subcall function 0040B827: __EH_prolog3.LIBCMT ref: 0040B82E
                                              • Part of subcall function 0040B827: GetLastError.KERNEL32(00000004,00416939,00000008,004238F4,dJ,00000001,?,00000000), ref: 0040B847
                                            • __CxxThrowException@8.LIBCMT ref: 0043E4AD
                                              • Part of subcall function 0045A466: RaiseException.KERNEL32(?,?,00459FCC,00000000,?,?,?,?,00459FCC,00000000,004D0E78,?), ref: 0045A4B7
                                            Similarity
                                            • API ID: DirectoryErrorExceptionException@8H_prolog3H_prolog3_LastRaiseThrowWindows
                                            • String ID:
                                            • API String ID: 1535131608-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3.LIBCMT ref: 00408E89
                                            • GetLastError.KERNEL32(00000004,00409E1B,004C2FA0,00000000,0043A706,?,?,00000001), ref: 00408EAB
                                            • SetLastError.KERNEL32(?,00000000), ref: 00408EE3
                                            Similarity
                                            • API ID: ErrorLast$H_prolog3
                                            • String ID:
                                            • API String ID: 3502553090-0
                                            • Opcode ID: b591589db8382f3a53e4722cc0a8441831acecdfbee6480e83bf172b1ce2c978
                                            • Instruction ID: cd4775aae2f589b2b6190ba357f6bb552be386f9e6396f327a4e4cbd48ebdd8e
                                            • Opcode Fuzzy Hash: b591589db8382f3a53e4722cc0a8441831acecdfbee6480e83bf172b1ce2c978
                                            • Instruction Fuzzy Hash: 340128B5900212EBC7009F19C944A15BBF4FB58715B05812AA8049BB51CB74E911CFC8
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2441700723.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441790678.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441825034.00000000004D7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.00000000004DC000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000509000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000519000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: _memmove
                                            • String ID: string too long
                                            • API String ID: 4104443479-2556327735
                                            • Opcode ID: d8d9a17f56fe8aa362f9e817b0c60bb4dbe1fcfd788c416c140c65da734472c6
                                            • Instruction ID: 2aab97029b4e0d26d72d430128af5ee2a3aa4b9c941feaa72b39917c82615ea0
                                            • Opcode Fuzzy Hash: d8d9a17f56fe8aa362f9e817b0c60bb4dbe1fcfd788c416c140c65da734472c6
                                            • Instruction Fuzzy Hash: 8E31C832718A049BC6349E5CE89086AF3E9FF91721320093FE447D7690DB36FC5587AA
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 0041E058
                                              • Part of subcall function 0041E830: __EH_prolog3_GS.LIBCMT ref: 0041E83A
                                              • Part of subcall function 0041E108: __EH_prolog3_GS.LIBCMT ref: 0041E112
                                              • Part of subcall function 0040B2A8: __EH_prolog3_GS.LIBCMT ref: 0040B2AF
                                              • Part of subcall function 00401B80: GetLastError.KERNEL32(?,00000000,00409F66,00000000,?,00000000,?,00000001,00000048,00409E02,004C2FA0,?,00000000,00000000,0000003C,00409181), ref: 00401B8F
                                              • Part of subcall function 00401B80: SysFreeString.OLEAUT32(00000000), ref: 00401BAB
                                              • Part of subcall function 00401B80: SysFreeString.OLEAUT32(0000002C), ref: 00401BB6
                                              • Part of subcall function 00401B80: SetLastError.KERNEL32(?), ref: 00401BD4
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2441700723.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441790678.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441825034.00000000004D7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.00000000004DC000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000509000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000519000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: H_prolog3_$ErrorFreeLastString
                                            • String ID: @/L
                                            • API String ID: 2278686355-3803013380
                                            • Opcode ID: bc945ff16b6d0ed2995fb2ef97eae8a78a2a7d4e73a5dcd7c5328964f522f2f0
                                            • Instruction ID: d43dc1dfd1c1d366e0ea72215a4e762f3d586d334f07ae9165dfa1a365a6cae9
                                            • Opcode Fuzzy Hash: bc945ff16b6d0ed2995fb2ef97eae8a78a2a7d4e73a5dcd7c5328964f522f2f0
                                            • Instruction Fuzzy Hash: DC110871901214EACB01FBA68851ADD77B89F15748F00406FF956A7282EB3CAB0DC3D9
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2441700723.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441790678.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441825034.00000000004D7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.00000000004DC000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000509000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000519000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: H_prolog3_catch
                                            • String ID: 0
                                            • API String ID: 3886170330-4108050209
                                            • Opcode ID: 7ce16868f1a16a77d6c4d4eee927ed42f4fd5f8fdd78f431fd6d6b4a48991903
                                            • Instruction ID: 1fd2965e065748cf62c6a7fa8096d60270a7602916f02e7b6492d4e078cd3bba
                                            • Opcode Fuzzy Hash: 7ce16868f1a16a77d6c4d4eee927ed42f4fd5f8fdd78f431fd6d6b4a48991903
                                            • Instruction Fuzzy Hash: 6211C275A012059FCB14EF65C4426AEBBB1EF44314F20842FF88597381C7389A40CF88
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3.LIBCMT ref: 004198BE
                                              • Part of subcall function 004448BB: __EH_prolog3_GS.LIBCMT ref: 004448C5
                                              • Part of subcall function 004448BB: AllocateAndInitializeSid.ADVAPI32(?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0000014C,004198D8,?), ref: 00444921
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2441700723.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441790678.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441825034.00000000004D7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.00000000004DC000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000509000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000519000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: AllocateH_prolog3H_prolog3_Initialize
                                            • String ID: |-L
                                            • API String ID: 2231948254-4259979122
                                            • Opcode ID: df9c2ebbbd5aee6dc787c1d0fdeef885944cdeb5720d53540bd226ff44c2579a
                                            • Instruction ID: 2809e8d2b4c3faa5a8e81246fc108352b0dc2c1221e72939130a15a3242d449d
                                            • Opcode Fuzzy Hash: df9c2ebbbd5aee6dc787c1d0fdeef885944cdeb5720d53540bd226ff44c2579a
                                            • Instruction Fuzzy Hash: 72F0C271A002056BEB00BB65C903BDE7B689F11B15F10006AF9046A2D2C7794F4587CA
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3.LIBCMT ref: 00415469
                                              • Part of subcall function 00408E82: __EH_prolog3.LIBCMT ref: 00408E89
                                              • Part of subcall function 00408E82: GetLastError.KERNEL32(00000004,00409E1B,004C2FA0,00000000,0043A706,?,?,00000001), ref: 00408EAB
                                              • Part of subcall function 00408E82: SetLastError.KERNEL32(?,00000000), ref: 00408EE3
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2441700723.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441790678.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441825034.00000000004D7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.00000000004DC000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000509000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000519000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: ErrorH_prolog3Last
                                            • String ID: @/L
                                            • API String ID: 685212868-3803013380
                                            • Opcode ID: e6f01ac3d16a584b9ac28880e0d5266b2c760821b6eb3e499ac6d90e072e62c5
                                            • Instruction ID: 32e3fda1b680a593550d4b26a9284ff40ed6650362c56bb69f7499e5daed3f81
                                            • Opcode Fuzzy Hash: e6f01ac3d16a584b9ac28880e0d5266b2c760821b6eb3e499ac6d90e072e62c5
                                            • Instruction Fuzzy Hash: DDE0EC74541208E7DB04AF51C602B9D7670EF54319F50905FA9445A292CBF94644D69C
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • OpenProcess.KERNEL32(001FFFFF,00000001,00000000), ref: 0044A143
                                            • CloseHandle.KERNEL32(?), ref: 0044A163
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2441700723.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441790678.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441825034.00000000004D7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.00000000004DC000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000509000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000519000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: CloseHandleOpenProcess
                                            • String ID:
                                            • API String ID: 39102293-0
                                            • Opcode ID: 058ab2cadc50432d22addfb1e7a2b3727e989381a9dd5f2e60146ef8b3f8739f
                                            • Instruction ID: 303365f954ea690ef316d0ea2206777c33a968c41db78a4177581de524328a4c
                                            • Opcode Fuzzy Hash: 058ab2cadc50432d22addfb1e7a2b3727e989381a9dd5f2e60146ef8b3f8739f
                                            • Instruction Fuzzy Hash: 2421A571A81609BBFF125E65DD46BAB37A8AF00344F08402AFD10D6391E779CD7096AB
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2441700723.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441790678.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441825034.00000000004D7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.00000000004DC000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000509000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000519000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 7a380af8c49e81da325641f793c3316773586ba9f4006d4935bfe4379c1f45da
                                            • Instruction ID: 58e0045d7d6f8f9b5b65513340df0367d2d4103165b97ae2735c2a79332c1d3b
                                            • Opcode Fuzzy Hash: 7a380af8c49e81da325641f793c3316773586ba9f4006d4935bfe4379c1f45da
                                            • Instruction Fuzzy Hash: 2311E739254391D5CF206BE694212EAF3B8AF92B84710040FED5293752D7B97C89C76E
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • ___crtCorExitProcess.LIBCMT ref: 00469AF3
                                              • Part of subcall function 00469ABB: GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,MF,?,?,00469AF8,00000008,?,0045D6E8,000000FF,0000001E,00000000,?,00000000,?,00469FAC), ref: 00469ACA
                                              • Part of subcall function 00469ABB: GetProcAddress.KERNEL32(MF,CorExitProcess), ref: 00469ADC
                                            • ExitProcess.KERNEL32 ref: 00469AFC
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2441700723.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441790678.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441825034.00000000004D7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.00000000004DC000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000509000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000519000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: ExitProcess$AddressHandleModuleProc___crt
                                            • String ID:
                                            • API String ID: 2427264223-0
                                            • Opcode ID: c5659f21324d10b2033b40b7ee3689cdf1ae860aaabf9acc87adb8bdf902fe97
                                            • Instruction ID: aa2cfe5421c62c74bc02cdffb4acc113a6f87016791dd0d9fb1beb9049ac7786
                                            • Opcode Fuzzy Hash: c5659f21324d10b2033b40b7ee3689cdf1ae860aaabf9acc87adb8bdf902fe97
                                            • Instruction Fuzzy Hash: 30B09231000108BBEB012F52DC0E8883F6DEB01790B008425F81508175EBB2AD929A89
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3_catch.LIBCMT ref: 00424333
                                              • Part of subcall function 00425464: __EH_prolog3_GS.LIBCMT ref: 0042546E
                                              • Part of subcall function 00425464: __CxxThrowException@8.LIBCMT ref: 004254D3
                                              • Part of subcall function 00425464: GetFileSize.KERNEL32(?,?,00000108,00424345,00000000,00000010,004246AC,?,?,?,?,?,?,00000000), ref: 004254DC
                                              • Part of subcall function 00425464: GetLastError.KERNEL32(?,?,?,?,?,?,00000000), ref: 004254E9
                                              • Part of subcall function 004252EC: __EH_prolog3_GS.LIBCMT ref: 004252F6
                                              • Part of subcall function 004252EC: __CxxThrowException@8.LIBCMT ref: 0042535A
                                              • Part of subcall function 004252EC: SetFilePointer.KERNELBASE(?,?,?,?,00000108,0042442C,00000000,00000000,00000000,00000000,00000000,00000010,004246AC), ref: 00425366
                                              • Part of subcall function 004252EC: GetLastError.KERNEL32(?,?,?,?,?,?,00000000), ref: 004253B9
                                              • Part of subcall function 00415549: __EH_prolog3_GS.LIBCMT ref: 00415553
                                              • Part of subcall function 00415549: __CxxThrowException@8.LIBCMT ref: 004155C9
                                              • Part of subcall function 00415549: ReadFile.KERNELBASE(?,?,?,?,00000000,0000010C,004243E8,?,00000003,00000000,00000000,00000000,00000000,00000000,00000010,004246AC), ref: 004155DB
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2441700723.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441790678.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441825034.00000000004D7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.00000000004DC000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000509000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000519000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: Exception@8FileH_prolog3_Throw$ErrorLast$H_prolog3_catchPointerReadSize
                                            • String ID:
                                            • API String ID: 2159634448-0
                                            • Opcode ID: 500855b1677724a8cc5570667c0c80bc56a84ea79e9f84727f41942d5ba3cddd
                                            • Instruction ID: 6f042c7f5be1895180e12ea151be4674697b2fd49855ba8023a2fcefa1d4d327
                                            • Opcode Fuzzy Hash: 500855b1677724a8cc5570667c0c80bc56a84ea79e9f84727f41942d5ba3cddd
                                            • Instruction Fuzzy Hash: E5213970B0076999DF30E7A954417BFAAB9AB91328F90024FE5A2922D2C77C4D41935E
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 0041CC7E
                                              • Part of subcall function 00416831: __EH_prolog3.LIBCMT ref: 00416838
                                              • Part of subcall function 00408E82: __EH_prolog3.LIBCMT ref: 00408E89
                                              • Part of subcall function 00408E82: GetLastError.KERNEL32(00000004,00409E1B,004C2FA0,00000000,0043A706,?,?,00000001), ref: 00408EAB
                                              • Part of subcall function 00408E82: SetLastError.KERNEL32(?,00000000), ref: 00408EE3
                                              • Part of subcall function 00424632: __EH_prolog3.LIBCMT ref: 00424639
                                              • Part of subcall function 00401B80: GetLastError.KERNEL32(?,00000000,00409F66,00000000,?,00000000,?,00000001,00000048,00409E02,004C2FA0,?,00000000,00000000,0000003C,00409181), ref: 00401B8F
                                              • Part of subcall function 00401B80: SysFreeString.OLEAUT32(00000000), ref: 00401BAB
                                              • Part of subcall function 00401B80: SysFreeString.OLEAUT32(0000002C), ref: 00401BB6
                                              • Part of subcall function 00401B80: SetLastError.KERNEL32(?), ref: 00401BD4
                                              • Part of subcall function 00425464: __EH_prolog3_GS.LIBCMT ref: 0042546E
                                              • Part of subcall function 00425464: __CxxThrowException@8.LIBCMT ref: 004254D3
                                              • Part of subcall function 00425464: GetFileSize.KERNEL32(?,?,00000108,00424345,00000000,00000010,004246AC,?,?,?,?,?,?,00000000), ref: 004254DC
                                              • Part of subcall function 00425464: GetLastError.KERNEL32(?,?,?,?,?,?,00000000), ref: 004254E9
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2441700723.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441790678.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441825034.00000000004D7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.00000000004DC000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000509000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000519000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: ErrorLast$H_prolog3$FreeH_prolog3_String$Exception@8FileSizeThrow
                                            • String ID:
                                            • API String ID: 3623232617-0
                                            • Opcode ID: 49a349a22a42cd11433ac022693faf57aa284f8db0cc27edbc0a6a7a0d10b8ce
                                            • Instruction ID: 180204596517c0e9b6ac9009096acaf67d3b5e0577b6137ead57bd40ceddf8f6
                                            • Opcode Fuzzy Hash: 49a349a22a42cd11433ac022693faf57aa284f8db0cc27edbc0a6a7a0d10b8ce
                                            • Instruction Fuzzy Hash: 36215E31900218DEEB14EBA4CC55BDDB7B8BF10319F5041AEE445A7192EB38AE49CB55
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 00433F14
                                              • Part of subcall function 00416831: __EH_prolog3.LIBCMT ref: 00416838
                                              • Part of subcall function 00408E82: __EH_prolog3.LIBCMT ref: 00408E89
                                              • Part of subcall function 00408E82: GetLastError.KERNEL32(00000004,00409E1B,004C2FA0,00000000,0043A706,?,?,00000001), ref: 00408EAB
                                              • Part of subcall function 00408E82: SetLastError.KERNEL32(?,00000000), ref: 00408EE3
                                              • Part of subcall function 00424632: __EH_prolog3.LIBCMT ref: 00424639
                                              • Part of subcall function 00401B80: GetLastError.KERNEL32(?,00000000,00409F66,00000000,?,00000000,?,00000001,00000048,00409E02,004C2FA0,?,00000000,00000000,0000003C,00409181), ref: 00401B8F
                                              • Part of subcall function 00401B80: SysFreeString.OLEAUT32(00000000), ref: 00401BAB
                                              • Part of subcall function 00401B80: SysFreeString.OLEAUT32(0000002C), ref: 00401BB6
                                              • Part of subcall function 00401B80: SetLastError.KERNEL32(?), ref: 00401BD4
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2441700723.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441790678.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441825034.00000000004D7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.00000000004DC000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000509000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000519000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: ErrorLast$H_prolog3$FreeString$H_prolog3_
                                            • String ID:
                                            • API String ID: 1866482717-0
                                            • Opcode ID: 73c65bbe125acbbc9f5ae55ec18e9875de501598b5492e8ab105c17a457aefdc
                                            • Instruction ID: 5bcea37284075e25d5198c2aa56f72f07ba9248de4b731e2aa7ee767efa03dfb
                                            • Opcode Fuzzy Hash: 73c65bbe125acbbc9f5ae55ec18e9875de501598b5492e8ab105c17a457aefdc
                                            • Instruction Fuzzy Hash: 6C21A130801258DBDB21EF94C841BDDBB70BF14708F54809EF984A7282DB786F49CBA4
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • CompareStringA.KERNELBASE(00000400,00000001,?,00000008,?,000000FF,?,00000000,?,?,0041A23E,.debug,?), ref: 0041AFF7
                                            Similarity
                                            • API ID: CompareString
                                            • String ID:
                                            • API String ID: 1825529933-0
                                            • Opcode ID: 20a314cae8d14066ab1c315db32f16a6f30b3824b53d335ad9eeebe919a7255f
                                            • Instruction ID: 530d9d599951c99dcc0185d0d228e63b42ac07b487ab74325c1618bcfae99184
                                            • Opcode Fuzzy Hash: 20a314cae8d14066ab1c315db32f16a6f30b3824b53d335ad9eeebe919a7255f
                                            • Instruction Fuzzy Hash: E9F0E53234412576DB114A965C81AE7FB59EB06770F518222FA38A6180D7B5ECC292E8
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 004250A7
                                            Similarity
                                            • API ID: FileRead
                                            • String ID:
                                            • API String ID: 2738559852-0
                                            • Opcode ID: d4ac50bccea01211118c50626b05f59935f398a5f128bbe2cdea3913c471716a
                                            • Instruction ID: 6ce1b97a90a1347bbbf41986e1d0e4c0939c7b018aad587f643f27bf801551af
                                            • Opcode Fuzzy Hash: d4ac50bccea01211118c50626b05f59935f398a5f128bbe2cdea3913c471716a
                                            • Instruction Fuzzy Hash: B5F0E532200118FFCF009F40CC40E99BB6DEF06755F108165BE145A0A1D332DE12EBD4
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3_catch.LIBCMT ref: 004151CD
                                              • Part of subcall function 00415462: __EH_prolog3.LIBCMT ref: 00415469
                                            Similarity
                                            • API ID: H_prolog3H_prolog3_catch
                                            • String ID:
                                            • API String ID: 1882928916-0
                                            • Opcode ID: 0ad919a521f2e055eab9ffcef74c0a5f3d5a80d7ad020efa133144dfd19ed34e
                                            • Instruction ID: 8b18382f5678aaa6d813228de1e50a62db69bcf4f26b2a3607d7dc471782994d
                                            • Opcode Fuzzy Hash: 0ad919a521f2e055eab9ffcef74c0a5f3d5a80d7ad020efa133144dfd19ed34e
                                            • Instruction Fuzzy Hash: D9E04632A11A59EBCB01FF8588016DF7721BF85715F59440AFC002B301C738AE458BDA
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3.LIBCMT ref: 004470E2
                                              • Part of subcall function 0040A206: __EH_prolog3_GS.LIBCMT ref: 0040A210
                                              • Part of subcall function 004425A8: __EH_prolog3_GS.LIBCMT ref: 004425AF
                                              • Part of subcall function 004425A8: GetLastError.KERNEL32 ref: 004426A4
                                              • Part of subcall function 00401B80: GetLastError.KERNEL32(?,00000000,00409F66,00000000,?,00000000,?,00000001,00000048,00409E02,004C2FA0,?,00000000,00000000,0000003C,00409181), ref: 00401B8F
                                              • Part of subcall function 00401B80: SysFreeString.OLEAUT32(00000000), ref: 00401BAB
                                              • Part of subcall function 00401B80: SysFreeString.OLEAUT32(0000002C), ref: 00401BB6
                                              • Part of subcall function 00401B80: SetLastError.KERNEL32(?), ref: 00401BD4
                                            Similarity
                                            • API ID: ErrorLast$FreeH_prolog3_String$H_prolog3
                                            • String ID:
                                            • API String ID: 386487564-0
                                            • Opcode ID: bb416fd25fe376ab0b7eee05979aeb2bfe3b8989df880676763b4553eb18912c
                                            • Instruction ID: eeda302224e1e2d715bd7bc18639648045e25d061f8b8f5264039f371051b528
                                            • Opcode Fuzzy Hash: bb416fd25fe376ab0b7eee05979aeb2bfe3b8989df880676763b4553eb18912c
                                            • Instruction Fuzzy Hash: 81D0C2A49111007AEB0CBB26C8179AD37288F11354B40502FFC15473A2EA7C560C81ED
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • SetFilePointer.KERNELBASE(000000FF,?,000000FF,?), ref: 0042542F
                                            Similarity
                                            • API ID: FilePointer
                                            • String ID:
                                            • API String ID: 973152223-0
                                            • Opcode ID: 6180d160bf37eafee95e332dd2cfcb138bc450929d0c8947b1cf6e744e2f61e0
                                            • Instruction ID: 6c1d035aab9d24d55cc3c180fec6a0c56823e5c399f9d78deba1b07ba70a0e0b
                                            • Opcode Fuzzy Hash: 6180d160bf37eafee95e332dd2cfcb138bc450929d0c8947b1cf6e744e2f61e0
                                            • Instruction Fuzzy Hash: 30E0DF31100109FFCB00DF50D905E99BF78FF02329F208198F4194A2A0C336EA12EF95
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • WriteFile.KERNELBASE(?,?,?,?,00000000), ref: 00425FA2
                                            Similarity
                                            • API ID: FileWrite
                                            • String ID:
                                            • API String ID: 3934441357-0
                                            • Opcode ID: 9bbfac0eb4c3612a7822d6e7e9d00e82deabb6554d21890c00abd8639293d43b
                                            • Instruction ID: 59e2199c77b72c2af7b3068cab168a224e5da579144f00fc689edbda4a8099af
                                            • Opcode Fuzzy Hash: 9bbfac0eb4c3612a7822d6e7e9d00e82deabb6554d21890c00abd8639293d43b
                                            • Instruction Fuzzy Hash: 4ED01736200108BBDB059B91CD06E997BACEB09360F108264BA26850A0D772DE109B50
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • RegCloseKey.KERNELBASE(00000000,?,0040E90B), ref: 004018CA
                                            Similarity
                                            • API ID: Close
                                            • String ID:
                                            • API String ID: 3535843008-0
                                            • Opcode ID: 913714d106289af44a3233bedb904f0d2cfd092c40a8ecab6c1ddbfcccfbf739
                                            • Instruction ID: 35568107ca6a2d1c2ae5aa4ac90370f89ea05eb17667ed646162b5df9abaad68
                                            • Opcode Fuzzy Hash: 913714d106289af44a3233bedb904f0d2cfd092c40a8ecab6c1ddbfcccfbf739
                                            • Instruction Fuzzy Hash: 9ED0C9715097208BD7709F2DF9047837BE8AF04710F15886EE499D3644D7B8DC818B94
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • FindCloseChangeNotification.KERNELBASE(000000FF,?,0041772A,00000004,00417C5E), ref: 0042392F
                                              • Part of subcall function 0042393F: InterlockedDecrement.KERNEL32(004D9B10), ref: 00423964
                                            Similarity
                                            • API ID: ChangeCloseDecrementFindInterlockedNotification
                                            • String ID:
                                            • API String ID: 148996130-0
                                            • Opcode ID: 7e3afa3cab65c4c4bfcc074b3dc16802bff0ad01fb72513ec71fcb362ec066b1
                                            • Instruction ID: 1a04bbf9125ed3f6d2895db98d060ad1f499ef540b6d0e15ad137bed5879aa94
                                            • Opcode Fuzzy Hash: 7e3afa3cab65c4c4bfcc074b3dc16802bff0ad01fb72513ec71fcb362ec066b1
                                            • Instruction Fuzzy Hash: DBD05B70602B118BC7345F19F509753B6F45F06B32744471E90FB429F087B86841C608
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • FindCloseChangeNotification.KERNELBASE(?,?,0041781D), ref: 00405183
                                            Similarity
                                            • API ID: ChangeCloseFindNotification
                                            • String ID:
                                            • API String ID: 2591292051-0
                                            • Opcode ID: a02228b7d65cdfe4733a7f04c3010a86aefe6b0324a7f5084bb205d60545f0bf
                                            • Instruction ID: ddf6ed067c745a12368ff6712c0ccd030511df265d9738625be335e2a2687e02
                                            • Opcode Fuzzy Hash: a02228b7d65cdfe4733a7f04c3010a86aefe6b0324a7f5084bb205d60545f0bf
                                            • Instruction Fuzzy Hash: CCC01230A096115ADB788F2AA850B6322D8AF48300B14093EAC91EB380CA78DC818B98
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3.LIBCMT ref: 004176DB
                                              • Part of subcall function 00423878: __EH_prolog3_GS.LIBCMT ref: 00423882
                                              • Part of subcall function 00423878: InterlockedDecrement.KERNEL32(00000000), ref: 00423892
                                              • Part of subcall function 00423878: FindCloseChangeNotification.KERNELBASE(000000FF), ref: 004238BA
                                              • Part of subcall function 00423878: __CxxThrowException@8.LIBCMT ref: 00423900
                                              • Part of subcall function 00401B80: GetLastError.KERNEL32(?,00000000,00409F66,00000000,?,00000000,?,00000001,00000048,00409E02,004C2FA0,?,00000000,00000000,0000003C,00409181), ref: 00401B8F
                                              • Part of subcall function 00401B80: SysFreeString.OLEAUT32(00000000), ref: 00401BAB
                                              • Part of subcall function 00401B80: SysFreeString.OLEAUT32(0000002C), ref: 00401BB6
                                              • Part of subcall function 00401B80: SetLastError.KERNEL32(?), ref: 00401BD4
                                            Similarity
                                            • API ID: ErrorFreeLastString$ChangeCloseDecrementException@8FindH_prolog3H_prolog3_InterlockedNotificationThrow
                                            • String ID:
                                            • API String ID: 3768595382-0
                                            • Opcode ID: 66c70106b11f875f12e948a588e9645b5f6bfb61fe69adafccc8b296f8bbef83
                                            • Instruction ID: c9b6578549235cf6f3dbc7e3a3525ac85d01a6b0fd05b1095f0ee83cd0c0895b
                                            • Opcode Fuzzy Hash: 66c70106b11f875f12e948a588e9645b5f6bfb61fe69adafccc8b296f8bbef83
                                            • Instruction Fuzzy Hash: 01D0A9B0D002109BDB04BF96800236C72F4EF1031AF80885FF6402B283DBBC0A08C79C
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • FindClose.KERNELBASE(?,00000000,00441FA5), ref: 0042383D
                                            Similarity
                                            • API ID: CloseFind
                                            • String ID:
                                            • API String ID: 1863332320-0
                                            • Opcode ID: b61493307950c84b608308377377f83a7f5e9d1cd166965de3d354f56a6fadc7
                                            • Instruction ID: ae8555a7cb1c572486ceaff3455ae899c07b9457a7eadcf2c98346052d023e21
                                            • Opcode Fuzzy Hash: b61493307950c84b608308377377f83a7f5e9d1cd166965de3d354f56a6fadc7
                                            • Instruction Fuzzy Hash: ACC012312181228AC6242E3DBC0054276E86B41731364076EA0F0862F0D7248D828654
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • _doexit.LIBCMT ref: 00469F11
                                              • Part of subcall function 00469DD8: __lock.LIBCMT ref: 00469DE6
                                              • Part of subcall function 00469DD8: DecodePointer.KERNEL32(004D1430,0000001C,00469CED,00000008,00000001,00000000,?,00469C2E,000000FF,?,00463260,00000011,00000000,?,00464E54,0000000D), ref: 00469E25
                                              • Part of subcall function 00469DD8: DecodePointer.KERNEL32(?,00469C2E,000000FF,?,00463260,00000011,00000000,?,00464E54,0000000D), ref: 00469E36
                                              • Part of subcall function 00469DD8: EncodePointer.KERNEL32(00000000,?,00469C2E,000000FF,?,00463260,00000011,00000000,?,00464E54,0000000D), ref: 00469E4F
                                              • Part of subcall function 00469DD8: DecodePointer.KERNEL32(-00000004,?,00469C2E,000000FF,?,00463260,00000011,00000000,?,00464E54,0000000D), ref: 00469E5F
                                              • Part of subcall function 00469DD8: EncodePointer.KERNEL32(00000000,?,00469C2E,000000FF,?,00463260,00000011,00000000,?,00464E54,0000000D), ref: 00469E65
                                              • Part of subcall function 00469DD8: DecodePointer.KERNEL32(?,00469C2E,000000FF,?,00463260,00000011,00000000,?,00464E54,0000000D), ref: 00469E7B
                                              • Part of subcall function 00469DD8: DecodePointer.KERNEL32(?,00469C2E,000000FF,?,00463260,00000011,00000000,?,00464E54,0000000D), ref: 00469E86
                                              • Part of subcall function 00469DD8: __initterm.LIBCMT ref: 00469EAE
                                              • Part of subcall function 00469DD8: __initterm.LIBCMT ref: 00469EBF
                                            Similarity
                                            • API ID: Pointer$Decode$Encode__initterm$__lock_doexit
                                            • String ID:
                                            • API String ID: 3712619029-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • FindCloseChangeNotification.KERNELBASE(00000001,?,0045091E,00000001,00000000,?,?,0045083B,00000001,00000001), ref: 004509E7
                                            Similarity
                                            • API ID: ChangeCloseFindNotification
                                            • String ID:
                                            • API String ID: 2591292051-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetLastError.KERNEL32(?,?,00000000,?,00000000,00000000,?,00000000), ref: 00441ABD
                                              • Part of subcall function 0043AF40: __EH_prolog3_GS.LIBCMT ref: 0043AF4A
                                              • Part of subcall function 0043AF40: WriteFile.KERNELBASE(?,?,?,?,00000000,00000088,0048A746,?,00000000,004AFFB8,40000000,00000001,00000080,00000002,00000000,00000000), ref: 0043AF6E
                                              • Part of subcall function 0043AF40: __CxxThrowException@8.LIBCMT ref: 0043AFB3
                                            Similarity
                                            • API ID: ErrorException@8FileH_prolog3_LastThrowWrite
                                            • String ID:
                                            • API String ID: 1173477686-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetLastError.KERNEL32(?,?,00000000,?,00000000,00000000,?,00000000), ref: 00441ABD
                                              • Part of subcall function 004496EA: __EH_prolog3_GS.LIBCMT ref: 004496F4
                                              • Part of subcall function 004496EA: SetFileTime.KERNEL32(?,@/L,?,?,00000084,00441A50,?,?,?,00000000,?,00000000,00000000,?,00000000), ref: 0044970A
                                              • Part of subcall function 004496EA: __CxxThrowException@8.LIBCMT ref: 00449750
                                            Similarity
                                            • API ID: ErrorException@8FileH_prolog3_LastThrowTime
                                            • String ID:
                                            • API String ID: 771044839-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                              • Part of subcall function 004176D4: __EH_prolog3.LIBCMT ref: 004176DB
                                            • GetLastError.KERNEL32(?,?,00000000,?,00000000,00000000,?,00000000), ref: 00441ABD
                                              • Part of subcall function 00401B80: GetLastError.KERNEL32(?,00000000,00409F66,00000000,?,00000000,?,00000001,00000048,00409E02,004C2FA0,?,00000000,00000000,0000003C,00409181), ref: 00401B8F
                                              • Part of subcall function 00401B80: SysFreeString.OLEAUT32(00000000), ref: 00401BAB
                                              • Part of subcall function 00401B80: SysFreeString.OLEAUT32(0000002C), ref: 00401BB6
                                              • Part of subcall function 00401B80: SetLastError.KERNEL32(?), ref: 00401BD4
                                            Similarity
                                            • API ID: ErrorLast$FreeString$H_prolog3
                                            • String ID:
                                            • API String ID: 746121330-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                              • Part of subcall function 00403FB0: GetLastError.KERNEL32(2E932D87,?,?,?,?,?,004AC2D8,000000FF), ref: 00403FF3
                                              • Part of subcall function 00403FB0: SetLastError.KERNEL32(?,004C2D7C,00000000,?,?,?,?,?,004AC2D8,000000FF), ref: 00404068
                                              • Part of subcall function 00490850: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,00000002,?,?,0048A841,?,00000000,00000103), ref: 00490876
                                              • Part of subcall function 00490850: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,?,00000000,00000000,?,?), ref: 004908BE
                                            • GetPrivateProfileIntA.KERNEL32(?,BUTTONS,00000000,00000000), ref: 00490C3A
                                            • _memset.LIBCMT ref: 00490C6A
                                            • _memset.LIBCMT ref: 00490C7B
                                            • _memset.LIBCMT ref: 00490C95
                                            • _memset.LIBCMT ref: 00490CAF
                                            • _memset.LIBCMT ref: 00490CC9
                                            • GetSysColor.USER32(00000008), ref: 00490CD9
                                            • GetSysColor.USER32(00000011), ref: 00490CDD
                                            • GetLastError.KERNEL32 ref: 00490D15
                                            • SetLastError.KERNEL32(004C2FA8), ref: 00490D62
                                            • GetLastError.KERNEL32 ref: 00490D78
                                            • SetLastError.KERNEL32(004C2FA8), ref: 00490DBF
                                              • Part of subcall function 00401AC0: GetLastError.KERNEL32(?,?,0040E566), ref: 00401ACF
                                              • Part of subcall function 00401AC0: SysFreeString.OLEAUT32(?), ref: 00401AEB
                                              • Part of subcall function 00401AC0: SysFreeString.OLEAUT32(?), ref: 00401AF6
                                              • Part of subcall function 00401AC0: SetLastError.KERNEL32(?), ref: 00401B14
                                            • lstrcpyA.KERNEL32(00000000,00000000,?,00000000,00000000,ALL,00000003,004B1A74,00000000,00000001), ref: 00490FE3
                                            • lstrcpyA.KERNEL32(00000000,00000000,00000000), ref: 00491013
                                              • Part of subcall function 0045C169: _malloc.LIBCMT ref: 0045C181
                                            • lstrcpyA.KERNEL32(00000000,BUTTON,00000000), ref: 004910FB
                                            • __itow.LIBCMT ref: 0049110C
                                            • lstrcatA.KERNEL32(00000000,00000000), ref: 0049111C
                                            • GetLastError.KERNEL32 ref: 00491136
                                            • SetLastError.KERNEL32(004C3454,004C2D7C,004C2D7A), ref: 004911CA
                                            • GetPrivateProfileIntA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00491249
                                            • GetLastError.KERNEL32 ref: 00491266
                                            • SysFreeString.OLEAUT32(00000000), ref: 00491288
                                            • SysFreeString.OLEAUT32(?), ref: 00491299
                                              • Part of subcall function 00486570: GetLastError.KERNEL32(00000000,00492C07,?,?,?,?,?,?,?,?,?,2E932D87,?,000001A4,00000000), ref: 00486581
                                              • Part of subcall function 00486570: SetLastError.KERNEL32(53746547,?,?,?,?,?,?,?,?,?,2E932D87,?,000001A4,00000000), ref: 004865B1
                                              • Part of subcall function 00486570: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,2E932D87,?,000001A4,00000000), ref: 004865C5
                                              • Part of subcall function 00486570: SetLastError.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,2E932D87,?,000001A4,00000000), ref: 004865F5
                                            • SetLastError.KERNEL32(004C2F50), ref: 004912C8
                                            • lstrcpyA.KERNEL32(00000000,00000000), ref: 004912D9
                                            • lstrcatA.KERNEL32(00000000,004BCD28), ref: 004912E8
                                            • GetLastError.KERNEL32(?,00000104), ref: 0049131E
                                            • SetLastError.KERNEL32(004C3454,004C2D7C,004C2D7A), ref: 004913BA
                                            • GetPrivateProfileStringA.KERNEL32(00000000,00000000,004C2BD0,00000000,00000104,?), ref: 0049145A
                                            • GetLastError.KERNEL32 ref: 00491471
                                            • SysFreeString.OLEAUT32(00000000), ref: 00491493
                                            • SysFreeString.OLEAUT32(?), ref: 004914A4
                                            • SetLastError.KERNEL32(004C2F50), ref: 004914D3
                                            • GetLastError.KERNEL32(00000000,?,00000000), ref: 00491551
                                            • SysFreeString.OLEAUT32(00000000), ref: 0049156D
                                            • SysFreeString.OLEAUT32(?), ref: 0049157E
                                            • SetLastError.KERNEL32(004AE964), ref: 004915AD
                                            • lstrcpyA.KERNEL32(00000000,00000000), ref: 004915BE
                                            • lstrcatA.KERNEL32(00000000,DOWN), ref: 004915CD
                                            • GetLastError.KERNEL32(?,00000104), ref: 00491603
                                            • SetLastError.KERNEL32(004C3454,004C2D7C,004C2D7A), ref: 0049169A
                                            • GetPrivateProfileStringA.KERNEL32(00000000,00000000,004C2BD0,00000000,00000104,?), ref: 0049173A
                                            • GetLastError.KERNEL32 ref: 00491751
                                            • SysFreeString.OLEAUT32(00000000), ref: 00491773
                                            • SysFreeString.OLEAUT32(?), ref: 00491784
                                            • SetLastError.KERNEL32(004C2F50), ref: 004917B3
                                            • GetLastError.KERNEL32(00000000,?,00000000), ref: 0049182D
                                            • SysFreeString.OLEAUT32(00000000), ref: 00491849
                                            • SysFreeString.OLEAUT32(?), ref: 0049185A
                                            • SetLastError.KERNEL32(004AE964), ref: 0049188F
                                            • lstrcpyA.KERNEL32(00000000,00000000), ref: 004918A4
                                            • lstrcatA.KERNEL32(00000000,POS), ref: 004918B3
                                            • GetLastError.KERNEL32 ref: 004918CD
                                            • SetLastError.KERNEL32(004C3454,004C2D7C,004C2D7A), ref: 0049196A
                                            • GetPrivateProfileStringA.KERNEL32(00000000,00000000,004C2BD0,00000000,000003E8,00000000), ref: 004919F1
                                            • GetLastError.KERNEL32 ref: 00491A0C
                                            • SysFreeString.OLEAUT32(00000000), ref: 00491A2E
                                            • SysFreeString.OLEAUT32(?), ref: 00491A3F
                                            • SetLastError.KERNEL32(004C2F50), ref: 00491A6E
                                            • lstrcmpA.KERNEL32(00000000,004C2BD0), ref: 00491A92
                                            • lstrcpyA.KERNEL32(00000000,00000000), ref: 00491AD5
                                            • lstrcatA.KERNEL32(00000000,OPT), ref: 00491AE4
                                            • GetPrivateProfileStringA.KERNEL32(00000000,00000000,004C2BD0,00000000,000003E8,00000000), ref: 00491B9D
                                            • lstrcmpA.KERNEL32(00000000,004C2BD0), ref: 00491BBE
                                              • Part of subcall function 00485E90: GetLastError.KERNEL32(2E932D87,?,?,?,?,?,?,?,?,004AAF61,000000FF,?,00489C65,?,?,00000001), ref: 00485EE4
                                              • Part of subcall function 00485E90: SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,004AAF61,000000FF,?,00489C65,?,?,00000001), ref: 00485F1D
                                              • Part of subcall function 0048FE10: GetLastError.KERNEL32(004B16A4,00000001,00000001,?,?,753CE860,00000000,?,?,?,?,?,?,00000000,004AB660,000000FF), ref: 0048FF96
                                              • Part of subcall function 0048FE10: SysFreeString.OLEAUT32(004AB660), ref: 0048FFB2
                                              • Part of subcall function 0048FE10: SysFreeString.OLEAUT32(00000000), ref: 0048FFBD
                                              • Part of subcall function 0048FE10: SetLastError.KERNEL32(753CE860,?,?,?,753CE860,00000000), ref: 0048FFDD
                                            • lstrcpyA.KERNEL32(00000000,00000000,00000000,?,00000001), ref: 00491C0D
                                            • lstrcatA.KERNEL32(00000000,TRNSPRNTCLR,?,?,?,?,?,?,?,?,?,?,?,00000078), ref: 00491C1C
                                            • GetPrivateProfileStringA.KERNEL32(00000000,00000000,004C2BD0,00000000,000003E8,00000000), ref: 00491CD5
                                            • lstrcmpA.KERNEL32(00000000,004C2BD0,?,?,?,?,?,?,?,?,?,?,?,?,?,00000078), ref: 00491CF6
                                            • lstrcpyA.KERNEL32(00000000,00000000,00000000,?,00000001), ref: 00491D45
                                            • lstrcatA.KERNEL32(00000000,TXTCLR,?,?,?,?,?,?,?,?,?,?,?,0000006C), ref: 00491D54
                                            • GetPrivateProfileStringA.KERNEL32(00000000,00000000,004C2BD0,00000000,000003E8,00000000), ref: 00491E0D
                                            • lstrcmpA.KERNEL32(00000000,004C2BD0,?,?,?,?,?,?,?,?,?,?,?,?,?,0000006C), ref: 00491E2E
                                            • GetSysColor.USER32(00000008), ref: 00491E48
                                            • lstrcpyA.KERNEL32(00000000,00000000,00000000,?,00000001), ref: 00491E81
                                            • lstrcatA.KERNEL32(00000000,DISTXTCLR), ref: 00491E90
                                            • GetPrivateProfileStringA.KERNEL32(00000000,00000000,004C2BD0,00000000,000003E8,00000000), ref: 00491F49
                                            • lstrcmpA.KERNEL32(00000000,004C2BD0), ref: 00491F6A
                                            • GetSysColor.USER32(00000011), ref: 00491F84
                                              • Part of subcall function 00407F60: _memmove.LIBCMT ref: 00408015
                                            • wsprintfA.USER32 ref: 00491FC4
                                            • wsprintfA.USER32 ref: 0049211A
                                              • Part of subcall function 0045C169: std::exception::exception.LIBCMT ref: 0045C19D
                                              • Part of subcall function 0045C169: __CxxThrowException@8.LIBCMT ref: 0045C1B2
                                              • Part of subcall function 004862F0: _memset.LIBCMT ref: 00486301
                                              • Part of subcall function 004862F0: _memset.LIBCMT ref: 00486315
                                            Similarity
                                            • API ID: ErrorLast$String$Free$lstrcpy$PrivateProfile$lstrcat$_memset$lstrcmp$Color$ByteCharMultiWidewsprintf$Exception@8Throw__itow_malloc_memmovestd::exception::exception
                                            • String ID: ALL$BUTTON$BUTTONS$DISTXTCLR$DOWN$OPT$P/L$POS$T4L$TRNSPRNTCLR$TXTCLR$lJ$x/L$x/L$|-L$|-L$|-L$|-L$|-L$|-L
                                            • API String ID: 1098502464-2208858857
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetLastError.KERNEL32 ref: 0048A3A8
                                            • SetLastError.KERNEL32(lJ), ref: 0048A3F3
                                            • _memset.LIBCMT ref: 0048A43F
                                            • lstrcpyA.KERNEL32(?,NO DOUBT), ref: 0048A453
                                            • _memset.LIBCMT ref: 0048A46F
                                            • lstrcpyW.KERNEL32(?,?), ref: 0048A47F
                                            • lstrlenA.KERNEL32 ref: 0048A4B9
                                            • _memset.LIBCMT ref: 0048A4F5
                                            • lstrcpyA.KERNEL32(?,?,?,00000000,00000103,?,?,?,00000000,?), ref: 0048A511
                                            • lstrlenA.KERNEL32(?,?,?,?,00000000,?), ref: 0048A51E
                                            • lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,00000000,?), ref: 0048A53B
                                            • _memmove.LIBCMT ref: 0048A55C
                                            • lstrcmpiA.KERNEL32(?,skin.ini), ref: 0048A57E
                                            • GetLastError.KERNEL32 ref: 0048A686
                                            • SetLastError.KERNEL32(004AFFC0,?,00000000,000000FF), ref: 0048A6F6
                                              • Part of subcall function 00424632: __EH_prolog3.LIBCMT ref: 00424639
                                              • Part of subcall function 00401B80: GetLastError.KERNEL32(?,00000000,00409F66,00000000,?,00000000,?,00000001,00000048,00409E02,004C2FA0,?,00000000,00000000,0000003C,00409181), ref: 00401B8F
                                              • Part of subcall function 00401B80: SysFreeString.OLEAUT32(00000000), ref: 00401BAB
                                              • Part of subcall function 00401B80: SysFreeString.OLEAUT32(0000002C), ref: 00401BB6
                                              • Part of subcall function 00401B80: SetLastError.KERNEL32(?), ref: 00401BD4
                                              • Part of subcall function 0043AF40: __EH_prolog3_GS.LIBCMT ref: 0043AF4A
                                              • Part of subcall function 0043AF40: WriteFile.KERNELBASE(?,?,?,?,00000000,00000088,0048A746,?,00000000,004AFFB8,40000000,00000001,00000080,00000002,00000000,00000000), ref: 0043AF6E
                                              • Part of subcall function 0043AF40: __CxxThrowException@8.LIBCMT ref: 0043AFB3
                                            • _memmove.LIBCMT ref: 0048A7CA
                                            • GetPrivateProfileIntA.KERNEL32(SKINS,VERSION,00000001,00000000), ref: 0048A84E
                                            • _memset.LIBCMT ref: 0048A8A7
                                            • lstrcpyA.KERNEL32(?,TEXTCOLOR,00000063,ALL,00000003,?,?,?,?,?,?,?,00000000,?), ref: 0048A8BB
                                            • GetPrivateProfileStringA.KERNEL32(ALL,?,004C2BD0,?,00000064,00000000), ref: 0048A8E4
                                            • GetSysColor.USER32(00000008), ref: 0048A8F2
                                              • Part of subcall function 00403FB0: GetLastError.KERNEL32(2E932D87,?,?,?,?,?,004AC2D8,000000FF), ref: 00403FF3
                                              • Part of subcall function 00403FB0: SetLastError.KERNEL32(?,004C2D7C,00000000,?,?,?,?,?,004AC2D8,000000FF), ref: 00404068
                                              • Part of subcall function 00401AC0: GetLastError.KERNEL32(?,?,0040E566), ref: 00401ACF
                                              • Part of subcall function 00401AC0: SysFreeString.OLEAUT32(?), ref: 00401AEB
                                              • Part of subcall function 00401AC0: SysFreeString.OLEAUT32(?), ref: 00401AF6
                                              • Part of subcall function 00401AC0: SetLastError.KERNEL32(?), ref: 00401B14
                                            • _memset.LIBCMT ref: 0048A9BA
                                            • _memset.LIBCMT ref: 0048A9CB
                                              • Part of subcall function 00490850: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,00000002,?,?,0048A841,?,00000000,00000103), ref: 00490876
                                              • Part of subcall function 00490850: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,?,00000000,00000000,?,?), ref: 004908BE
                                            • GetPrivateProfileSectionNamesA.KERNEL32(?,00000C00,00000000), ref: 0048A9E8
                                            • lstrcpyA.KERNEL32(00000000,?), ref: 0048AA08
                                            • lstrlenA.KERNEL32(?), ref: 0048AA0B
                                              • Part of subcall function 00485E90: GetLastError.KERNEL32(2E932D87,?,?,?,?,?,?,?,?,004AAF61,000000FF,?,00489C65,?,?,00000001), ref: 00485EE4
                                              • Part of subcall function 00485E90: SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,004AAF61,000000FF,?,00489C65,?,?,00000001), ref: 00485F1D
                                            • lstrcpyA.KERNEL32 ref: 0048AAE6
                                            • GetPrivateProfileStringA.KERNEL32(00000000,00000000,004C2BD0,00000000,00000064,00000000), ref: 0048AB0A
                                            • GetSysColor.USER32(00000008), ref: 0048AB18
                                            • GetLastError.KERNEL32(ALL-,00000000,00000004,00000000,?,00000001), ref: 0048ACD8
                                            • SysFreeString.OLEAUT32(?), ref: 0048ACFA
                                            • SysFreeString.OLEAUT32(?), ref: 0048AD0B
                                            • SetLastError.KERNEL32(?), ref: 0048AD3A
                                              • Part of subcall function 004043D0: GetLastError.KERNEL32(2E932D87,74DEDFA0,?,74DEE010,?,?,?,?,?,?,004AC3A0,000000FF,?,00403D9D,?,?), ref: 00404421
                                              • Part of subcall function 004043D0: SetLastError.KERNEL32(?,?,?,?,?,?,?,004AC3A0,000000FF,?,00403D9D,?,?), ref: 00404451
                                              • Part of subcall function 004043D0: GetLastError.KERNEL32(00000000,00000000,00000000,?,00000001,?,?,?,?,?,?,004AC3A0,000000FF,?,00403D9D,?), ref: 004044A1
                                              • Part of subcall function 004043D0: SysFreeString.OLEAUT32(?), ref: 004044BD
                                              • Part of subcall function 004043D0: SysFreeString.OLEAUT32(?), ref: 004044C8
                                              • Part of subcall function 004043D0: SetLastError.KERNEL32(?), ref: 004044E8
                                            • lstrcpyA.KERNEL32(00000000,?), ref: 0048AD5E
                                            • lstrlenA.KERNEL32(?), ref: 0048AD65
                                            • lstrcmpA.KERNEL32(SKINS,00000000,ALL,00000000,00000003,00000000,?,00000001), ref: 0048ADB0
                                            • lstrcpyA.KERNEL32 ref: 0048AE56
                                            • GetPrivateProfileStringA.KERNEL32(00000000,00000000,004C2BD0,00000000,00000064,00000000), ref: 0048AE7E
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2441700723.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441790678.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441825034.00000000004D7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.00000000004DC000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000509000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000519000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: ErrorLast$String$Freelstrcpy$_memset$PrivateProfilelstrlen$ByteCharColorMultiWide_memmove$Exception@8FileH_prolog3H_prolog3_NamesSectionThrowWritelstrcmplstrcmpi
                                            • String ID: ALL$ALL$ALL-$GetThemeAppProperties$NO DOUBT$SKINS$TEXTCOLOR$VERSION$dK$dJ$dJ$dJ$dJ$lJ$lJ$lJ$lJ$skin.ini
                                            • API String ID: 2276469943-1455993456
                                            • Opcode ID: f30d91533adbab82596d1eb394883459c51917d6ac21126a442b627c82a4cf55
                                            • Instruction ID: 79012e49ed486ce22d0537f09b4fbe6ad00e0975ff4e1d2c00a5e82a599fa431
                                            • Opcode Fuzzy Hash: f30d91533adbab82596d1eb394883459c51917d6ac21126a442b627c82a4cf55
                                            • Instruction Fuzzy Hash: EC829871900258EEEB10EBA1DD45BDEB7B8AF15304F0040EBE549E7181DBB86B98CF65
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0049DF50
                                            • __whiteout.LIBCMT ref: 0049DFBF
                                              • Part of subcall function 0045D506: __getptd_noexit.LIBCMT ref: 0045D506
                                            Similarity
                                            • API ID: Locale$UpdateUpdate::___getptd_noexit__whiteout
                                            • String ID:
                                            • API String ID: 4052982633-0
                                            • Opcode ID: a14992832d4c41711310f10542e10f0b6cb14402c983ec2b552a6598a4c39450
                                            • Instruction ID: a3e14714cc9df98a0816df650cad5d880d5d2ed2129245b8a3308b3300a5d14b
                                            • Opcode Fuzzy Hash: a14992832d4c41711310f10542e10f0b6cb14402c983ec2b552a6598a4c39450
                                            • Instruction Fuzzy Hash: E7B29E71D012698BDF35DB16CC88BAEBBB5AB14310F5441FBE449A7291DA389EC1CF48
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0049CAF5
                                            • __whiteout.LIBCMT ref: 0049CB60
                                              • Part of subcall function 0045D506: __getptd_noexit.LIBCMT ref: 0045D506
                                            Similarity
                                            • API ID: Locale$UpdateUpdate::___getptd_noexit__whiteout
                                            • String ID:
                                            • API String ID: 4052982633-0
                                            • Opcode ID: 4ae8c31ef9adc148e74008aa2df9d659f8bcc0f180d1acb9f72c2e61c9f1cd83
                                            • Instruction ID: acd30b8ab0848bff3661401df2af51d9eb98b2ff4f73cbc454c4f0973d2d5f84
                                            • Opcode Fuzzy Hash: 4ae8c31ef9adc148e74008aa2df9d659f8bcc0f180d1acb9f72c2e61c9f1cd83
                                            • Instruction Fuzzy Hash: 5EB29C71D052698BDF359B14CC98BBEBBB4AB44310F2441FBE449A7291DA389EC1CF48
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0046862A
                                              • Part of subcall function 0045D506: __getptd_noexit.LIBCMT ref: 0045D506
                                            • _memset.LIBCMT ref: 004687D4
                                            Strings
                                            Similarity
                                            • API ID: Locale$UpdateUpdate::___getptd_noexit_memset
                                            • String ID: X
                                            • API String ID: 2502719891-3081909835
                                            • Opcode ID: 06469d0f745e7e1af953ad50afcf297e59d042d0d5e6141ce931f08a4ab8aecb
                                            • Instruction ID: 4b2ee9128e37929f719b3c37fa5a85234011a7bc61eaa186f30933d59cbc89c6
                                            • Opcode Fuzzy Hash: 06469d0f745e7e1af953ad50afcf297e59d042d0d5e6141ce931f08a4ab8aecb
                                            • Instruction Fuzzy Hash: AAB26071B003298ADB24CF14CC447AAB3B5BB56315F1446EBD409E7691EBB99E81CF0B
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 004443EF
                                            • GetModuleHandleW.KERNEL32(Kernel32.dll,LCIDToLocaleName), ref: 00444408
                                            • GetProcAddress.KERNEL32(00000000), ref: 0044440F
                                            • LoadLibraryW.KERNEL32(-00000004,mlang.dll,?,00000000), ref: 004444DF
                                            • GetProcAddress.KERNEL32(00000000,LcidToRfc1766W), ref: 0044450E
                                              • Part of subcall function 00404200: GetLastError.KERNEL32 ref: 0040421F
                                              • Part of subcall function 00404200: SetLastError.KERNEL32(?), ref: 0040424F
                                              • Part of subcall function 0040A0F0: SysStringLen.OLEAUT32(?), ref: 0040A0FD
                                              • Part of subcall function 0040A0F0: SysReAllocStringLen.OLEAUT32(?,00000001,?), ref: 0040A117
                                              • Part of subcall function 00409574: __EH_prolog3_GS.LIBCMT ref: 0040957B
                                              • Part of subcall function 00409574: GetLastError.KERNEL32(00000038,0040DDFB,004492A1,?,004AFFA0), ref: 00409582
                                              • Part of subcall function 00409574: SetLastError.KERNEL32(00000000), ref: 004095D6
                                              • Part of subcall function 00408E82: __EH_prolog3.LIBCMT ref: 00408E89
                                              • Part of subcall function 00408E82: GetLastError.KERNEL32(00000004,00409E1B,004C2FA0,00000000,0043A706,?,?,00000001), ref: 00408EAB
                                              • Part of subcall function 00408E82: SetLastError.KERNEL32(?,00000000), ref: 00408EE3
                                              • Part of subcall function 00401B80: GetLastError.KERNEL32(?,00000000,00409F66,00000000,?,00000000,?,00000001,00000048,00409E02,004C2FA0,?,00000000,00000000,0000003C,00409181), ref: 00401B8F
                                              • Part of subcall function 00401B80: SysFreeString.OLEAUT32(00000000), ref: 00401BAB
                                              • Part of subcall function 00401B80: SysFreeString.OLEAUT32(0000002C), ref: 00401BB6
                                              • Part of subcall function 00401B80: SetLastError.KERNEL32(?), ref: 00401BD4
                                            Strings
                                            Similarity
                                            • API ID: ErrorLast$String$AddressFreeH_prolog3_Proc$AllocH_prolog3HandleLibraryLoadModule
                                            • String ID: @/L$@/L$@/L$@/L$@/L$Kernel32.dll$LCIDToLocaleName$LcidToRfc1766W$mlang.dll
                                            • API String ID: 1118478212-902657132
                                            • Opcode ID: 37c4925e79a14bea5b8c350c83a48e4d3755ffceb1cd4debd85c3010431dfc39
                                            • Instruction ID: fb490cd4c4185951d43f97ecbd8599a8fae49d0cfa27e50f6b17a355b2b286b9
                                            • Opcode Fuzzy Hash: 37c4925e79a14bea5b8c350c83a48e4d3755ffceb1cd4debd85c3010431dfc39
                                            • Instruction Fuzzy Hash: 35713F70900318EEEB10EF91CC55BDDBB78BF15704F1440AEE509B7292DBB85A45CB6A
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 0045533A
                                            • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0045536E
                                            • ReadFile.KERNEL32(00000000,?,00000018,?,00000000), ref: 00455399
                                            • CryptCreateHash.ADVAPI32(?,00008004,00000000,00000000,?), ref: 004553D6
                                            • ReadFile.KERNEL32(?,00000000,?,?,00000000,?,00008004,00000000,00000000,?), ref: 004553EC
                                            • CryptHashData.ADVAPI32(?,00000000,?,00000000,?,00008004,00000000,00000000,?), ref: 004553FE
                                            • GetLastError.KERNEL32(?,00008004,00000000,00000000,?), ref: 00455408
                                            • CryptHashData.ADVAPI32(?,00000000,?,00000000,?,?,00000001,?,00008004,00000000,00000000,?), ref: 00455439
                                            • GetLastError.KERNEL32(?,00008004,00000000,00000000,?), ref: 00455443
                                            • CryptDeriveKey.ADVAPI32(?,00006801,?,00000000,?,?,00008004,00000000,00000000,?), ref: 00455463
                                            • GetLastError.KERNEL32(?,00008004,00000000,00000000,?), ref: 0045546D
                                            • ReadFile.KERNEL32(?,00000000,?,?,00000000), ref: 004554C1
                                            • CryptImportKey.ADVAPI32(?,00000000,?,?,00000010,00000001), ref: 004554E1
                                            • GetLastError.KERNEL32(?,00000000,?,?,00000010,00000001), ref: 004554EB
                                              • Part of subcall function 0045C169: _malloc.LIBCMT ref: 0045C181
                                            • GetLastError.KERNEL32 ref: 00455501
                                            Similarity
                                            • API ID: CryptErrorLast$File$HashRead$CreateData$DeriveH_prolog3_Import_malloc
                                            • String ID:
                                            • API String ID: 1372746476-0
                                            • Opcode ID: e2cedc7d3b94d21c563ffec7656afb3641c542741b65c800283172085fec9f9a
                                            • Instruction ID: 7b9a2a811e8abfb9575a15a0fa225ae37e23c5c53042507687d6b7065a6ff11c
                                            • Opcode Fuzzy Hash: e2cedc7d3b94d21c563ffec7656afb3641c542741b65c800283172085fec9f9a
                                            • Instruction Fuzzy Hash: BF518C71800119EFEB119FE2CC45AEEBF78EF05305F10412AF915A72A2DB34595ADB68
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 004546E7
                                            • CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000,0000071C), ref: 00454719
                                            • GetLastError.KERNEL32 ref: 00454723
                                            • CryptCreateHash.ADVAPI32(?,00008004,00000000,00000000,?), ref: 0045474E
                                            • GetLastError.KERNEL32 ref: 00454758
                                            Strings
                                            Similarity
                                            • API ID: CryptErrorLast$AcquireContextCreateH_prolog3_Hash
                                            • String ID: ISc(
                                            • API String ID: 4253850778-3536308444
                                            • Opcode ID: 2e911d3c92075c91b0cc4bc29cbbb563ffa6db0d63dce9b1f27a8023ffae6122
                                            • Instruction ID: 27db447b22cf1e47d342e2cd0d2220ae0c24cdb8ed7c3291c8ebcc0736985e66
                                            • Opcode Fuzzy Hash: 2e911d3c92075c91b0cc4bc29cbbb563ffa6db0d63dce9b1f27a8023ffae6122
                                            • Instruction Fuzzy Hash: A0917470904118DBDB21DB65CC85BDE7778EF44349F0041DAEA09AB282DB786EC9CF69
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 00451BD1
                                              • Part of subcall function 00450E91: __EH_prolog3_GS.LIBCMT ref: 00450E9B
                                              • Part of subcall function 00450E91: GetFileAttributesW.KERNEL32(00000000,00000084,00451BE3,?,000002E0,0048B00C,?,00000001), ref: 00450EAF
                                              • Part of subcall function 00450E91: __CxxThrowException@8.LIBCMT ref: 00450EF4
                                            • FindFirstFileW.KERNEL32(-00000004,?,0048B00C,?,00000001), ref: 00451C17
                                            • lstrcmpW.KERNEL32(?,004AECA0), ref: 00451C4E
                                            • lstrcmpW.KERNEL32(?,004B60E8), ref: 00451C64
                                            • FindNextFileW.KERNEL32(00000000,?), ref: 00451CCA
                                            • RemoveDirectoryW.KERNEL32(?), ref: 00451CF2
                                            • __CxxThrowException@8.LIBCMT ref: 00451D38
                                            • DeleteFileW.KERNEL32(?,000002E0,0048B00C,?,00000001), ref: 00451D49
                                              • Part of subcall function 00450C01: __EH_prolog3_GS.LIBCMT ref: 00450C08
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2441700723.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441790678.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441825034.00000000004D7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.00000000004DC000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000509000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000519000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: File$H_prolog3_$Exception@8FindThrowlstrcmp$AttributesDeleteDirectoryFirstNextRemove
                                            • String ID: *.*$dJ$lJ
                                            • API String ID: 1087441661-4156733564
                                            • Opcode ID: b7a714ad0654a0f4d69247b75817ae409cd263cef7e93b75a51ad9a0b0e00388
                                            • Instruction ID: 143d3da405b5dbad7b1d6632039a36703aa4dcd64b6036911f87ea3ed7e8dd09
                                            • Opcode Fuzzy Hash: b7a714ad0654a0f4d69247b75817ae409cd263cef7e93b75a51ad9a0b0e00388
                                            • Instruction Fuzzy Hash: 48418271900248EECB00EFA1CC89BDE77BCAF15309F40416AF915A3152EB789B4DCB69
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 004542C9
                                              • Part of subcall function 0045395F: __EH_prolog3_GS.LIBCMT ref: 00453966
                                              • Part of subcall function 004545AC: __EH_prolog3_GS.LIBCMT ref: 004545B6
                                              • Part of subcall function 004545AC: GetLastError.KERNEL32 ref: 0045460F
                                            • GetLastError.KERNEL32 ref: 0045433A
                                            • CryptCreateHash.ADVAPI32(?,00008004,00000000,00000000,?), ref: 0045438C
                                            • GetLastError.KERNEL32 ref: 00454396
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2441700723.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441790678.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441825034.00000000004D7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.00000000004DC000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000509000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000519000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: ErrorH_prolog3_Last$CreateCryptHash
                                            • String ID:
                                            • API String ID: 2420322064-0
                                            • Opcode ID: 679e2d0ad49bba8d3cc6f10e81d32c2aaa353309df2d48e857586953ad476365
                                            • Instruction ID: 33f30238f05662e3a32777ba37e20be3ced18808b6e6381ff4dd07b928e6ac16
                                            • Opcode Fuzzy Hash: 679e2d0ad49bba8d3cc6f10e81d32c2aaa353309df2d48e857586953ad476365
                                            • Instruction Fuzzy Hash: D981A571900128AFDB249B51CC45FDEB779AF84309F0141DAFA09A7242DF75AE98CF68
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetFileSize.KERNEL32(?,00000000,?,?,?,?,?,?,004303A9,000000FF,?,?,000000FF,?), ref: 0043023F
                                            • GetProcessHeap.KERNEL32(00000008,00000001,?,?,?,?,?,?,004303A9,000000FF,?,?,000000FF,?), ref: 00430260
                                            • HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,004303A9,000000FF,?,?,000000FF,?), ref: 00430267
                                            • ReadFile.KERNEL32(?,00000000,00000000,00000000,00000000,?,?,?,?,?,?,004303A9,000000FF,?,?,000000FF), ref: 00430285
                                            • _strlen.LIBCMT ref: 00430294
                                            • GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,004303A9,000000FF,?,?,000000FF,?), ref: 004302C9
                                            • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,004303A9,000000FF,?,?,000000FF,?), ref: 004302D0
                                            • GetProcessHeap.KERNEL32(00000008,00000003,?,?,?,?,?,?,004303A9,000000FF,?,?,000000FF,?), ref: 004302E0
                                            • HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,004303A9,000000FF,?,?,000000FF,?), ref: 004302E7
                                            • ReadFile.KERNEL32(?,00000000,00000000,00000000,00000000,?,?,?,?,?,?,004303A9,000000FF,?,?,000000FF), ref: 00430301
                                            • GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,?,?,004303A9,000000FF,?,?,000000FF,?), ref: 0043031F
                                            • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,004303A9,000000FF,?,?,000000FF,?), ref: 00430326
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2441700723.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441790678.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441825034.00000000004D7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.00000000004DC000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000509000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000519000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: Heap$Process$File$AllocFreeRead$Size_strlen
                                            • String ID:
                                            • API String ID: 3537955524-0
                                            • Opcode ID: 8525024322926dda2b8c73ce46ddf0f5c2a4bfa67a9af4508137702a1035c735
                                            • Instruction ID: d969d208ad07ff395abe69dae3ca2b342e6068e6d281f30907df666d4f1ca5ed
                                            • Opcode Fuzzy Hash: 8525024322926dda2b8c73ce46ddf0f5c2a4bfa67a9af4508137702a1035c735
                                            • Instruction Fuzzy Hash: 7B31D432600214BBDB109BA6DC4DFAB7FACEF4E711F000266FA15C7190DB749904CBA9
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 00446191
                                              • Part of subcall function 0041525D: __EH_prolog3_GS.LIBCMT ref: 00415264
                                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 004461F4
                                            • GetLastError.KERNEL32(0000003B,00000000,?,00000001,00000284), ref: 0044620A
                                            • Process32FirstW.KERNEL32 ref: 00446229
                                            • Process32NextW.KERNEL32(00000000,?), ref: 004462A5
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2441700723.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441790678.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441825034.00000000004D7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.00000000004DC000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000509000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000519000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: H_prolog3_Process32$CreateErrorFirstLastNextSnapshotToolhelp32
                                            • String ID: @/L
                                            • API String ID: 3102987474-3803013380
                                            • Opcode ID: 8b321bc83049cdccbccfc38694c27a24e3f8fade2d8680e1ccb61ce418d63844
                                            • Instruction ID: 1051442936c2f9e768134ec6fec72a2a3bd5fac9e71656c3d22c2f1aefdc5c6d
                                            • Opcode Fuzzy Hash: 8b321bc83049cdccbccfc38694c27a24e3f8fade2d8680e1ccb61ce418d63844
                                            • Instruction Fuzzy Hash: 4D416D71C05129AAEF20EB66CC49BEEBBB8AF55304F1041EFE408A2191DFB45E84CF55
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3_catch_GS.LIBCMT ref: 00420153
                                            • LoadLibraryExW.KERNEL32(?,00000000,00000060,00000424,00420A3B,?,00000000,?,00000000,00000004,00422F16,004AFD3C,?,?,REGISTRY,004AFD3C), ref: 00420192
                                            • LoadLibraryExW.KERNEL32(?,00000000,00000002), ref: 004201A8
                                            • FindResourceW.KERNEL32(00000000,?,?), ref: 004201D3
                                            • LoadResource.KERNEL32(00000000,00000000), ref: 004201EB
                                            • SizeofResource.KERNEL32(00000000,00000000), ref: 004201FD
                                              • Part of subcall function 0041886B: GetLastError.KERNEL32(00422C2D), ref: 0041886B
                                            • FreeLibrary.KERNEL32(00000000), ref: 00420297
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2441700723.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441790678.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441825034.00000000004D7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.00000000004DC000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000509000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000519000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: LibraryLoadResource$ErrorFindFreeH_prolog3_catch_LastSizeof
                                            • String ID:
                                            • API String ID: 1818814483-0
                                            • Opcode ID: 5c40c895b842d40c583e07fe4555a5f175d465904de97858630341c00a426d0b
                                            • Instruction ID: dcd30aa2ccdba2c5da9b84cebe88835904bb6204f87880d06d77132595859cd1
                                            • Opcode Fuzzy Hash: 5c40c895b842d40c583e07fe4555a5f175d465904de97858630341c00a426d0b
                                            • Instruction Fuzzy Hash: B64151B1A0022D9BCB219F559C44BDE7AF5AF09354F9040EEF508A3252DB358E81CF6D
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00455DE4
                                              • Part of subcall function 0045C169: _malloc.LIBCMT ref: 0045C181
                                            • CryptSignHashW.ADVAPI32(?,00000002,00000000,00000000,00000000,?), ref: 00455DFA
                                            • GetLastError.KERNEL32 ref: 00455E04
                                            • CryptSignHashW.ADVAPI32(?,00000002,00000000,00000000,?,?), ref: 00455E47
                                            • WriteFile.KERNEL32(?,?,00000004,?,00000000), ref: 00455E63
                                            • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00455E73
                                            • SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00455EA7
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2441700723.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441790678.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441825034.00000000004D7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.00000000004DC000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000509000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000519000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: File$CryptHashPointerSignWrite$ErrorLast_malloc
                                            • String ID:
                                            • API String ID: 1271059220-0
                                            • Opcode ID: c530eee5c92f536864e7fe9929134b36f1dc97ec25f5b6c5271cb4df65434cc7
                                            • Instruction ID: 28c5d0445e811f71bfbf1d5993522376da190f2c4232c2fe774f0be825dfd1f5
                                            • Opcode Fuzzy Hash: c530eee5c92f536864e7fe9929134b36f1dc97ec25f5b6c5271cb4df65434cc7
                                            • Instruction Fuzzy Hash: 5331E132240616BFEF114F61DC46FA77FA9FF00711F004026FE00AA5A1C7B2A964DB94
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • _wcscmp.LIBCMT ref: 0046E8DE
                                            • _wcscmp.LIBCMT ref: 0046E8EF
                                            • GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002,?,?,0046EB8D,?,00000000), ref: 0046E90B
                                            • GetLocaleInfoW.KERNEL32(?,20001004,?,00000002,?,?,0046EB8D,?,00000000), ref: 0046E935
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2441700723.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441790678.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441825034.00000000004D7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.00000000004DC000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000509000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000519000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: InfoLocale_wcscmp
                                            • String ID: ACP$OCP
                                            • API String ID: 1351282208-711371036
                                            • Opcode ID: 3390c0fb2b6f6f8687ab493929d8735c3e3afb1e9609bf79bea86108939da677
                                            • Instruction ID: 2a2383a469fdf8a10c53846b21bbfe88573d6af3713b7a1a3722d3b4a4f31c9e
                                            • Opcode Fuzzy Hash: 3390c0fb2b6f6f8687ab493929d8735c3e3afb1e9609bf79bea86108939da677
                                            • Instruction Fuzzy Hash: E401D236200205AEEB609E1BDC45FEA37DCAF05765B008027FA04DA291F728EA4587DE
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                              • Part of subcall function 00455A6D: CryptAcquireContextW.ADVAPI32(?,?,00000000,00000001,00000010,?,?,?,?,0045566C,00000000), ref: 00455A88
                                              • Part of subcall function 00455A6D: CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,0045566C,00000000), ref: 00455A91
                                              • Part of subcall function 00455A6D: CryptDestroyHash.ADVAPI32(?,?,00000000,?,?,?,0045566C,00000000), ref: 00455A9A
                                            • CoCreateGuid.OLE32(?,00000000), ref: 00455670
                                            • StringFromGUID2.OLE32(?,?,00000028), ref: 00455680
                                            • _wcsncpy.LIBCMT ref: 00455690
                                            • CryptAcquireContextW.ADVAPI32(?,?,?,00000001,00000008), ref: 0045569F
                                            • CryptCreateHash.ADVAPI32(?,?,00000000,00000000,?,?,?,?,00000001,00000008), ref: 004556B5
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2441700723.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441790678.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441825034.00000000004D7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.00000000004DC000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000509000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000519000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: Crypt$Context$AcquireCreateHash$DestroyFromGuidReleaseString_wcsncpy
                                            • String ID:
                                            • API String ID: 396328816-0
                                            • Opcode ID: 2265288f131747b7349a2cbe0a2d1fb9926499350dc997a78105b36db74e1acb
                                            • Instruction ID: 7739b7cb654ae7079a22b9405ed4236f99ab491bf0d2af22a6cbab156e3c7506
                                            • Opcode Fuzzy Hash: 2265288f131747b7349a2cbe0a2d1fb9926499350dc997a78105b36db74e1acb
                                            • Instruction Fuzzy Hash: 11015E72600218BBDB00DFE1DC89F9B7BBCEB09705F104466FA019A181DAB4EA08CB65
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 0041CAEE
                                            • GetPrivateProfileIntW.KERNEL32(Startup,AllUsers,00000000,-00000004), ref: 0041CB30
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2441700723.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441790678.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441825034.00000000004D7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.00000000004DC000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000509000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000519000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: H_prolog3_PrivateProfile
                                            • String ID: AllUsers$Startup
                                            • API String ID: 477331544-1531790124
                                            • Opcode ID: 15c9069964983c92b044df91cb72890182536ad4b849ba4e9695917b6c3142d3
                                            • Instruction ID: e22680aeceeda87f44c82e58a12d05d65c08435aef8c1e6c3b34f179fcf946c7
                                            • Opcode Fuzzy Hash: 15c9069964983c92b044df91cb72890182536ad4b849ba4e9695917b6c3142d3
                                            • Instruction Fuzzy Hash: 7901B1B0B402009FDB14EF65D89979DBBE4EF45309F44006EE445D7292CB38ED49CB88
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                              • Part of subcall function 00464D84: __getptd_noexit.LIBCMT ref: 00464D85
                                            • GetLocaleInfoW.KERNEL32(00000000,?,?,000000F0), ref: 0046E605
                                            • GetLocaleInfoW.KERNEL32(00000000,?,?,000000F0), ref: 0046E652
                                            • GetLocaleInfoW.KERNEL32(00000000,?,?,000000F0), ref: 0046E702
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2441700723.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441790678.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441825034.00000000004D7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.00000000004DC000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000509000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000519000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: InfoLocale$__getptd_noexit
                                            • String ID:
                                            • API String ID: 1862418609-0
                                            • Opcode ID: 250c7e0f169319473d2ab52f48354382f08f58874d9e7da598718d2f2a084208
                                            • Instruction ID: 84d2ae87c26c69b423e8ef456a5c678aca90cf99854d1c4513fa7dadb5d5393e
                                            • Opcode Fuzzy Hash: 250c7e0f169319473d2ab52f48354382f08f58874d9e7da598718d2f2a084208
                                            • Instruction Fuzzy Hash: 36518A75500216AFEF289F26C882B6B77E8EF11315F10417BE800CA292F7B8D955DB5A
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • FindFirstFileW.KERNEL32(?,?), ref: 0042C9A3
                                            • GetFileAttributesW.KERNEL32(?), ref: 0042C9DA
                                            • SetFileAttributesW.KERNEL32(?,00000000), ref: 0042C9E5
                                            • DeleteFileW.KERNEL32(?), ref: 0042C9F4
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2441700723.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441790678.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441825034.00000000004D7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.00000000004DC000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000509000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000519000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: File$Attributes$DeleteFindFirst
                                            • String ID:
                                            • API String ID: 2297122337-0
                                            • Opcode ID: 8bb42c000784f76d68038a9efd1e5df228410e67c8050de428b4ce5ea6037d64
                                            • Instruction ID: b0eac9454e78ba0cc43f222def109c854297570c411374b70cd897779411f04e
                                            • Opcode Fuzzy Hash: 8bb42c000784f76d68038a9efd1e5df228410e67c8050de428b4ce5ea6037d64
                                            • Instruction Fuzzy Hash: 40110671600664DBC720EF18EC8C55DB7B4EF46316B50066EE052A71A0CB789ECACB5C
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetLocaleInfoW.KERNEL32(?,00001004,?,00000014), ref: 004125E1
                                            • TranslateCharsetInfo.GDI32(00000000,?,00000002), ref: 004125FC
                                            • IsValidLocale.KERNEL32(?,00000001), ref: 0041262A
                                            Similarity
                                            • API ID: InfoLocale$CharsetTranslateValid
                                            • String ID:
                                            • API String ID: 1865635962-0
                                            • Opcode ID: fdad4521af90eed553c557b12d549d6fd565ed28d828521a4f028f7a35e841a9
                                            • Instruction ID: 734faa13da326b0d3bf3c840113cfb97524dd83f0da8d1589cdf40ad58ad38cc
                                            • Opcode Fuzzy Hash: fdad4521af90eed553c557b12d549d6fd565ed28d828521a4f028f7a35e841a9
                                            • Instruction Fuzzy Hash: CE11A534A00104AADB14DF65D945AFA77B8AF18700B10442AFA01E72D1EBB5EC91C76C
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • CryptGetHashParam.ADVAPI32(?,00000004,?,?,00000000), ref: 0045507B
                                            • GetLastError.KERNEL32 ref: 00455085
                                            • CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000), ref: 004550B1
                                            Similarity
                                            • API ID: CryptHashParam$ErrorLast
                                            • String ID:
                                            • API String ID: 1884520423-0
                                            • Opcode ID: c193fc93756d2847739b82c0c75ae9b82191190ddc07a669d83e2fc80bdfa83d
                                            • Instruction ID: cfd196a1478a03f14f59f2b7840bf961381deeede028b4b3d1fdd0a9fb735bc8
                                            • Opcode Fuzzy Hash: c193fc93756d2847739b82c0c75ae9b82191190ddc07a669d83e2fc80bdfa83d
                                            • Instruction Fuzzy Hash: A6F081B5000708BFEB20CF50CC46FEB7BBCEB00B10F00451AFA11C6290E7B1A9089BA5
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • CryptGetHashParam.ADVAPI32(?,00000004,?,?,00000000), ref: 004559FC
                                            • GetLastError.KERNEL32 ref: 00455A06
                                            • CryptSetHashParam.ADVAPI32(?,00000002,?,00000000), ref: 00455A2E
                                            Similarity
                                            • API ID: CryptHashParam$ErrorLast
                                            • String ID:
                                            • API String ID: 1884520423-0
                                            • Opcode ID: d5c56685a24979982aa0d8ef8a23978b060038e388f986dbf2681cca73596991
                                            • Instruction ID: 9a9db5d308ff9ccaea8357ed1139faa85925d2d7cdae957a465facf69a33f7f9
                                            • Opcode Fuzzy Hash: d5c56685a24979982aa0d8ef8a23978b060038e388f986dbf2681cca73596991
                                            • Instruction Fuzzy Hash: CFF04F71510704BFEB20CF60DC4AFAA7FA8EB01700F10461AEA1296290E7B5AD059B64
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • CryptAcquireContextW.ADVAPI32(?,?,00000000,00000001,00000010,?,?,?,?,0045566C,00000000), ref: 00455A88
                                            • CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,0045566C,00000000), ref: 00455A91
                                            • CryptDestroyHash.ADVAPI32(?,?,00000000,?,?,?,0045566C,00000000), ref: 00455A9A
                                            Similarity
                                            • API ID: Crypt$Context$AcquireDestroyHashRelease
                                            • String ID:
                                            • API String ID: 2937476097-0
                                            • Opcode ID: 706c87482f787f2664a75151b30f21f106f4f774529dca5b9423f8773dbe496b
                                            • Instruction ID: b581e11407cbc47a4c99fe5eb7ccddbb5a29ade457aadda0d58643ef8943acc7
                                            • Opcode Fuzzy Hash: 706c87482f787f2664a75151b30f21f106f4f774529dca5b9423f8773dbe496b
                                            • Instruction Fuzzy Hash: 8AE039B6100A14ABD6304F66EC08D87BFFCEB85701B000A2AB692D2160D6B2A948CB64
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • _memset.LIBCMT ref: 00464FA3
                                            • IsDebuggerPresent.KERNEL32(?,?,00000000), ref: 00465058
                                            Similarity
                                            • API ID: DebuggerPresent_memset
                                            • String ID:
                                            • API String ID: 2328436684-0
                                            • Opcode ID: 30e630e0c4360776ab38092c0afed0eafb2761b64fe840dba2adabf5bf55a564
                                            • Instruction ID: 6a2e9a9e9d10309ba4ee37709abccabb61ed69375fac9e00e357eaa61f69ad69
                                            • Opcode Fuzzy Hash: 30e630e0c4360776ab38092c0afed0eafb2761b64fe840dba2adabf5bf55a564
                                            • Instruction Fuzzy Hash: 3F31B675801228ABCF21DF65D9887C9B7F8AF08314F5041EAE81CA7251E7789B858F49
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                              • Part of subcall function 00464D84: __getptd_noexit.LIBCMT ref: 00464D85
                                            • _GetPrimaryLen.LIBCMT ref: 0046E4F7
                                            • EnumSystemLocalesW.KERNEL32(0046E5AC,00000001,000000A0,?,?,0046EB36,00000000,?,?,?,?,?,00000055), ref: 0046E507
                                            Similarity
                                            • API ID: EnumLocalesPrimarySystem__getptd_noexit
                                            • String ID:
                                            • API String ID: 1605451767-0
                                            • Opcode ID: 9f9565c636c59fd6a40c03239ab5f95cbac2029abe3a144c69ffeb1cd06cadce
                                            • Instruction ID: adb5cb6d038db806dabc890ed3941d36723e6c2896cd645e690a7ff04314c5a9
                                            • Opcode Fuzzy Hash: 9f9565c636c59fd6a40c03239ab5f95cbac2029abe3a144c69ffeb1cd06cadce
                                            • Instruction Fuzzy Hash: C201F73A550307AFEB209F7AD409B66BBE0EF40729F10492EE447861C1FB7CA414CB49
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                              • Part of subcall function 00464D84: __getptd_noexit.LIBCMT ref: 00464D85
                                            • _GetPrimaryLen.LIBCMT ref: 0046E55B
                                            • EnumSystemLocalesW.KERNEL32(0046E79F,00000001,?,?,0046EB00,004620B7,?,?,00000055,?,?,004620B7,?,?,?), ref: 0046E56E
                                            Similarity
                                            • API ID: EnumLocalesPrimarySystem__getptd_noexit
                                            • String ID:
                                            • API String ID: 1605451767-0
                                            • Opcode ID: 4f30b4fd97aca6579e7ab532277327b2e75f6e49790ce1654feefc81a4c946b9
                                            • Instruction ID: 9b194bf615f34a188e3360dd678b4b267d31ed76c2cc864db2014fbbf2881020
                                            • Opcode Fuzzy Hash: 4f30b4fd97aca6579e7ab532277327b2e75f6e49790ce1654feefc81a4c946b9
                                            • Instruction Fuzzy Hash: 22F02035910304BEEB206B76E801FA23FD4CB02329F20481BF84A8A192FA781900866A
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • CryptGetHashParam.ADVAPI32(?,00000004,?,?,00000000), ref: 004559FC
                                            • GetLastError.KERNEL32 ref: 00455A06
                                            Similarity
                                            • API ID: CryptErrorHashLastParam
                                            • String ID:
                                            • API String ID: 2561833602-0
                                            • Opcode ID: d2bd3f526ffcab827848f3352d30dc01e53f6bfb96fa9e44300d7d78fc3b36db
                                            • Instruction ID: 01fa2e57d49853d085b3c6b94d87a937f65bde4b32404e6bb0c0c54f07d55c21
                                            • Opcode Fuzzy Hash: d2bd3f526ffcab827848f3352d30dc01e53f6bfb96fa9e44300d7d78fc3b36db
                                            • Instruction Fuzzy Hash: F3E092B2500304BFEB24DF51DC0AEEB7BACEB01700F00026BE90193240E6B1AE089674
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • CryptVerifySignatureW.ADVAPI32(?,?,?,?,00000000,00000000,00000000,004407A0,00000001,?,00000000,00000000,?,?,000001ED,00000000), ref: 00455DB1
                                            • GetLastError.KERNEL32 ref: 00455DBB
                                            Similarity
                                            • API ID: CryptErrorLastSignatureVerify
                                            • String ID:
                                            • API String ID: 2524884230-0
                                            • Opcode ID: e41b0b5dac174dff23051184fff421a58b20a60067bba2cd77ad8fd4c4cdc764
                                            • Instruction ID: 71fa4fb927ae7c563d7a200f7b9d3092a9c6925e5d1a4eaff98f384954e56967
                                            • Opcode Fuzzy Hash: e41b0b5dac174dff23051184fff421a58b20a60067bba2cd77ad8fd4c4cdc764
                                            • Instruction Fuzzy Hash: FCE0EC32140B20AFDB215F61AC09B937FE1BB45710F014859E662469A0D272A855AB44
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                              • Part of subcall function 00464D84: __getptd_noexit.LIBCMT ref: 00464D85
                                            • GetLocaleInfoW.KERNEL32(00000000,?,?,000000F0), ref: 0046E7F8
                                            Similarity
                                            • API ID: InfoLocale__getptd_noexit
                                            • String ID:
                                            • API String ID: 2161030339-0
                                            • Opcode ID: a04deb6f81116242e4524b4085a1d0491f7a0c5bafdb467c6e726964d0ee26b6
                                            • Instruction ID: 8115c626b999ecea31a7e474cb9bf8adedcce59d9df97034df0d2f925dfb735f
                                            • Opcode Fuzzy Hash: a04deb6f81116242e4524b4085a1d0491f7a0c5bafdb467c6e726964d0ee26b6
                                            • Instruction Fuzzy Hash: 96218376500216AFEB24AB26D842BBB73ECEF45315F10017FED0187182FB789D59CA5A
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetVersionExW.KERNEL32(?), ref: 004301A1
                                            Similarity
                                            • API ID: Version
                                            • String ID:
                                            • API String ID: 1889659487-0
                                            • Opcode ID: 2832456f11c060cd0b794991ee57ccbb05c39478b69244dc5654ccd42b1bfb3b
                                            • Instruction ID: 7319d55478f440adb9be3f0c93e2518c3f23ad37675a81d97adda49a0b8018e7
                                            • Opcode Fuzzy Hash: 2832456f11c060cd0b794991ee57ccbb05c39478b69244dc5654ccd42b1bfb3b
                                            • Instruction Fuzzy Hash: 11F08C30A2125C9FCB54FF79D84A7DA7BE46B0A704F4040BEA409D3291DB799E88CB48
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • CryptImportKey.ADVAPI32(?,?,?,00000000,?,?,?,0045524F,?,?,?), ref: 004552BD
                                            Similarity
                                            • API ID: CryptImport
                                            • String ID:
                                            • API String ID: 365355273-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • CryptExportKey.ADVAPI32(?,00000000,00000006,?,?,?), ref: 00454DEF
                                            Similarity
                                            • API ID: CryptExport
                                            • String ID:
                                            • API String ID: 3389274496-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • CryptHashData.ADVAPI32(?,?,?,00000000), ref: 0045522B
                                            Similarity
                                            • API ID: CryptDataHash
                                            • String ID:
                                            • API String ID: 4245837645-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetLastError.KERNEL32 ref: 0040225F
                                            • SetLastError.KERNEL32(T4L), ref: 004022A2
                                              • Part of subcall function 004040F0: SysStringLen.OLEAUT32(?), ref: 004040FE
                                              • Part of subcall function 004040F0: SysReAllocStringLen.OLEAUT32(?,00000001,?), ref: 00404118
                                            • GetDateFormatW.KERNEL32(00000800,00000000,00000000,M-d-yyyy,00000000,00000080,?,00000080), ref: 004022EA
                                              • Part of subcall function 00403CF0: GetLastError.KERNEL32(2E932D87,?,00000000,74DEDFA0,?,?,?,?,?,?,?,?,00000000,004AC478,000000FF,T4L), ref: 00403D2F
                                              • Part of subcall function 00403CF0: GetLastError.KERNEL32(?,00000000,000000FF), ref: 00403DC9
                                              • Part of subcall function 00403CF0: SysFreeString.OLEAUT32(?), ref: 00403DE3
                                              • Part of subcall function 00403CF0: SysFreeString.OLEAUT32(?), ref: 00403DF0
                                              • Part of subcall function 00403CF0: SetLastError.KERNEL32(?), ref: 00403E14
                                              • Part of subcall function 00403CF0: SetLastError.KERNEL32(?,?,00000000,74DEDFA0,?,?,?,?,?,?,?,?,00000000,004AC478,000000FF,T4L), ref: 00403E1A
                                            • GetLastError.KERNEL32 ref: 00402311
                                            • SetLastError.KERNEL32(T4L), ref: 00402345
                                              • Part of subcall function 004040F0: _wmemcpy_s.LIBCMT ref: 00404145
                                            • GetTimeFormatW.KERNEL32(00000800,00000000,00000000,hh':'mm':'ss tt,00000000,00000080,?,00000080), ref: 0040238A
                                              • Part of subcall function 00402CE0: GetLastError.KERNEL32(2E932D87,?,00000000,74DEDFA0,?,?,004AC418,000000FF,T4L,00401EE2,InstallShield.log,?), ref: 00402D30
                                              • Part of subcall function 00402CE0: SetLastError.KERNEL32(?,004C2D7C,00000000,?,00000000,74DEDFA0,?,?,004AC418,000000FF,T4L,00401EE2,InstallShield.log,?), ref: 00402DA8
                                              • Part of subcall function 00403080: GetLastError.KERNEL32 ref: 004030E5
                                              • Part of subcall function 00403080: SetLastError.KERNEL32(T4L,00000000,00000000,000000FF), ref: 0040314E
                                              • Part of subcall function 00403080: GetLastError.KERNEL32(?), ref: 004031A4
                                              • Part of subcall function 00403080: SysFreeString.OLEAUT32(?), ref: 004031BE
                                              • Part of subcall function 00403080: SysFreeString.OLEAUT32(?), ref: 004031CB
                                              • Part of subcall function 00403080: SetLastError.KERNEL32(?), ref: 004031EF
                                              • Part of subcall function 004034E0: GetLastError.KERNEL32 ref: 0040354B
                                              • Part of subcall function 004034E0: SetLastError.KERNEL32(T4L,00000000,00000000,000000FF), ref: 004035B4
                                              • Part of subcall function 004034E0: SysFreeString.OLEAUT32(?), ref: 004036A6
                                              • Part of subcall function 00403080: GetLastError.KERNEL32(00000000,?,00000000,?), ref: 00403290
                                              • Part of subcall function 00403080: SysFreeString.OLEAUT32(?), ref: 004032A8
                                              • Part of subcall function 00403080: SysFreeString.OLEAUT32(?), ref: 004032B5
                                              • Part of subcall function 00403080: SetLastError.KERNEL32(?), ref: 004032D9
                                              • Part of subcall function 00403080: GetLastError.KERNEL32(00000000,00000000,000000FF), ref: 00403334
                                              • Part of subcall function 00403080: SysFreeString.OLEAUT32(?), ref: 0040334C
                                              • Part of subcall function 00403080: SysFreeString.OLEAUT32(?), ref: 00403359
                                              • Part of subcall function 00402DE0: GetLastError.KERNEL32 ref: 00402E45
                                              • Part of subcall function 00402DE0: SetLastError.KERNEL32(T4L,00000000,00000000,000000FF), ref: 00402EA5
                                              • Part of subcall function 00402DE0: GetLastError.KERNEL32 ref: 00402ECE
                                              • Part of subcall function 00402DE0: SetLastError.KERNEL32(?,00000000,00000000,000000FF), ref: 00402F2E
                                              • Part of subcall function 00402DE0: GetLastError.KERNEL32 ref: 00402F4E
                                            • GetLastError.KERNEL32(?,00000000,?,?,00000000,00000000,?,?,00000001,?,?,?,00000001), ref: 00402447
                                            • SysFreeString.OLEAUT32(?), ref: 0040246B
                                            • SysFreeString.OLEAUT32(?), ref: 0040247E
                                            • SetLastError.KERNEL32(?), ref: 004024B1
                                            • GetLastError.KERNEL32 ref: 004024C6
                                            • SysFreeString.OLEAUT32(?), ref: 004024E4
                                            • SysFreeString.OLEAUT32(?), ref: 004024F7
                                            • SetLastError.KERNEL32(?), ref: 0040252A
                                            • GetLastError.KERNEL32 ref: 0040253F
                                            • SysFreeString.OLEAUT32(?), ref: 0040255D
                                            • SysFreeString.OLEAUT32(?), ref: 00402570
                                            • SetLastError.KERNEL32(?), ref: 004025A3
                                            • GetLastError.KERNEL32 ref: 004025B8
                                            • SysFreeString.OLEAUT32(?), ref: 004025D6
                                            • SysFreeString.OLEAUT32(?), ref: 004025E9
                                            • SetLastError.KERNEL32(?), ref: 0040261C
                                            • GetLastError.KERNEL32 ref: 00402631
                                            • SysFreeString.OLEAUT32(?), ref: 0040264F
                                            • SysFreeString.OLEAUT32(?), ref: 00402662
                                            • SetLastError.KERNEL32(?), ref: 00402695
                                            • GetLastError.KERNEL32 ref: 004026AD
                                            • SetLastError.KERNEL32(T4L), ref: 00402700
                                            • GetLastError.KERNEL32 ref: 004027C5
                                            • SysFreeString.OLEAUT32(?), ref: 004027E3
                                            • SysFreeString.OLEAUT32(?), ref: 004027F6
                                            • SetLastError.KERNEL32(?), ref: 00402829
                                            • GetLastError.KERNEL32 ref: 0040283E
                                            • SysFreeString.OLEAUT32(?), ref: 0040285C
                                            • SysFreeString.OLEAUT32(?), ref: 0040286F
                                            • SetLastError.KERNEL32(?), ref: 004028A2
                                            • GetLastError.KERNEL32 ref: 004028B1
                                            • SysFreeString.OLEAUT32(?), ref: 004028C9
                                            • SysFreeString.OLEAUT32(?), ref: 004028D6
                                            • SetLastError.KERNEL32(?), ref: 004028FA
                                            • GetLastError.KERNEL32 ref: 0040290F
                                            • SysFreeString.OLEAUT32(?), ref: 00402927
                                            • SysFreeString.OLEAUT32(?), ref: 00402934
                                              • Part of subcall function 00403B50: __vwprintf_p.LIBCMT ref: 00403B7F
                                              • Part of subcall function 00403B50: vswprintf.LIBCMT ref: 00403BB1
                                            • SetLastError.KERNEL32(?), ref: 00402958
                                            Strings
                                            Similarity
                                            • API ID: ErrorLast$String$Free$Format$AllocDateTime__vwprintf_p_wmemcpy_svswprintf
                                            • String ID: %s[%s]: %s$%s[%s]: %s -- File: %s, Line: %d$M-d-yyyy$P/L$P/L$P/L$P/L$T4L$T4L$T4L$hh':'mm':'ss tt
                                            • API String ID: 1002200784-2789026671
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3.LIBCMT ref: 00446811
                                              • Part of subcall function 00408E82: __EH_prolog3.LIBCMT ref: 00408E89
                                              • Part of subcall function 00408E82: GetLastError.KERNEL32(00000004,00409E1B,004C2FA0,00000000,0043A706,?,?,00000001), ref: 00408EAB
                                              • Part of subcall function 00408E82: SetLastError.KERNEL32(?,00000000), ref: 00408EE3
                                              • Part of subcall function 0044363E: __EH_prolog3_GS.LIBCMT ref: 00443645
                                              • Part of subcall function 0044363E: GetModuleHandleW.KERNEL32(Kernel32.dll,LocaleNameToLCID,00000074), ref: 00443659
                                              • Part of subcall function 0044363E: GetProcAddress.KERNEL32(00000000), ref: 00443660
                                            Strings
                                            Similarity
                                            • API ID: ErrorH_prolog3Last$AddressH_prolog3_HandleModuleProc
                                            • String ID: @/L$american$australian$canadian$chinese$chinese-simplified$chinese-traditional$czech$danish$dutch$dutch-belgian$english$english-nz$english-uk$finnish$french$french-belgian$french-canadian$french-swiss$german$german-austrian$german-swiss$greek$hungarian$icelandic$italian$italian-swiss$japanese$korean$norwegian$norwegian-bokmal$norwegian-nynorsk$polish$portuguese$portuguese-brazilian$russian$slovak$spanish$spanish-mexican$spanish-modern$swedish$turkish
                                            • API String ID: 1772309320-951662217
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                              • Part of subcall function 00403FB0: GetLastError.KERNEL32(2E932D87,?,?,?,?,?,004AC2D8,000000FF), ref: 00403FF3
                                              • Part of subcall function 00403FB0: SetLastError.KERNEL32(?,004C2D7C,00000000,?,?,?,?,?,004AC2D8,000000FF), ref: 00404068
                                              • Part of subcall function 00490850: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,00000002,?,?,0048A841,?,00000000,00000103), ref: 00490876
                                              • Part of subcall function 00490850: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,?,00000000,00000000,?,?), ref: 004908BE
                                            • GetPrivateProfileIntA.KERNEL32(?,RECTS,00000000,?), ref: 00492417
                                            • _memset.LIBCMT ref: 00492447
                                            • _memset.LIBCMT ref: 00492458
                                            • _memset.LIBCMT ref: 00492472
                                            • lstrcpyA.KERNEL32(00000000,RECT), ref: 004924B2
                                            • __itow.LIBCMT ref: 004924C2
                                            • lstrcatA.KERNEL32(00000000,00000000), ref: 004924D2
                                            • GetLastError.KERNEL32 ref: 004924EC
                                            • SetLastError.KERNEL32(004C3454,004C2D7C,004C2D7A), ref: 0049257A
                                            • GetPrivateProfileStringA.KERNEL32(00000000,00000000,004C2BD0,00000000,000003E8,00000000), ref: 0049260E
                                            • GetLastError.KERNEL32 ref: 0049262C
                                            • SysFreeString.OLEAUT32(00000000), ref: 0049264E
                                            • SysFreeString.OLEAUT32(?), ref: 0049265F
                                            • SetLastError.KERNEL32(004C2F50), ref: 00492694
                                            • GetSysColor.USER32(0000000F), ref: 00492698
                                            • CreateSolidBrush.GDI32(?), ref: 004926CE
                                            • lstrcpyA.KERNEL32(00000000,00000000), ref: 004926E2
                                            • lstrcatA.KERNEL32(00000000,POS), ref: 004926F1
                                            • GetLastError.KERNEL32 ref: 0049270B
                                            • SetLastError.KERNEL32(004C3454,004C2D7C,004C2D7A), ref: 0049279A
                                            • GetPrivateProfileStringA.KERNEL32(00000000,00000000,004C2BD0,00000000,000003E8,00000000), ref: 00492827
                                            • GetLastError.KERNEL32 ref: 00492845
                                            • SysFreeString.OLEAUT32(00000000), ref: 00492867
                                            • SysFreeString.OLEAUT32(?), ref: 00492878
                                            • SetLastError.KERNEL32(004C2F50), ref: 004928AD
                                            • lstrcpyA.KERNEL32(00000000,00000000,00000000,?,00000001), ref: 004928FB
                                            • lstrcatA.KERNEL32(00000000,AREA), ref: 0049290A
                                            • GetLastError.KERNEL32 ref: 00492924
                                            • SetLastError.KERNEL32(004C3454,004C2D7C,00000000), ref: 004929AA
                                            • GetPrivateProfileStringA.KERNEL32(00000000,00000000,004C2BD0,00000000,000003E8,00000000), ref: 00492A31
                                            • GetLastError.KERNEL32 ref: 00492A4F
                                            • SysFreeString.OLEAUT32(00000000), ref: 00492A71
                                            • SysFreeString.OLEAUT32(?), ref: 00492A82
                                            • SetLastError.KERNEL32(004C2F50), ref: 00492AB7
                                            Strings
                                            Similarity
                                            • API ID: ErrorLast$String$Free$PrivateProfile$_memsetlstrcatlstrcpy$ByteCharMultiWide$BrushColorCreateSolid__itow
                                            • String ID: AREA$P/L$POS$RECT$RECTS$T4L$lJ$|-L
                                            • API String ID: 792308993-3612069791
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetTickCount.KERNEL32 ref: 004946ED
                                              • Part of subcall function 00480F50: GetLastError.KERNEL32(2E932D87,753CE860), ref: 00480F9C
                                              • Part of subcall function 00480F50: SetLastError.KERNEL32(004C2F90,00000000,00000000,000000FF), ref: 00480FFC
                                              • Part of subcall function 00480F50: GetLastError.KERNEL32(00000000,00000000,000000FF), ref: 0048102A
                                              • Part of subcall function 00480F50: SetLastError.KERNEL32(?,?,00000000,000000FF), ref: 00481078
                                            • GetLastError.KERNEL32(00000000,00000004,?), ref: 00494794
                                            • SysFreeString.OLEAUT32(?), ref: 004947A9
                                            • SysFreeString.OLEAUT32(?), ref: 004947BA
                                            • SetLastError.KERNEL32(?), ref: 004947E9
                                            • GetLastError.KERNEL32 ref: 00494800
                                            • SysFreeString.OLEAUT32(?), ref: 00494818
                                            • SysFreeString.OLEAUT32(?), ref: 00494829
                                            • SetLastError.KERNEL32(?), ref: 00494858
                                            • GetLastError.KERNEL32 ref: 00494869
                                            • SysFreeString.OLEAUT32(?), ref: 0049487B
                                            • SysFreeString.OLEAUT32(?), ref: 00494886
                                            • SetLastError.KERNEL32(?), ref: 004948A6
                                            • GetLastError.KERNEL32 ref: 004948BD
                                            • SysFreeString.OLEAUT32(?), ref: 004948D5
                                            • SysFreeString.OLEAUT32(?), ref: 004948E6
                                            • SetLastError.KERNEL32(?), ref: 0049491B
                                            • GetLastError.KERNEL32 ref: 0049492B
                                            • SetLastError.KERNEL32(004AE96C), ref: 00494957
                                            • SysStringLen.OLEAUT32(?), ref: 00494980
                                            • SysReAllocStringLen.OLEAUT32(74DEE034,74DEE014,?), ref: 0049499D
                                            • _wmemcpy_s.LIBCMT ref: 004949D9
                                            • wsprintfW.USER32 ref: 00494A01
                                            • GetFileAttributesW.KERNEL32(00000000,?,00000000,000000FF), ref: 00494A37
                                            • GetLastError.KERNEL32 ref: 00494A65
                                            • SysFreeString.OLEAUT32(?), ref: 00494A77
                                            • SysFreeString.OLEAUT32(?), ref: 00494A82
                                            • SetLastError.KERNEL32(004AE964), ref: 00494AA2
                                            • __CxxThrowException@8.LIBCMT ref: 00494B36
                                            • GetLastError.KERNEL32(004AE89C,004C6AB8), ref: 00494B3D
                                            • SysFreeString.OLEAUT32(?), ref: 00494B53
                                            • SysFreeString.OLEAUT32(?), ref: 00494B5E
                                            • SetLastError.KERNEL32(004AE964), ref: 00494B7E
                                            Similarity
                                            • API ID: ErrorLast$String$Free$AllocAttributesCountException@8FileThrowTick_wmemcpy_swsprintf
                                            • String ID: %hx.rra$dJ$lJ$lJ
                                            • API String ID: 2442431672-3032772394
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                              • Part of subcall function 00485E90: GetLastError.KERNEL32(2E932D87,?,?,?,?,?,?,?,?,004AAF61,000000FF,?,00489C65,?,?,00000001), ref: 00485EE4
                                              • Part of subcall function 00485E90: SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,004AAF61,000000FF,?,00489C65,?,?,00000001), ref: 00485F1D
                                            • wsprintfA.USER32 ref: 00489C9A
                                              • Part of subcall function 00407F60: _memmove.LIBCMT ref: 00408015
                                              • Part of subcall function 00401AC0: GetLastError.KERNEL32(?,?,0040E566), ref: 00401ACF
                                              • Part of subcall function 00401AC0: SysFreeString.OLEAUT32(?), ref: 00401AEB
                                              • Part of subcall function 00401AC0: SysFreeString.OLEAUT32(?), ref: 00401AF6
                                              • Part of subcall function 00401AC0: SetLastError.KERNEL32(?), ref: 00401B14
                                            • GetLastError.KERNEL32 ref: 00489CF2
                                            • SetLastError.KERNEL32(?,?,00000000,000000FF), ref: 00489D40
                                            • lstrcpyA.KERNEL32(000000D0,?), ref: 00489D89
                                            • lstrcpyA.KERNEL32(00000004,?), ref: 00489D90
                                            • lstrcpyA.KERNEL32(00000068,?), ref: 00489DA0
                                            • MapDialogRect.USER32(?,?), ref: 00489DDE
                                            • MulDiv.KERNEL32(?,000186A0,00000006), ref: 00489E09
                                            • MulDiv.KERNEL32(?,000186A0,0000000D), ref: 00489E1E
                                            • MulDiv.KERNEL32(?,?,00000004), ref: 00489E86
                                            • MulDiv.KERNEL32(?,?,00000008), ref: 00489EB2
                                            • GetClientRect.USER32(?,?), ref: 00489F45
                                            • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00489F56
                                            • CreateCompatibleDC.GDI32(00000000), ref: 00489F62
                                            • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00489F7B
                                            • SelectObject.GDI32(?,00000000), ref: 00489F8E
                                            • MulDiv.KERNEL32(?,?,00000004), ref: 00489FBE
                                            • MulDiv.KERNEL32(?,?,00000008), ref: 00489FD1
                                            • MulDiv.KERNEL32(?,?,00000004), ref: 00489FE4
                                            • MulDiv.KERNEL32(?,?,00000008), ref: 00489FF7
                                            • FillRect.USER32(?,?,?), ref: 0048A00C
                                            • GetDlgItem.USER32(?,?), ref: 0048A12F
                                            • DrawIcon.USER32(?,?,?,00000000), ref: 0048A146
                                            Similarity
                                            • API ID: ErrorLast$CreateRectlstrcpy$CompatibleFreeString$BitmapClientDialogDrawFillIconItemObjectSelect_memmovewsprintf
                                            • String ID: -%04x$DISPLAY$PROP_PSKIN
                                            • API String ID: 4259255117-337460466
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • operator+.LIBCMT ref: 0047290F
                                              • Part of subcall function 0046FEBA: DName::DName.LIBCMT ref: 0046FECB
                                              • Part of subcall function 0046FEBA: DName::operator+.LIBCMT ref: 0046FED2
                                            Similarity
                                            • API ID: NameName::Name::operator+operator+
                                            • String ID:
                                            • API String ID: 2937105810-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • _memset.LIBCMT ref: 0048971F
                                            • GetClassNameW.USER32(?,?,00000064), ref: 0048972E
                                            • lstrcmpiW.KERNEL32(Button,?), ref: 00489743
                                            • GetWindowLongW.USER32(?,000000F0), ref: 00489750
                                            • SetWindowLongW.USER32(?,000000F0,?), ref: 004897E6
                                            • GetWindowLongW.USER32(?,000000F4), ref: 004897EF
                                            • GetWindowRect.USER32(?,?), ref: 0048991B
                                            • MulDiv.KERNEL32(?,000186A0,000186A0), ref: 00489962
                                            • MulDiv.KERNEL32(?,?,000186A0), ref: 0048997F
                                            • MulDiv.KERNEL32(?,000186A0,?), ref: 004899A9
                                            • MulDiv.KERNEL32(?,000186A0,?), ref: 004899E8
                                            • ScreenToClient.USER32(?,?), ref: 00489A14
                                            • MulDiv.KERNEL32(?,?,00000004), ref: 00489A36
                                            • MulDiv.KERNEL32(?,?,00000008), ref: 00489A50
                                            • MoveWindow.USER32(?,?,00000000,?,?,00000000), ref: 00489A6F
                                            • lstrcmpiW.KERNEL32(Static,?), ref: 00489A83
                                            • GetWindowLongW.USER32(?,000000F0), ref: 00489A96
                                            • GetWindowLongW.USER32(?,000000F0), ref: 00489AA7
                                            • GetWindowRect.USER32(?,?), ref: 00489AB9
                                            • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 00489ACA
                                            • SendMessageW.USER32(?,00000171,00000000,00000000), ref: 00489AE6
                                            • GetWindowLongW.USER32(?,000000F4), ref: 00489B09
                                            • ShowWindow.USER32(?,00000000), ref: 00489B3E
                                            • GetWindowTextW.USER32(?,?,0000000A), ref: 00489B81
                                            • SetWindowLongW.USER32(?,000000FC,0048B5D0), ref: 00489B96
                                            • SetPropW.USER32(?,PROP_STAT_PSKIN,?), ref: 00489BB3
                                            • SetPropW.USER32(?,PROP_STAT_OLDPROC,00000000), ref: 00489BBC
                                            Similarity
                                            • API ID: Window$Long$PropRectlstrcmpi$ClassClientMessageMoveNamePointsScreenSendShowText_memset
                                            • String ID: @$Button$PROP_STAT_OLDPROC$PROP_STAT_PSKIN$Static$msctls_progress32
                                            • API String ID: 2481118448-847272177
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 0040C4FA
                                            • GetWindowLongW.USER32(?,000000EB), ref: 0040C55E
                                            • SetDlgItemTextW.USER32(?,000003F3,-00000004), ref: 0040C5C7
                                            • GetWindowRect.USER32(?,?), ref: 0040C5E8
                                            • MoveWindow.USER32(?,?,?,?,?,00000001), ref: 0040C619
                                            • LoadIconW.USER32(00000000,00007F01), ref: 0040C787
                                            • GetDlgItem.USER32(?,000003F9), ref: 0040C79A
                                            • SendMessageW.USER32(00000000), ref: 0040C7A1
                                            • SetWindowTextW.USER32(?,-00000004), ref: 0040C7D5
                                            • SetDlgItemTextW.USER32(?,000003F8,-00000004), ref: 0040C864
                                            • SetDlgItemTextW.USER32(?,000003F7,00000004), ref: 0040C91C
                                            Similarity
                                            • API ID: ItemTextWindow$H_prolog3_IconLoadLongMessageMoveRectSend
                                            • String ID: <<$ >>$%ld : 0x%x$%s%ld : 0x%x%s%s$@/L$@/L$@/L$@/L$@/L$@/L$open$|-L
                                            • API String ID: 4073716165-137234772
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 004100BF
                                            • EndDialog.USER32(?), ref: 0041012F
                                            • GetDlgItem.USER32(?,00000001), ref: 00410147
                                            • EnableWindow.USER32(00000000), ref: 0041014A
                                            • GetDlgItem.USER32(?,0000012D), ref: 00410158
                                            • ShowWindow.USER32(00000000), ref: 0041015B
                                            • GetDlgItem.USER32(?,000003EB), ref: 004101BD
                                            • GetDlgItem.USER32(?,000003E9), ref: 004101C6
                                            • SetWindowTextW.USER32(?,-00000004), ref: 00410263
                                            • SendDlgItemMessageW.USER32(?,00000009,00000030,00000000,00000000), ref: 0041029B
                                            • SendDlgItemMessageW.USER32(?,00000001,00000030,00000000,00000000), ref: 004102C7
                                            • SendDlgItemMessageW.USER32(?,000003EB,00000030,00000000), ref: 004102D9
                                            • SendDlgItemMessageW.USER32(?,000003E9,00000030,00000000), ref: 004102EB
                                            • SendDlgItemMessageW.USER32(?,000003ED,00000030,00000000), ref: 004102FD
                                            • SendDlgItemMessageW.USER32(?,000003EC,00000030,00000000), ref: 0041030F
                                            • SendDlgItemMessageW.USER32(?,0000040A,00000030,00000000), ref: 00410321
                                            • SendDlgItemMessageW.USER32(?,000003EE,00000030,00000000), ref: 00410333
                                            • SendDlgItemMessageW.USER32(?,0000040B,00000030,00000000), ref: 00410345
                                            • GetDlgItem.USER32(?,0000012D), ref: 00410355
                                            • ShowWindow.USER32(00000000), ref: 00410358
                                            • GetDlgItem.USER32(?,000003EE), ref: 00410403
                                            • SetWindowTextW.USER32(00000000), ref: 00410406
                                            • DeleteObject.GDI32(000000D4), ref: 0041048C
                                            Similarity
                                            • API ID: Item$MessageSend$Window$ShowText$DeleteDialogEnableH_prolog3_Object
                                            • String ID: P/L$PrereqDialog$T4L
                                            • API String ID: 128106140-452211144
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                              • Part of subcall function 00404200: GetLastError.KERNEL32 ref: 0040421F
                                              • Part of subcall function 00404200: SetLastError.KERNEL32(?), ref: 0040424F
                                              • Part of subcall function 0040A0F0: SysStringLen.OLEAUT32(?), ref: 0040A0FD
                                              • Part of subcall function 0040A0F0: SysReAllocStringLen.OLEAUT32(?,00000001,?), ref: 0040A117
                                            • GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,?,00000104), ref: 004097A8
                                              • Part of subcall function 00409574: __EH_prolog3_GS.LIBCMT ref: 0040957B
                                              • Part of subcall function 00409574: GetLastError.KERNEL32(00000038,0040DDFB,004492A1,?,004AFFA0), ref: 00409582
                                              • Part of subcall function 00409574: SetLastError.KERNEL32(00000000), ref: 004095D6
                                              • Part of subcall function 0040A206: __EH_prolog3_GS.LIBCMT ref: 0040A210
                                              • Part of subcall function 00408E82: __EH_prolog3.LIBCMT ref: 00408E89
                                              • Part of subcall function 00408E82: GetLastError.KERNEL32(00000004,00409E1B,004C2FA0,00000000,0043A706,?,?,00000001), ref: 00408EAB
                                              • Part of subcall function 00408E82: SetLastError.KERNEL32(?,00000000), ref: 00408EE3
                                              • Part of subcall function 00441E34: __EH_prolog3_GS.LIBCMT ref: 00441E3E
                                            • GetSystemDirectoryW.KERNEL32(00000000,00000104), ref: 00409884
                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 004098B7
                                            • _memset.LIBCMT ref: 004098DD
                                            • _memset.LIBCMT ref: 004098F6
                                            • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000044,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 0040991C
                                            • _memset.LIBCMT ref: 0040993F
                                            • _wcsncpy.LIBCMT ref: 004099B2
                                              • Part of subcall function 00441E34: GetLastError.KERNEL32 ref: 00441ED3
                                              • Part of subcall function 00441E34: GetLastError.KERNEL32 ref: 00441F92
                                              • Part of subcall function 00441E34: __CxxThrowException@8.LIBCMT ref: 00442002
                                            • _wcsncpy.LIBCMT ref: 004099DD
                                            • GetCurrentProcess.KERNEL32(?,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 004099FD
                                            • GetCurrentProcess.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00409A00
                                            • DuplicateHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00409A03
                                            • TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00409A24
                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00409A30
                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00409A38
                                            • MoveFileExW.KERNEL32(?,00000000,00000004), ref: 00409A53
                                            • _memmove.LIBCMT ref: 00409AA1
                                            • GetThreadContext.KERNEL32 ref: 00409AC0
                                            • VirtualProtectEx.KERNEL32(?,?,00000C35,00000040,?), ref: 00409B02
                                            • WriteProcessMemory.KERNEL32(?,?,?,00000C35,00000000), ref: 00409B1D
                                            • FlushInstructionCache.KERNEL32(?,?,00000C35), ref: 00409B2F
                                            • SetThreadContext.KERNEL32(?,00010003), ref: 00409B42
                                            • ResumeThread.KERNEL32(?), ref: 00409B4E
                                            • CloseHandle.KERNEL32(?), ref: 00409B5A
                                            • CloseHandle.KERNEL32(?), ref: 00409B62
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2441700723.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441790678.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441825034.00000000004D7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.00000000004DC000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000509000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000519000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: ErrorLast$HandleProcess$Close$CurrentH_prolog3_Thread_memset$ContextDirectoryFileString_wcsncpy$AllocCacheCreateDuplicateException@8FlushH_prolog3InstructionMemoryModuleMoveNameProtectResumeSystemTerminateThrowVirtualWrite_memmove
                                            • String ID: @/L$@/L$@/L$explorer.exe
                                            • API String ID: 3542506763-3744986830
                                            • Opcode ID: d70bf96061e9ae4a3764fdd706b6d614774bc0ca1da3216862d769f6a1850e09
                                            • Instruction ID: f51911a9ddecf8f95a698078a3ab9431c8a2878545a22eec0a50bb54fcfc93b8
                                            • Opcode Fuzzy Hash: d70bf96061e9ae4a3764fdd706b6d614774bc0ca1da3216862d769f6a1850e09
                                            • Instruction Fuzzy Hash: ABC13C71900228AFEB25DB65CC49FDABBB8EF05344F0041EAF909A71A1DB745E84CF95
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetLastError.KERNEL32 ref: 00405B4B
                                            • SetLastError.KERNEL32(T4L,00000000,00000000,000000FF), ref: 00405BB4
                                            • GetLastError.KERNEL32 ref: 00405BD4
                                            • SetLastError.KERNEL32(T4L), ref: 00405C11
                                            • GetLastError.KERNEL32(?,000000FF,00000001), ref: 00405C8C
                                            • SysFreeString.OLEAUT32(?), ref: 00405CA6
                                            • SysFreeString.OLEAUT32(?), ref: 00405CB9
                                            • SetLastError.KERNEL32(?), ref: 00405CF2
                                            • GetLastError.KERNEL32(00000000,00000000,000000FF,?,?,000000FF,?,000000FF,00000001), ref: 00405D52
                                            • SysFreeString.OLEAUT32(?), ref: 00405D6C
                                            • SysFreeString.OLEAUT32(?), ref: 00405D7F
                                            • SetLastError.KERNEL32(?), ref: 00405DB8
                                            • GetLastError.KERNEL32(?,000000FF,00000001), ref: 00405DCB
                                            • SetLastError.KERNEL32(?,?,00000000,000000FF), ref: 00405E22
                                            • GetLastError.KERNEL32 ref: 00405E37
                                            • SysFreeString.OLEAUT32(?), ref: 00405E4B
                                            • SysFreeString.OLEAUT32(?), ref: 00405E58
                                            • SetLastError.KERNEL32(?), ref: 00405E7C
                                            • GetLastError.KERNEL32 ref: 00405E8F
                                            • SysFreeString.OLEAUT32(?), ref: 00405EA3
                                            • SysFreeString.OLEAUT32(?), ref: 00405EB0
                                            • SetLastError.KERNEL32(?), ref: 00405ED4
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2441700723.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441790678.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441825034.00000000004D7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.00000000004DC000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000509000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000519000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: ErrorLast$FreeString
                                            • String ID: P/L$T4L$T4L$T4L$T4L$T4L
                                            • API String ID: 2425351278-1114961416
                                            • Opcode ID: bae9bababab1643fc427e99a430b4058c6078c8af4335f0efac4ce899c9eef20
                                            • Instruction ID: f040519dc64b790a380e079862b9e4b9806259381dd47372e147210011703477
                                            • Opcode Fuzzy Hash: bae9bababab1643fc427e99a430b4058c6078c8af4335f0efac4ce899c9eef20
                                            • Instruction Fuzzy Hash: 15B12A715083809FD720DF29C844B5BBBE4FF89318F114A2EE498972A1DB79D859CF4A
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 00438911
                                              • Part of subcall function 00438520: __EH_prolog3_GS.LIBCMT ref: 0043852A
                                              • Part of subcall function 00438520: SendDlgItemMessageW.USER32(?,00000034,00000031,00000000,00000000), ref: 00438576
                                              • Part of subcall function 00438520: GetObjectW.GDI32(00000000,0000005C,?), ref: 00438586
                                              • Part of subcall function 00438520: lstrcpyW.KERNEL32(?,?), ref: 004385B2
                                              • Part of subcall function 00438520: CreateFontIndirectW.GDI32(?), ref: 004385BF
                                              • Part of subcall function 00438520: SendDlgItemMessageW.USER32(?,00000034,00000030,?,00000001), ref: 004385F5
                                              • Part of subcall function 00438520: SetDlgItemTextW.USER32(?,0000000C,-00000004), ref: 0043862A
                                              • Part of subcall function 00438520: GetDlgItem.USER32(?,0000000C), ref: 0043863D
                                              • Part of subcall function 00438520: EnableWindow.USER32(00000000,?), ref: 0043864F
                                              • Part of subcall function 0040D268: __EH_prolog3_GS.LIBCMT ref: 0040D272
                                            • SetDlgItemTextW.USER32(?,00000001,-00000004), ref: 00438954
                                            • SetDlgItemTextW.USER32(?,00000009,-00000004), ref: 0043898C
                                            • SetDlgItemTextW.USER32(?,00000034,-00000004), ref: 004389C4
                                            • SetDlgItemTextW.USER32(?,00000033,-00000004), ref: 004389FC
                                            • SetDlgItemTextW.USER32(?,000003FA,-00000004), ref: 00438A42
                                            • SetDlgItemTextW.USER32(?,000003F2,-00000004), ref: 00438AA7
                                            • SetDlgItemTextW.USER32(?,000003F3,-00000004), ref: 00438AE2
                                            • GetDlgItem.USER32(?,000003F3), ref: 00438AFA
                                            • GetDlgItem.USER32(?,000003F2), ref: 00438B0C
                                            • SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00438B2D
                                            • GetDlgItem.USER32(?,000003ED), ref: 00438B45
                                            • EnableWindow.USER32(00000000), ref: 00438B48
                                            • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00438B5E
                                            • GetDlgItem.USER32(?,000003ED), ref: 00438B68
                                            • SendMessageW.USER32(00000000,00001036,00000000,00000020), ref: 00438B7E
                                            • _memset.LIBCMT ref: 00438D52
                                            • SendMessageW.USER32(00000000,0000104D,00000000,?), ref: 00438D8D
                                            • SendMessageW.USER32(00000000,00001074,00000000,?), ref: 00438DC7
                                            • SendMessageW.USER32(00000000,0000102B,?,?), ref: 00438DFB
                                            • SendMessageW.USER32(00000000,0000101E,00000000,0000FFFF), ref: 00438E63
                                            • SendMessageW.USER32(00000000,0000101E,00000001,0000FFFF), ref: 00438E72
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2441700723.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441790678.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441825034.00000000004D7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.00000000004DC000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000509000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000519000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: Item$MessageSend$Text$H_prolog3_$EnableWindow$CreateFontIndirectObject_memsetlstrcpy
                                            • String ID: @/L$@/L$DisplayName$InstallLocation$SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
                                            • API String ID: 4221600495-3072867973
                                            • Opcode ID: 354406124cb9a5c9d95d4ae64111fc13f7b778ccbe7f253f7368d6bc83fef5e8
                                            • Instruction ID: f4065dad9136cee450ccfd26a1c38904ffa9fa8b9581f805fbc6e3bc669e9b24
                                            • Opcode Fuzzy Hash: 354406124cb9a5c9d95d4ae64111fc13f7b778ccbe7f253f7368d6bc83fef5e8
                                            • Instruction Fuzzy Hash: E2024E70A00204DFEB14EB64CD56FA9B7B4EF04704F0441AEF50AAB2A2DBB4EA44CF55
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 0042E2B4
                                            • SendMessageW.USER32(?,0000000C,00000000,ISPREREQDIR), ref: 0042E368
                                            • SendMessageW.USER32(?,0000000C,00000000,?), ref: 0042E389
                                            • SendMessageW.USER32(?,00000111,00000008,00000000), ref: 0042E39A
                                            • SendMessageW.USER32(?,0000000C,00000000,?), ref: 0042E3B8
                                            • SendMessageW.USER32(?,00000111,00000007,00000000), ref: 0042E3C9
                                            • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0042E3D7
                                            • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0042E406
                                              • Part of subcall function 004053A0: GetLastError.KERNEL32(2E932D87,?,?,?,?,004AC278,000000FF), ref: 004053E2
                                              • Part of subcall function 004053A0: SetLastError.KERNEL32(?,00000000,00000000,000000FF,?,?,?,?,004AC278,000000FF), ref: 0040543E
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2441700723.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441790678.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441825034.00000000004D7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.00000000004DC000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000509000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000519000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: MessageSend$ErrorLast$H_prolog3_
                                            • String ID: ISPREREQDIR$P/L$P/L$P/L$P/L$P/L$P/L$T4L$T4L$T4L$T4L$T4L$[ISPREREQDIR]$[ProductLanguage]$[SETUPEXEDIR]$[SETUPEXENAME]
                                            • API String ID: 860943175-2351489034
                                            • Opcode ID: f829a352067c94b8d2136d2da42c29586a9d3a204320ed353cdc83418de33877
                                            • Instruction ID: 79434aba791d9d0bd5f5de81912bae10fd3ddc51b5e82914d9b94aa6d9080963
                                            • Opcode Fuzzy Hash: f829a352067c94b8d2136d2da42c29586a9d3a204320ed353cdc83418de33877
                                            • Instruction Fuzzy Hash: 8AA15E75900218EEDB15DB91CD41BDEBBB8AF18304F0440AEF50977182DBB86A48DF69
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                              • Part of subcall function 0042B1C8: __EH_prolog3.LIBCMT ref: 0042B1CF
                                              • Part of subcall function 0042B1C8: GetCurrentDirectoryW.KERNEL32(00000104,00000000,?,00000105,00000014,0042D5E6,00000008,?,00000001), ref: 0042B21F
                                              • Part of subcall function 0042B1C8: SetCurrentDirectoryW.KERNEL32(@/L), ref: 0042B23D
                                            • _memset.LIBCMT ref: 0042D5FB
                                              • Part of subcall function 0042C627: __EH_prolog3_GS.LIBCMT ref: 0042C62E
                                              • Part of subcall function 0042C627: SetWindowTextW.USER32(00000000,?), ref: 0042C705
                                              • Part of subcall function 00401AC0: GetLastError.KERNEL32(?,?,0040E566), ref: 00401ACF
                                              • Part of subcall function 00401AC0: SysFreeString.OLEAUT32(?), ref: 00401AEB
                                              • Part of subcall function 00401AC0: SysFreeString.OLEAUT32(?), ref: 00401AF6
                                              • Part of subcall function 00401AC0: SetLastError.KERNEL32(?), ref: 00401B14
                                              • Part of subcall function 00403FB0: GetLastError.KERNEL32(2E932D87,?,?,?,?,?,004AC2D8,000000FF), ref: 00403FF3
                                              • Part of subcall function 00403FB0: SetLastError.KERNEL32(?,004C2D7C,00000000,?,?,?,?,?,004AC2D8,000000FF), ref: 00404068
                                              • Part of subcall function 00402CE0: GetLastError.KERNEL32(2E932D87,?,00000000,74DEDFA0,?,?,004AC418,000000FF,T4L,00401EE2,InstallShield.log,?), ref: 00402D30
                                              • Part of subcall function 00402CE0: SetLastError.KERNEL32(?,004C2D7C,00000000,?,00000000,74DEDFA0,?,?,004AC418,000000FF,T4L,00401EE2,InstallShield.log,?), ref: 00402DA8
                                            • ShellExecuteExW.SHELL32(?), ref: 0042D883
                                            • MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000004FF), ref: 0042D8E5
                                            • PeekMessageW.USER32(?,00000000,00000113,00000113,00000001), ref: 0042D900
                                            • PeekMessageW.USER32(?,00000000,00000000,00000000,04270001), ref: 0042D916
                                            • TranslateMessage.USER32(?), ref: 0042D924
                                            • DispatchMessageW.USER32(?), ref: 0042D92E
                                            • WaitForSingleObject.KERNEL32(00000000,00000000), ref: 0042D93B
                                            • GetExitCodeProcess.KERNEL32(00000000,?), ref: 0042D954
                                            • CloseHandle.KERNEL32(00000000), ref: 0042D960
                                            • GetLastError.KERNEL32 ref: 0042D9A8
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2441700723.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441790678.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441825034.00000000004D7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.00000000004DC000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000509000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000519000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: ErrorLast$Message$CurrentDirectoryFreePeekStringWait$CloseCodeDispatchExecuteExitH_prolog3H_prolog3_HandleMultipleObjectObjectsProcessShellSingleTextTranslateWindow_memset
                                            • String ID: ..\..\Shared\Setup\SetupPreRequisite.cpp$<$Could not launch prerequisite, last error: %d, ShellExecute: %d$Creating new process for prerequisite, launching command line %s [%s] %s$Launching: $LJ$No process created by successful prerequisite launch$P/L$P/L$P/LP/L$Prerequisite process exited with return code %d$T4L$?
                                            • API String ID: 2605968414-436948734
                                            • Opcode ID: e71a3f2d2a089c766f84c1fd2eb14a0511c08aa2de0e75c7102c2c15218af3f4
                                            • Instruction ID: c9bc824b41885e786c5c4dc4d682975b70ef9eaa1a67df954e4f72b307bcb23a
                                            • Opcode Fuzzy Hash: e71a3f2d2a089c766f84c1fd2eb14a0511c08aa2de0e75c7102c2c15218af3f4
                                            • Instruction Fuzzy Hash: C6C17F71A00168EEDB10DBA2DD45FDEB7BCAF15304F5040AFA50AB2181DB786B49CF69
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • _memset.LIBCMT ref: 0048920D
                                            • GetWindowRect.USER32(?,?), ref: 0048921D
                                            • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 00489230
                                            • GetWindowTextW.USER32(?,?,000000A0), ref: 00489251
                                            • SetWindowTextW.USER32(?,004C2D7C), ref: 0048926C
                                            • GetWindowLongW.USER32(?,000000F0), ref: 0048927B
                                            • GetWindowLongW.USER32(?,000000EC), ref: 00489287
                                            • GetModuleHandleW.KERNEL32(00000000,00000000), ref: 0048928F
                                            • CreateWindowExW.USER32(00000000,STATIC,00000000,00000000,0000000A,?,0000000A,?,?,000000FF,00000000), ref: 004892D7
                                            • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 004892FB
                                            • SendMessageW.USER32(00000000,00000030,00000000,00000001), ref: 00489309
                                            • SetWindowLongW.USER32(00000000,000000FC,0048B5D0), ref: 00489313
                                            • SetPropW.USER32(00000000,PROP_STAT_PSKIN,?), ref: 0048932D
                                            • SetPropW.USER32(00000000,PROP_STAT_OLDPROC,00000000), ref: 00489336
                                            • GetDC.USER32(00000000), ref: 00489339
                                            • SelectObject.GDI32(00000000,?), ref: 0048935C
                                            • lstrlenW.KERNEL32(00000000,?), ref: 00489370
                                            • GetTextExtentPoint32W.GDI32(00000000,00000000,00000000), ref: 0048937F
                                            • ReleaseDC.USER32(00000000,00000000), ref: 00489387
                                            • SetWindowPos.USER32(00000000,?,0000000A,?,00000000,00000000,00000002), ref: 004893B0
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2441700723.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441790678.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441825034.00000000004D7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.00000000004DC000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000509000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000519000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: Window$LongText$MessagePropSend$CreateExtentHandleModuleObjectPoint32PointsRectReleaseSelect_memsetlstrlen
                                            • String ID: PROP_STAT_OLDPROC$PROP_STAT_PSKIN$STATIC
                                            • API String ID: 2762062944-2065393330
                                            • Opcode ID: bf93ef031eaad974e9cead7c19c87a383d5c3986f2365f2943bb7513e27f3eef
                                            • Instruction ID: 554e64f90a53f570123fbcd2b9e0d893343d00fca2cdb48856f930deabf8fc29
                                            • Opcode Fuzzy Hash: bf93ef031eaad974e9cead7c19c87a383d5c3986f2365f2943bb7513e27f3eef
                                            • Instruction Fuzzy Hash: 77518F71901228BFDB209BA5DC48F9A7B7DEB0A310F0001A5F619A7191DB745E80CF69
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetLastError.KERNEL32 ref: 004046A7
                                            • SetLastError.KERNEL32(T4L,00000000,00000000,000000FF), ref: 0040470A
                                            • GetLastError.KERNEL32(00000000,00000000,000000FF,?,00000000,?,?), ref: 00404792
                                            • SysFreeString.OLEAUT32(?), ref: 004047AC
                                            • SysFreeString.OLEAUT32(?), ref: 004047BC
                                            • SetLastError.KERNEL32(?), ref: 004047E6
                                            • GetLastError.KERNEL32 ref: 00404801
                                            • SysFreeString.OLEAUT32(?), ref: 00404815
                                            • SysFreeString.OLEAUT32(?), ref: 00404822
                                            • SetLastError.KERNEL32(?), ref: 00404846
                                              • Part of subcall function 00404580: GetLastError.KERNEL32(2E932D87,?,?,?,00000000,004ACAC8,000000FF,T4L,004050D6,00000000,00000001,000000FF), ref: 004045BE
                                              • Part of subcall function 00404580: SetLastError.KERNEL32(?,00000000,00000000,00000000), ref: 0040461A
                                            • GetLastError.KERNEL32(?,?,000000FF,?,00000001,00000000), ref: 00404885
                                            • SysFreeString.OLEAUT32(?), ref: 00404899
                                            • SysFreeString.OLEAUT32(?), ref: 004048A6
                                            • SetLastError.KERNEL32(?), ref: 004048CA
                                            • GetLastError.KERNEL32 ref: 004048DD
                                            • SysFreeString.OLEAUT32(?), ref: 004048F1
                                            • SysFreeString.OLEAUT32(?), ref: 004048FE
                                            • SetLastError.KERNEL32(?), ref: 00404922
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2441700723.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441790678.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441825034.00000000004D7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.00000000004DC000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000509000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000519000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: ErrorLast$FreeString
                                            • String ID: P/L$T4L$T4L$T4L
                                            • API String ID: 2425351278-1200131689
                                            • Opcode ID: e21d52ea6584db1b08c492c2dc4f3a2eef207e403f46286ccb6dab0482927bdd
                                            • Instruction ID: cde076b80f0a8efed71b4ffcd14bd0697ccf1f34df26b5c4eb0a563b8905cb2f
                                            • Opcode Fuzzy Hash: e21d52ea6584db1b08c492c2dc4f3a2eef207e403f46286ccb6dab0482927bdd
                                            • Instruction Fuzzy Hash: CF9125711083809FD720DF29C845B5BBBE5BF89318F104A2DF599972A1D776E818CF46
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 0043A841
                                            • _memset.LIBCMT ref: 0043A866
                                            • SHGetSpecialFolderLocation.SHELL32(00000000,@/L,?,?,00000000,00000000), ref: 0043A884
                                            • SHGetPathFromIDListW.SHELL32(?,?), ref: 0043A8A2
                                            • SHGetMalloc.SHELL32(?), ref: 0043A8AF
                                              • Part of subcall function 0043C3A2: __EH_prolog3_GS.LIBCMT ref: 0043C3AC
                                              • Part of subcall function 0043C3A2: _memset.LIBCMT ref: 0043C3D2
                                              • Part of subcall function 0043C3A2: RegOpenKeyW.ADVAPI32(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion,?), ref: 0043C3F4
                                              • Part of subcall function 0043C3A2: RegQueryValueExW.ADVAPI32(?,CommonFilesDir,00000000,00000000,?,?), ref: 0043C433
                                              • Part of subcall function 0043BFDB: GetFileAttributesW.KERNEL32(dJ,0043A941,?,?,00000000), ref: 0043BFE7
                                            • GetVersion.KERNEL32(?,?,00000000), ref: 0043ABF6
                                            • GetVersion.KERNEL32(?,?,00000000), ref: 0043AD7E
                                            • GetVersion.KERNEL32(00000000,?,00000000,?), ref: 0043AE65
                                              • Part of subcall function 0040B51F: __EH_prolog3_GS.LIBCMT ref: 0040B529
                                              • Part of subcall function 0040B51F: GetModuleHandleW.KERNEL32(KERNEL32.DLL,00000274,0043AD95,?,00000000), ref: 0040B54C
                                              • Part of subcall function 0040B51F: GetProcAddress.KERNEL32(00000000,GetSystemWindowsDirectoryW), ref: 0040B560
                                              • Part of subcall function 00401B80: GetLastError.KERNEL32(?,00000000,00409F66,00000000,?,00000000,?,00000001,00000048,00409E02,004C2FA0,?,00000000,00000000,0000003C,00409181), ref: 00401B8F
                                              • Part of subcall function 00401B80: SysFreeString.OLEAUT32(00000000), ref: 00401BAB
                                              • Part of subcall function 00401B80: SysFreeString.OLEAUT32(0000002C), ref: 00401BB6
                                              • Part of subcall function 00401B80: SetLastError.KERNEL32(?), ref: 00401BD4
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2441700723.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441790678.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441825034.00000000004D7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.00000000004DC000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000509000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000519000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: H_prolog3_Version$ErrorFreeLastString_memset$AddressAttributesFileFolderFromHandleListLocationMallocModuleOpenPathProcQuerySpecialValue
                                            • String ID: @/L$All Users\$Application Data\$Common Files\$Fonts$My Documents\$Personal\$Program Files$dJ$dJ$lJ$lJ$lJ
                                            • API String ID: 1011625025-502265293
                                            • Opcode ID: bb567733174fa146f7a2f1d0015a72dbf4725a5a39518295a1f3e59c255c448d
                                            • Instruction ID: bf6d20eef09fdc84e89b69ed726bbf1ce7202a806fd1a8f855702ac999b10b21
                                            • Opcode Fuzzy Hash: bb567733174fa146f7a2f1d0015a72dbf4725a5a39518295a1f3e59c255c448d
                                            • Instruction Fuzzy Hash: 16028D718442589ADB25EB61CC59BDEB7B8AF18304F1401DFE14A63192DF386B88CF1A
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetLastError.KERNEL32 ref: 00404C5F
                                            • SetLastError.KERNEL32(T4L), ref: 00404C97
                                            • GetLastError.KERNEL32(00000000,00000000,000000FF,00000007,00000000,00000000,T4L,00000002,00000001), ref: 00404D70
                                            • SysFreeString.OLEAUT32(?), ref: 00404D88
                                            • SysFreeString.OLEAUT32(?), ref: 00404D95
                                            • SetLastError.KERNEL32(?), ref: 00404DBF
                                            • GetLastError.KERNEL32(?), ref: 00404E54
                                            • SysFreeString.OLEAUT32(?), ref: 00404E6C
                                            • SysFreeString.OLEAUT32(?), ref: 00404E79
                                            • SetLastError.KERNEL32(?), ref: 00404E9D
                                            • GetLastError.KERNEL32 ref: 00404EB0
                                            • SetLastError.KERNEL32(?,00000000,00000000,000000FF), ref: 00404F03
                                            • GetLastError.KERNEL32 ref: 00404F12
                                            • SysFreeString.OLEAUT32(?), ref: 00404F2A
                                            • SysFreeString.OLEAUT32(?), ref: 00404F37
                                            • SetLastError.KERNEL32(?), ref: 00404F5B
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2441700723.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441790678.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441825034.00000000004D7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.00000000004DC000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000509000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000519000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: ErrorLast$FreeString
                                            • String ID: P/L$T4L$T4L$T4L$\
                                            • API String ID: 2425351278-1825822663
                                            • Opcode ID: 4659591ec9c173596597a223606b4cff03fb49f5437a1000925287c0d0ce57ef
                                            • Instruction ID: aa9b36dd0ea5038fb1f37e920e4466eefaced8f4359d97b31f3457d675e79404
                                            • Opcode Fuzzy Hash: 4659591ec9c173596597a223606b4cff03fb49f5437a1000925287c0d0ce57ef
                                            • Instruction Fuzzy Hash: FEA15BB1108340DFD710DF24C985B5BBBE4BF88318F10492EF999972A1D779E948CB9A
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetLastError.KERNEL32(2E932D87), ref: 00401D5B
                                            • SetLastError.KERNEL32(T4L), ref: 00401D91
                                            • GetLastError.KERNEL32(?,00000104), ref: 00401E08
                                            • SetLastError.KERNEL32(004C3454), ref: 00401E38
                                            • GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,?,00000104), ref: 00401E6A
                                              • Part of subcall function 00402CE0: GetLastError.KERNEL32(2E932D87,?,00000000,74DEDFA0,?,?,004AC418,000000FF,T4L,00401EE2,InstallShield.log,?), ref: 00402D30
                                              • Part of subcall function 00402CE0: SetLastError.KERNEL32(?,004C2D7C,00000000,?,00000000,74DEDFA0,?,?,004AC418,000000FF,T4L,00401EE2,InstallShield.log,?), ref: 00402DA8
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2441700723.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441790678.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441825034.00000000004D7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.00000000004DC000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000509000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000519000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: ErrorLast$FileModuleName
                                            • String ID: InstallShield.log$P/L$P/L$SOFTWARE\InstallShield\22.0\Professional$T4L$T4L$VerboseLogPath
                                            • API String ID: 1026760046-777573538
                                            • Opcode ID: 1d6d3eb3d8f6c7f78560d07c1a3589e2c246a6b27d59768c343c7773800a5df6
                                            • Instruction ID: a826d0a235e98ca63236490f962bccbb2077009cf1f65bafaa1f07d6c467c3ca
                                            • Opcode Fuzzy Hash: 1d6d3eb3d8f6c7f78560d07c1a3589e2c246a6b27d59768c343c7773800a5df6
                                            • Instruction Fuzzy Hash: B8914671900258DFDB10DFA4CC45BDDBBB4BF08308F1041AAE905B72A2DBB86A48CF59
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 004121B1
                                            • GetVersionExW.KERNEL32 ref: 004121DF
                                              • Part of subcall function 00401AC0: GetLastError.KERNEL32(?,?,0040E566), ref: 00401ACF
                                              • Part of subcall function 00401AC0: SysFreeString.OLEAUT32(?), ref: 00401AEB
                                              • Part of subcall function 00401AC0: SysFreeString.OLEAUT32(?), ref: 00401AF6
                                              • Part of subcall function 00401AC0: SetLastError.KERNEL32(?), ref: 00401B14
                                            • SendMessageW.USER32(00000000,00000111,-00000003,00000000), ref: 00412370
                                              • Part of subcall function 0041075B: __EH_prolog3_GS.LIBCMT ref: 00410762
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2441700723.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441790678.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441825034.00000000004D7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.00000000004DC000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000509000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000519000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: ErrorFreeH_prolog3_LastString$MessageSendVersion
                                            • String ID: ..\..\Shared\Setup\IsPreReqDlg.cpp$P/L$P/L$StartStopProgress - Embedded$StartStopProgress - Embedded Looping$StartStopProgress - Fallback - %d of %d$T4L$T4L$J
                                            • API String ID: 769765983-1904212388
                                            • Opcode ID: ec59afcb61641f62f463e10475dff29df5807bc78ad57a7ce08a595ed43e0f88
                                            • Instruction ID: fbceac630cb4103d327e9a4c239ca0b8bf1133a04f97d0e8b8a959c252da8487
                                            • Opcode Fuzzy Hash: ec59afcb61641f62f463e10475dff29df5807bc78ad57a7ce08a595ed43e0f88
                                            • Instruction Fuzzy Hash: 3F81E270900214AFDB25DB61CD46FEEBBB8AB05314F14806FF516E62D1CBB85A89CB1D
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetPropW.USER32(?,PROP_PSKIN), ref: 00488F37
                                            • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00488F62
                                            • CopyRect.USER32(?,?), ref: 00488F75
                                            • GetWindowDC.USER32(?), ref: 00488F87
                                            • SaveDC.GDI32(00000000), ref: 00488F91
                                            • SelectObject.GDI32(?,00000000), ref: 00488FA1
                                            • SetBkMode.GDI32(?,00000001), ref: 00488FAC
                                            • _memset.LIBCMT ref: 00488FC8
                                            • GetWindowTextW.USER32(?,?,00000400), ref: 00488FDF
                                            • SetTextColor.GDI32(?,?), ref: 0048908F
                                            • lstrlenW.KERNEL32(?,?,00000025,?,?,?), ref: 004890A5
                                            • DrawTextW.USER32(?,?,00000000,?,?), ref: 004890B2
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2441700723.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441790678.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441825034.00000000004D7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.00000000004DC000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000509000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000519000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: Text$Window$ColorCopyDrawMessageModeObjectPropRectSaveSelectSend_memsetlstrlen
                                            • String ID: PROP_PSKIN
                                            • API String ID: 4252396310-87134567
                                            • Opcode ID: 7b86111057095eec148e7ec5289d20ac218a723cb6ab76f13d62882ec73e630e
                                            • Instruction ID: cb2e39630f42b20d055d4f040fc1d11ba7b46237cdc587037aa14d23a8e36253
                                            • Opcode Fuzzy Hash: 7b86111057095eec148e7ec5289d20ac218a723cb6ab76f13d62882ec73e630e
                                            • Instruction Fuzzy Hash: 3D719F71900618EFCB109FA5DC49BAABBF8FF09304F0485A9E94593190DB35AD95CFD4
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • _memset.LIBCMT ref: 004089E6
                                            • lstrcpyW.KERNEL32(?,?), ref: 004089F6
                                            • CoCreateGuid.OLE32(?), ref: 00408A0B
                                            • wsprintfW.USER32 ref: 00408A63
                                            • _memset.LIBCMT ref: 00408A7C
                                            • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00408AAA
                                            • WaitForInputIdle.USER32(?,00004E20), ref: 00408AC9
                                            • CloseHandle.KERNEL32(?), ref: 00408ADB
                                            • CloseHandle.KERNEL32(?), ref: 00408AE3
                                            • CreateItemMoniker.OLE32(004AE788,?,00000000), ref: 00408B1E
                                            • Sleep.KERNEL32(0000012C), ref: 00408B2F
                                            • GetRunningObjectTable.OLE32(00000000,00000000), ref: 00408B43
                                            • Sleep.KERNEL32(0000012C), ref: 00408B73
                                            • SysFreeString.OLEAUT32(?), ref: 00408BD6
                                            • SysFreeString.OLEAUT32(?), ref: 00408BDE
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2441700723.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441790678.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441825034.00000000004D7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.00000000004DC000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000509000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000519000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: Create$CloseFreeHandleSleepString_memset$GuidIdleInputItemMonikerObjectProcessRunningTableWaitlstrcpywsprintf
                                            • String ID: %s %s:%s$D
                                            • API String ID: 1856294533-3221625341
                                            • Opcode ID: caa98a643aa1c9f07a7de46df3d2a173a0f0c0a318de980771262210bcc06cb9
                                            • Instruction ID: 6d2a3535a564949f3a27c88a7dc45fa473a966758db7ff26171fb717b92680c0
                                            • Opcode Fuzzy Hash: caa98a643aa1c9f07a7de46df3d2a173a0f0c0a318de980771262210bcc06cb9
                                            • Instruction Fuzzy Hash: 9F615E72900129ABCF20DB61CD44B9A77F9BF48315F0480EAE989A7251DF35AE85CFD4
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 0043076C
                                              • Part of subcall function 0042F17A: RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,00000001), ref: 0042F1FA
                                              • Part of subcall function 0042F0B4: RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,00000001,?,?,00000001,004AFFB4,00000008,?,00000001), ref: 0042F0ED
                                              • Part of subcall function 00403F50: GetLastError.KERNEL32 ref: 00403F6F
                                              • Part of subcall function 00403F50: SetLastError.KERNEL32(?), ref: 00403F9F
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2441700723.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441790678.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441825034.00000000004D7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.00000000004DC000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000509000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000519000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: ErrorLastValue$EnumH_prolog3_Query
                                            • String ID: FileRenameOperations$P/L$PendingFileRenameOperations$Reboot required - %s key added$RunOnce$RunOnceEx$SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce$SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx$SYSTEM\CurrentControlSet\Control\Session Manager$SYSTEM\CurrentControlSet\Control\Session Manager\FileRenameOperations$T4L$T4L$Wininit.ini rename$[WindowsFolder]Wininit.ini$rename
                                            • API String ID: 3169893437-3071006280
                                            • Opcode ID: 00ac6a287fb0775836a4a836d2bf89853549e207758ae03f023f9276af7890cf
                                            • Instruction ID: ed5429d839554e5b15bb60490259541da5dbb0ef2b890cefcf450b3e0e9fcbec
                                            • Opcode Fuzzy Hash: 00ac6a287fb0775836a4a836d2bf89853549e207758ae03f023f9276af7890cf
                                            • Instruction Fuzzy Hash: EC21A970B40205EACB18FAA5C992BEDB3B8BF54704F54152BE505B7183C7FC5C0686AD
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 0041D8BC
                                              • Part of subcall function 0040A206: __EH_prolog3_GS.LIBCMT ref: 0040A210
                                              • Part of subcall function 00401B80: GetLastError.KERNEL32(?,00000000,00409F66,00000000,?,00000000,?,00000001,00000048,00409E02,004C2FA0,?,00000000,00000000,0000003C,00409181), ref: 00401B8F
                                              • Part of subcall function 00401B80: SysFreeString.OLEAUT32(00000000), ref: 00401BAB
                                              • Part of subcall function 00401B80: SysFreeString.OLEAUT32(0000002C), ref: 00401BB6
                                              • Part of subcall function 00401B80: SetLastError.KERNEL32(?), ref: 00401BD4
                                              • Part of subcall function 004160F7: __EH_prolog3.LIBCMT ref: 004160FE
                                              • Part of subcall function 00404200: GetLastError.KERNEL32 ref: 0040421F
                                              • Part of subcall function 00404200: SetLastError.KERNEL32(?), ref: 0040424F
                                              • Part of subcall function 0040A0F0: SysStringLen.OLEAUT32(?), ref: 0040A0FD
                                              • Part of subcall function 0040A0F0: SysReAllocStringLen.OLEAUT32(?,00000001,?), ref: 0040A117
                                              • Part of subcall function 0041AE03: __EH_prolog3_GS.LIBCMT ref: 0041AE0D
                                              • Part of subcall function 0041AE03: SysStringLen.OLEAUT32(?), ref: 0041AF0D
                                              • Part of subcall function 0041AE03: SysFreeString.OLEAUT32(?), ref: 0041AF18
                                              • Part of subcall function 0041AE03: SysFreeString.OLEAUT32(?), ref: 0041AF53
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2441700723.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441790678.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441825034.00000000004D7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.00000000004DC000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000509000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000519000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: String$ErrorFreeLast$H_prolog3_$AllocH_prolog3
                                            • String ID: @/L$@/L$IS_OriginalLauncher:$IS_temp$auto$delayedstart:$extract_all:$installfromweb:$media_path:$no_engine$runfromtemp$tempdisk1folder:$|-L$|-L
                                            • API String ID: 126701897-1698992500
                                            • Opcode ID: fb06f9c35445f785ee054ad8a290ba95409f0049d4a28f277c84a0b6636a9f04
                                            • Instruction ID: 4d0e82a3e1fc830d835c838a24e5cf109e40e4a2356c89bde4cad9fd60ae6b00
                                            • Opcode Fuzzy Hash: fb06f9c35445f785ee054ad8a290ba95409f0049d4a28f277c84a0b6636a9f04
                                            • Instruction Fuzzy Hash: C3E1B170A04258AECB25EB61CC51BDEBB74AF11308F0441EEF146371D2DBB95E89CB69
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 0041D238
                                            • _memmove.LIBCMT ref: 0041D31E
                                            • lstrcpyW.KERNEL32(?,-00000004), ref: 0041D358
                                            • __setjmp3.LIBCMT ref: 0041D379
                                              • Part of subcall function 0040E057: __EH_prolog3_GS.LIBCMT ref: 0040E061
                                              • Part of subcall function 0041A199: __EH_prolog3_GS.LIBCMT ref: 0041A1A0
                                              • Part of subcall function 0040A0F0: SysStringLen.OLEAUT32(?), ref: 0040A0FD
                                              • Part of subcall function 0040A0F0: SysReAllocStringLen.OLEAUT32(?,00000001,?), ref: 0040A117
                                              • Part of subcall function 00418CDA: _longjmp.LIBCMT ref: 00418D00
                                              • Part of subcall function 00401B80: GetLastError.KERNEL32(?,00000000,00409F66,00000000,?,00000000,?,00000001,00000048,00409E02,004C2FA0,?,00000000,00000000,0000003C,00409181), ref: 00401B8F
                                              • Part of subcall function 00401B80: SysFreeString.OLEAUT32(00000000), ref: 00401BAB
                                              • Part of subcall function 00401B80: SysFreeString.OLEAUT32(0000002C), ref: 00401BB6
                                              • Part of subcall function 00401B80: SetLastError.KERNEL32(?), ref: 00401BD4
                                            • _memmove.LIBCMT ref: 0041D751
                                            Strings
                                            Similarity
                                            • API ID: String$H_prolog3_$ErrorFreeLast_memmove$Alloc__setjmp3_longjmplstrcpy
                                            • String ID: @/L$Failure$HeaderPathFile=%sUser=%sPassword=%sProxyUser=%sProxyPassword=%s$ISSetupDLLOp$OpenCABBegin$OpenCABEnd$Result=%sError=0x%08lxHeaderPathFile=%sUser=%sPassword=%sProxyUser=%sProxyPassword=%s$Result=%sHeaderPathFile=%sUser=%sPassword=%sProxyUser=%sProxyPassword=%s$Success$setup.cpp
                                            • API String ID: 4289572177-3023734520
                                            • Opcode ID: 2c0b02372d2e7b4a0f49aad5c5bbce9b0dfe81279bee21d0e97e0301e172cf40
                                            • Instruction ID: 033641801d150d44d134599509e2117a10eddff37f33a6f588b1976842b4bc5d
                                            • Opcode Fuzzy Hash: 2c0b02372d2e7b4a0f49aad5c5bbce9b0dfe81279bee21d0e97e0301e172cf40
                                            • Instruction Fuzzy Hash: D1F15070901218DFDB14EF65C999BDAB7B9EF45304F0000EEE509AB292DB78AB84CF55
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                              • Part of subcall function 00403F50: GetLastError.KERNEL32 ref: 00403F6F
                                              • Part of subcall function 00403F50: SetLastError.KERNEL32(?), ref: 00403F9F
                                              • Part of subcall function 00411934: __EH_prolog3_GS.LIBCMT ref: 0041193E
                                            • GetModuleFileNameW.KERNEL32(00000000,?,00000400,000000FF), ref: 00410A1A
                                              • Part of subcall function 00404200: GetLastError.KERNEL32 ref: 0040421F
                                              • Part of subcall function 00404200: SetLastError.KERNEL32(?), ref: 0040424F
                                              • Part of subcall function 0040E23E: __EH_prolog3_GS.LIBCMT ref: 0040E245
                                              • Part of subcall function 0040E1C1: __EH_prolog3_GS.LIBCMT ref: 0040E1C8
                                            • _memset.LIBCMT ref: 00410BA6
                                            • ShellExecuteExW.SHELL32(?), ref: 00410C27
                                            • WaitForInputIdle.USER32(?,00002710), ref: 00410C3C
                                            • ShowWindow.USER32(00000000,00000000), ref: 00410C4E
                                              • Part of subcall function 00411846: __EH_prolog3_GS.LIBCMT ref: 00411850
                                              • Part of subcall function 00411846: IsWindow.USER32(?), ref: 0041186C
                                              • Part of subcall function 00411846: SendMessageW.USER32(?,00001074,?,?), ref: 00411911
                                              • Part of subcall function 00411846: SendMessageW.USER32(?,0000101E,00000000,000000FE), ref: 0041191C
                                            • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00410C5C
                                            • GetExitCodeProcess.KERNEL32(?,?), ref: 00410C6F
                                            • CloseHandle.KERNEL32(?), ref: 00410C7B
                                            Strings
                                            Similarity
                                            • API ID: ErrorH_prolog3_Last$MessageSendWaitWindow$CloseCodeExecuteExitFileHandleIdleInputModuleNameObjectProcessShellShowSingle_memset
                                            • String ID: /debuglog"$ /runprerequisites"$@/L$P/L$Prerequisites need elevation; launching elevated with arguments: %s$T4L$J
                                            • API String ID: 2857916795-3942929204
                                            • Opcode ID: 7722a622becdbd17bd668536b255e5f1746b33eb76e55b6c629e475fcf2192e1
                                            • Instruction ID: bfd18bfaadf6a67000669331278259af1ee67e682f1695489e365acfe78be12f
                                            • Opcode Fuzzy Hash: 7722a622becdbd17bd668536b255e5f1746b33eb76e55b6c629e475fcf2192e1
                                            • Instruction Fuzzy Hash: 94B17E71901259EFDB20EB65CC45BCAB7B8BF04304F0081EAE549B7192DB74AB84CF98
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00499CDA
                                            • ReadFile.KERNEL32(00000000,?,00000004,?,00000000), ref: 00499D18
                                            • ReadFile.KERNEL32(00000000,?,0000000C,00000004,00000000), ref: 00499D5B
                                            • ReadFile.KERNEL32(00000000,?,00000004,0000000C,00000000), ref: 00499D85
                                            • GlobalAlloc.KERNEL32(00000042,00000408), ref: 00499DA4
                                            • GlobalLock.KERNEL32(00000000), ref: 00499DB1
                                            • ReadFile.KERNEL32(00000000,00000000,00000004,00000004,00000000), ref: 00499DC6
                                            • ReadFile.KERNEL32(00000000,00000004,?,00000004,00000000), ref: 00499DF8
                                            Strings
                                            Similarity
                                            • API ID: File$Read$Global$AllocCreateLock
                                            • String ID: RIFF
                                            • API String ID: 3955436798-110600796
                                            • Opcode ID: 35ef50a9a3d2bb9f6a957f20a0b1166f03cdfddc88815c73f1f07a234f9a26a1
                                            • Instruction ID: 1d04d0dfda4a2410dd206582d648e19fd6c8b20c30a9597cdfe0bf6b6187c96f
                                            • Opcode Fuzzy Hash: 35ef50a9a3d2bb9f6a957f20a0b1166f03cdfddc88815c73f1f07a234f9a26a1
                                            • Instruction Fuzzy Hash: FE61887160011CABEF24DB65DC46FEA77ACDB19714F0041BAEA09D61C0DBB49E84CFA5
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Strings
                                            Similarity
                                            • API ID: Module$FileFreeHandleLibraryLoadNameString_memset_wcschr_wcsrchrlstrcpylstrlenwsprintf
                                            • String ID: %s\%s$..\..\..\inc\CoCreate.cpp$DllGetClassObject$x4K
                                            • API String ID: 836880797-3589990351
                                            • Opcode ID: 62448f792ccd6f6464d93e8e352c8bc92f98070b702b0d51859baf54152be34a
                                            • Instruction ID: 816578f38f4b4d2644b821f4f19a0e6ae83ca2fdd092241f6fd384f9e14ada88
                                            • Opcode Fuzzy Hash: 62448f792ccd6f6464d93e8e352c8bc92f98070b702b0d51859baf54152be34a
                                            • Instruction Fuzzy Hash: C131C675901318ABDF20EBA1DC49EDA77BCEF19300F0045AAF915E3181EB789E448F69
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 00445433
                                              • Part of subcall function 00445309: GetVersionExW.KERNEL32(?,?,00000000), ref: 0044533B
                                            Strings
                                            Similarity
                                            • API ID: H_prolog3_Version
                                            • String ID: @/L$@/L$@/L$Windows 2000$Windows 7 / Server 2008 R2$Windows 8 / Server 2012$Windows 8.1 / Server 2012 R2$Windows 95$Windows 98$Windows Me$Windows NT 4.0$Windows Server 2003$Windows Vista / Server 2008$Windows XP
                                            • API String ID: 3152847492-3735908412
                                            • Opcode ID: 1cd9a6287cde444437cf7d9742eceb90f602e66114381f045e12fafac483c39e
                                            • Instruction ID: 89d619f7e0f2fec5d0ca7ad439ae17567f4ff9548112a3e4181b66542faee5d8
                                            • Opcode Fuzzy Hash: 1cd9a6287cde444437cf7d9742eceb90f602e66114381f045e12fafac483c39e
                                            • Instruction Fuzzy Hash: C021F672900B14F7FF14AA589845BFEB2259B04300F65412BF801772DAE6BC2E459B9F
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 00431917
                                            • SendMessageW.USER32(?,0000000C,00000000,?), ref: 004319B6
                                            • SendMessageW.USER32(?,00000111,00000011,00000000), ref: 00431AD8
                                            Similarity
                                            • API ID: MessageSend$H_prolog3_
                                            • String ID:
                                            • API String ID: 3491702567-0
                                            • Opcode ID: 3cbdbb80509f3dd07162f011f52de1cc26bba07a418bf6a61fbf048c2ab3a28c
                                            • Instruction ID: f29ec4940026f901c8c63d912fe719e0b599786281a900669bd12044710333b6
                                            • Opcode Fuzzy Hash: 3cbdbb80509f3dd07162f011f52de1cc26bba07a418bf6a61fbf048c2ab3a28c
                                            • Instruction Fuzzy Hash: 01E1F370A41219BFDB24EB51CC89BAABBB4FF0D301F14505BE506966A0D739AD80CF99
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • IsWindow.USER32(00000000), ref: 00411FF4
                                            • GetDlgItem.USER32(000003EC,?), ref: 00412020
                                            • GetWindowRect.USER32(00000000), ref: 00412029
                                            • GetDlgItem.USER32(0000012D), ref: 00412036
                                            • GetWindowRect.USER32(00000000,?), ref: 00412042
                                            • ScreenToClient.USER32(?), ref: 00412081
                                            • SetWindowPos.USER32(00000000,00000000,?,?,?,?,00000004), ref: 00412094
                                            • GetDlgItem.USER32(000003EB), ref: 004120A5
                                            • GetWindowRect.USER32(00000000,?), ref: 004120B2
                                            • GetWindowRect.USER32(?,?), ref: 004120CB
                                            • ScreenToClient.USER32(?), ref: 00412102
                                            • SetWindowPos.USER32(00000000,00000000,?,?,?,?,00000004), ref: 00412115
                                            • GetDlgItem.USER32(0000040B), ref: 00412126
                                            • GetWindowRect.USER32(00000000,?), ref: 0041213A
                                            • GetWindowRect.USER32(00000000,?), ref: 00412141
                                            • ScreenToClient.USER32(?), ref: 0041217D
                                            • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00412192
                                            Similarity
                                            • API ID: Window$Rect$Item$ClientScreen
                                            • String ID:
                                            • API String ID: 1521148189-0
                                            • Opcode ID: 03d8f41e63986f824cd9499d5980d3e3cc7b4f54c68830348ee8837366ffa1bd
                                            • Instruction ID: 3c1246fc33e8bfaa141091deeb84a48d6a8805fb812ee7279d1519111118527a
                                            • Opcode Fuzzy Hash: 03d8f41e63986f824cd9499d5980d3e3cc7b4f54c68830348ee8837366ffa1bd
                                            • Instruction Fuzzy Hash: 0C51D772D00218AFCF14DFE5DD48AAEBFB9FB49304F04416AFA11B7250DA75A905CB58
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 0042D052
                                              • Part of subcall function 00403F50: GetLastError.KERNEL32 ref: 00403F6F
                                              • Part of subcall function 00403F50: SetLastError.KERNEL32(?), ref: 00403F9F
                                            • RegQueryValueExW.ADVAPI32(?,?,00000000,?,?,00000004), ref: 0042D2B4
                                            Strings
                                            Similarity
                                            • API ID: ErrorLast$H_prolog3_QueryValue
                                            • String ID: $ $HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_DYN_DATA$HKEY_LOCAL_MACHINE$HKEY_PERFORMANCE_DATA$HKEY_USERS$P/L$T4L$|-L
                                            • API String ID: 2669483599-3843504692
                                            • Opcode ID: f06eae71abe48cfbbd86e421a7393177120c22bba0bcb7f614c21f1382e8ce41
                                            • Instruction ID: 760d87769cb27e9a3106f8434ad31bc11ce91334da186b466ba4f57283696265
                                            • Opcode Fuzzy Hash: f06eae71abe48cfbbd86e421a7393177120c22bba0bcb7f614c21f1382e8ce41
                                            • Instruction Fuzzy Hash: 3FD1A331E00229EEDF24EF54DC41BEEB374AF15304F54419AE80967251DB38AE85CF5A
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetClientRect.USER32(?,?), ref: 004993CC
                                            • MulDiv.KERNEL32(?,?,000186A0), ref: 004993F2
                                            • MulDiv.KERNEL32(?,?,000186A0), ref: 00499408
                                            • MulDiv.KERNEL32(?,?,000186A0), ref: 004995A4
                                            • MulDiv.KERNEL32(?,?,000186A0), ref: 004995B4
                                            • GdipCreateFromHDC.GDIPLUS(dtI,00000000,?,?,?,?,495D8068,?,495D8068,?,?,?,?,00497464,?), ref: 00499628
                                            • GdipSetInterpolationMode.GDIPLUS(00000000,00000007,dtI,00000000,?,?,?,?,495D8068,?,495D8068,?,?,?,?,00497464), ref: 00499636
                                            • GdipDrawImageRectI.GDIPLUS(?,00000000,?,004968FC,?,?,00000000,00000007,dtI,00000000,?,?,?,?,495D8068,?), ref: 00499653
                                            • GdipDeleteGraphics.GDIPLUS(?,?,00000000,?,004968FC,?,?,00000000,00000007,dtI,00000000,?,?,?,?,495D8068), ref: 00499659
                                            Strings
                                            Similarity
                                            • API ID: Gdip$Rect$ClientCreateDeleteDrawFromGraphicsImageInterpolationMode
                                            • String ID: dtI
                                            • API String ID: 2842912273-4107075368
                                            • Opcode ID: a1d50315728ef9d2e6159dfe1f894fbe1ebda8f4c066f3690cc7e651875e586c
                                            • Instruction ID: 735df29da3d41b5e84f5607b61dba7307d7bd735b7e6884b43e8b034cdb8b0ab
                                            • Opcode Fuzzy Hash: a1d50315728ef9d2e6159dfe1f894fbe1ebda8f4c066f3690cc7e651875e586c
                                            • Instruction Fuzzy Hash: D2A12572900219DFCF15CFA9C984AEEBFF5AF48300F19416AE904B7255D778AD41CBA8
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 0040C16D
                                              • Part of subcall function 00408F6D: __EH_prolog3.LIBCMT ref: 00408F74
                                              • Part of subcall function 00408F6D: GetLastError.KERNEL32(00000004,004091E9,00000000,?,00000000,00000000), ref: 00408F96
                                              • Part of subcall function 00408F6D: SetLastError.KERNEL32(?,00000000,?), ref: 00408FCF
                                              • Part of subcall function 0040B30D: __EH_prolog3_GS.LIBCMT ref: 0040B317
                                              • Part of subcall function 0040B30D: GetTempPathW.KERNEL32(00000104,?,000003C4,0040C1ED,004C2FA0,00000000,setup.log,?,00000000), ref: 0040B333
                                              • Part of subcall function 0040B30D: __CxxThrowException@8.LIBCMT ref: 0040B354
                                              • Part of subcall function 0040B30D: _memset.LIBCMT ref: 0040B366
                                              • Part of subcall function 0040B30D: GetVersionExW.KERNEL32(?), ref: 0040B37F
                                              • Part of subcall function 0040B30D: CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,?,00000000), ref: 0040B400
                                              • Part of subcall function 00408E82: __EH_prolog3.LIBCMT ref: 00408E89
                                              • Part of subcall function 00408E82: GetLastError.KERNEL32(00000004,00409E1B,004C2FA0,00000000,0043A706,?,?,00000001), ref: 00408EAB
                                              • Part of subcall function 00408E82: SetLastError.KERNEL32(?,00000000), ref: 00408EE3
                                              • Part of subcall function 0040B91E: __EH_prolog3_GS.LIBCMT ref: 0040B925
                                              • Part of subcall function 00401B80: GetLastError.KERNEL32(?,00000000,00409F66,00000000,?,00000000,?,00000001,00000048,00409E02,004C2FA0,?,00000000,00000000,0000003C,00409181), ref: 00401B8F
                                              • Part of subcall function 00401B80: SysFreeString.OLEAUT32(00000000), ref: 00401BAB
                                              • Part of subcall function 00401B80: SysFreeString.OLEAUT32(0000002C), ref: 00401BB6
                                              • Part of subcall function 00401B80: SetLastError.KERNEL32(?), ref: 00401BD4
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2441700723.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441790678.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441825034.00000000004D7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.00000000004DC000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000509000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000519000.00000002.00000001.01000000.00000003.sdmp
                                            Similarity
                                            • API ID: ErrorLast$H_prolog3_$FreeH_prolog3String$CreateException@8FilePathTempThrowVersion_memset
                                            • String ID: @/L$@/L$@/L$ErrorInfo$ExtendedError$File$InstallShield Silent$Log File$ResponseResult$ResultCode$Version$setup.log$v7.00
                                            • API String ID: 2783467436-2482715196
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetLastError.KERNEL32(?,?,2E932D87,?,?,?), ref: 0049042D
                                            • SetLastError.KERNEL32(004C2FA8,?,?,?), ref: 00490459
                                            • GetLastError.KERNEL32(?,?,?), ref: 00490470
                                            • SetLastError.KERNEL32(004C2FA8,?,?,?), ref: 004904A8
                                              • Part of subcall function 00401AC0: GetLastError.KERNEL32(?,?,0040E566), ref: 00401ACF
                                              • Part of subcall function 00401AC0: SysFreeString.OLEAUT32(?), ref: 00401AEB
                                              • Part of subcall function 00401AC0: SysFreeString.OLEAUT32(?), ref: 00401AF6
                                              • Part of subcall function 00401AC0: SetLastError.KERNEL32(?), ref: 00401B14
                                            Strings
                                            Similarity
                                            • API ID: ErrorLast$FreeString
                                            • String ID: -%04x$@/L$@/L$ALL$x/L$x/L$|-L
                                            • API String ID: 2425351278-1512846612
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 0041DDF5
                                            • _wcsstr.LIBCMT ref: 0041DE84
                                            • CharNextW.USER32(?,?,00000000,00000001,?,00000060,00420044,?,00000000), ref: 0041DE95
                                            • CharNextW.USER32(00000000,?,?,00000000,00000001,?,00000060,00420044,?,00000000), ref: 0041DE9A
                                            • CharNextW.USER32(00000000,?,?,00000000,00000001,?,00000060,00420044,?,00000000), ref: 0041DE9F
                                            • CharNextW.USER32(00000000,?,?,00000000,00000001,?,00000060,00420044,?,00000000), ref: 0041DEA4
                                            • CharNextW.USER32(00000000,}},?,00000000,00000001,?,00000060,00420044,?,00000000), ref: 0041DF4C
                                            • CharNextW.USER32(?,00000000), ref: 0041DFDA
                                            • CharNextW.USER32(?,00000000,00000001,?,00000060,00420044,?,00000000), ref: 0041DFEE
                                            • CoTaskMemFree.OLE32(?,00000060,00420044,?,00000000), ref: 0041E02C
                                            Strings
                                            Similarity
                                            • API ID: CharNext$FreeH_prolog3_Task_wcsstr
                                            • String ID: }}$HKCR$HKCU{Software{Classes
                                            • API String ID: 2086807494-1142484189
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Similarity
                                            • API ID: _free$__calloc_crt$___freetlocinfo___removelocaleref$Sleep__calloc_impl__copytlocinfo_nolock__setmbcp_nolock__wsetlocale_nolock
                                            • String ID:
                                            • API String ID: 2661855409-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 0043866D
                                              • Part of subcall function 00438520: __EH_prolog3_GS.LIBCMT ref: 0043852A
                                              • Part of subcall function 00438520: SendDlgItemMessageW.USER32(?,00000034,00000031,00000000,00000000), ref: 00438576
                                              • Part of subcall function 00438520: GetObjectW.GDI32(00000000,0000005C,?), ref: 00438586
                                              • Part of subcall function 00438520: lstrcpyW.KERNEL32(?,?), ref: 004385B2
                                              • Part of subcall function 00438520: CreateFontIndirectW.GDI32(?), ref: 004385BF
                                              • Part of subcall function 00438520: SendDlgItemMessageW.USER32(?,00000034,00000030,?,00000001), ref: 004385F5
                                              • Part of subcall function 00438520: SetDlgItemTextW.USER32(?,0000000C,-00000004), ref: 0043862A
                                              • Part of subcall function 00438520: GetDlgItem.USER32(?,0000000C), ref: 0043863D
                                              • Part of subcall function 00438520: EnableWindow.USER32(00000000,?), ref: 0043864F
                                            • SetDlgItemTextW.USER32(?,000003F0,-00000004), ref: 004386ED
                                            • SetDlgItemTextW.USER32(000000FF,00000001,-00000004), ref: 00438731
                                            • SetDlgItemTextW.USER32(000000FF,00000009,-00000004), ref: 00438769
                                            • SetDlgItemTextW.USER32(000000FF,00000034,-00000004), ref: 004387A1
                                            • SetDlgItemTextW.USER32(000000FF,00000033,-00000004), ref: 004387D9
                                              • Part of subcall function 00401B80: GetLastError.KERNEL32(?,00000000,00409F66,00000000,?,00000000,?,00000001,00000048,00409E02,004C2FA0,?,00000000,00000000,0000003C,00409181), ref: 00401B8F
                                              • Part of subcall function 00401B80: SysFreeString.OLEAUT32(00000000), ref: 00401BAB
                                              • Part of subcall function 00401B80: SysFreeString.OLEAUT32(0000002C), ref: 00401BB6
                                              • Part of subcall function 00401B80: SetLastError.KERNEL32(?), ref: 00401BD4
                                            • GetDlgItem.USER32(000000FF,00000009), ref: 004387F0
                                            • EnableWindow.USER32(00000000), ref: 004387F9
                                            • GetDlgItem.USER32(000000FF,00000002), ref: 00438802
                                            • EnableWindow.USER32(00000000), ref: 00438805
                                              • Part of subcall function 0040D268: __EH_prolog3_GS.LIBCMT ref: 0040D272
                                            • SetDlgItemTextW.USER32(000000FF,00000135,-00000004), ref: 00438853
                                            • SetDlgItemTextW.USER32(000000FF,00000133,-00000004), ref: 0043888F
                                            Strings
                                            Similarity
                                            • API ID: Item$Text$EnableH_prolog3_Window$ErrorFreeLastMessageSendString$CreateFontIndirectObjectlstrcpy
                                            • String ID: @/L
                                            • API String ID: 3400525829-3803013380
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Strings
                                            Similarity
                                            • API ID: _memmove$lstrcmp$H_prolog3_memset
                                            • String ID: GIF87a$GIF89a
                                            • API String ID: 3198123400-2918331024
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 0041A675
                                              • Part of subcall function 00404200: GetLastError.KERNEL32 ref: 0040421F
                                              • Part of subcall function 00404200: SetLastError.KERNEL32(?), ref: 0040424F
                                              • Part of subcall function 0040A0F0: SysStringLen.OLEAUT32(?), ref: 0040A0FD
                                              • Part of subcall function 0040A0F0: SysReAllocStringLen.OLEAUT32(?,00000001,?), ref: 0040A117
                                              • Part of subcall function 004160F7: __EH_prolog3.LIBCMT ref: 004160FE
                                              • Part of subcall function 0041AE03: __EH_prolog3_GS.LIBCMT ref: 0041AE0D
                                              • Part of subcall function 0041AE03: SysStringLen.OLEAUT32(?), ref: 0041AF0D
                                              • Part of subcall function 0041AE03: SysFreeString.OLEAUT32(?), ref: 0041AF18
                                              • Part of subcall function 0041AE03: SysFreeString.OLEAUT32(?), ref: 0041AF53
                                            Strings
                                            Similarity
                                            • API ID: String$ErrorFreeH_prolog3_Last$AllocH_prolog3
                                            • String ID: @/L$@/L$@/L$@/L$@/L$IS_OriginalLauncher:$IS_temp$media_path:$no_selfdeleter$package:$runfromtemp$tempdisk1folder:
                                            • API String ID: 2065516073-3687985525
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • FindResourceW.KERNEL32(?,0049656D,PNG,?,?,?,?,meI,0049679F,?,meI,00000000,?,?,?,?), ref: 00499B88
                                            • FindResourceW.KERNEL32(?,0049656D,00000002,?,0049656D,?,00000000), ref: 00499B99
                                            Strings
                                            Similarity
                                            • API ID: FindResource
                                            • String ID: PNG$meI
                                            • API String ID: 1635176832-435019584
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 0041C71F
                                            • _memmove.LIBCMT ref: 0041C74A
                                              • Part of subcall function 004043D0: GetLastError.KERNEL32(2E932D87,74DEDFA0,?,74DEE010,?,?,?,?,?,?,004AC3A0,000000FF,?,00403D9D,?,?), ref: 00404421
                                              • Part of subcall function 004043D0: SetLastError.KERNEL32(?,?,?,?,?,?,?,004AC3A0,000000FF,?,00403D9D,?,?), ref: 00404451
                                              • Part of subcall function 004043D0: GetLastError.KERNEL32(00000000,00000000,00000000,?,00000001,?,?,?,?,?,?,004AC3A0,000000FF,?,00403D9D,?), ref: 004044A1
                                              • Part of subcall function 004043D0: SysFreeString.OLEAUT32(?), ref: 004044BD
                                              • Part of subcall function 004043D0: SysFreeString.OLEAUT32(?), ref: 004044C8
                                              • Part of subcall function 004043D0: SetLastError.KERNEL32(?), ref: 004044E8
                                            • lstrcpyW.KERNEL32(?,-00000004), ref: 0041C77F
                                            • __setjmp3.LIBCMT ref: 0041C7A0
                                              • Part of subcall function 00418CDA: _longjmp.LIBCMT ref: 00418D00
                                              • Part of subcall function 004188B7: __EH_prolog3_GS.LIBCMT ref: 004188C1
                                              • Part of subcall function 004188B7: _memmove.LIBCMT ref: 004188F2
                                              • Part of subcall function 004188B7: lstrcpyW.KERNEL32(?,-00000004), ref: 00418927
                                              • Part of subcall function 004188B7: __setjmp3.LIBCMT ref: 00418948
                                              • Part of subcall function 00419F3C: __EH_prolog3_GS.LIBCMT ref: 00419F46
                                              • Part of subcall function 00419F3C: _memset.LIBCMT ref: 00419F95
                                              • Part of subcall function 00419F3C: _memmove.LIBCMT ref: 00419FAD
                                              • Part of subcall function 00419F3C: lstrcpyW.KERNEL32(?,-00000004), ref: 00419FE2
                                              • Part of subcall function 00419F3C: __setjmp3.LIBCMT ref: 0041A003
                                              • Part of subcall function 00419F3C: _wcschr.LIBCMT ref: 0041A01E
                                              • Part of subcall function 00419F3C: VariantClear.OLEAUT32(?), ref: 0041A081
                                              • Part of subcall function 00419F3C: _memmove.LIBCMT ref: 0041A15F
                                              • Part of subcall function 0041FA74: __EH_prolog3_GS.LIBCMT ref: 0041FA7E
                                            • GetDlgItem.USER32(?,00000009), ref: 0041C9BE
                                            • EnableWindow.USER32(00000000), ref: 0041C9C7
                                            • GetDlgItem.USER32(?,00000002), ref: 0041C9D3
                                            • EnableWindow.USER32(00000000), ref: 0041C9D6
                                            • _memmove.LIBCMT ref: 0041CA6B
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.2441700723.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2441790678.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2441825034.00000000004D7000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2441852535.00000000004DC000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2441852535.0000000000509000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2441852535.0000000000519000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: _memmove$ErrorH_prolog3_Last$__setjmp3lstrcpy$EnableFreeItemStringWindow$ClearVariant_longjmp_memset_wcschr
                                            • String ID: <Support>$<Support>\Engine\Log$setup.cpp
                                            • API String ID: 723219012-2693976720
                                            • Opcode ID: 974d0f14b5b2ba866243e95e352fa81eeb5e0d0110e1ff6b9f88b5e664b33e63
                                            • Instruction ID: 01d2c1aa1e48944ee1a50b52351e8f206b17040fda434f4d6f10e28c08ad58c2
                                            • Opcode Fuzzy Hash: 974d0f14b5b2ba866243e95e352fa81eeb5e0d0110e1ff6b9f88b5e664b33e63
                                            • Instruction Fuzzy Hash: EEA1A170640204AFDB14EBB5CC99FAA7768AF48304F1081ADB50ADF2C2DF78D945CBA4
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3_catch_GS.LIBCMT ref: 00450F3B
                                            • MoveFileExW.KERNEL32(?,?,00000005), ref: 00450F6F
                                            • GetLastError.KERNEL32 ref: 00450F7D
                                              • Part of subcall function 00450E4E: __EH_prolog3_GS.LIBCMT ref: 00450E55
                                              • Part of subcall function 00450D51: __EH_prolog3_GS.LIBCMT ref: 00450D58
                                              • Part of subcall function 00408E82: __EH_prolog3.LIBCMT ref: 00408E89
                                              • Part of subcall function 00408E82: GetLastError.KERNEL32(00000004,00409E1B,004C2FA0,00000000,0043A706,?,?,00000001), ref: 00408EAB
                                              • Part of subcall function 00408E82: SetLastError.KERNEL32(?,00000000), ref: 00408EE3
                                              • Part of subcall function 00451E0F: __EH_prolog3_GS.LIBCMT ref: 00451E16
                                              • Part of subcall function 00451E0F: GetShortPathNameW.KERNEL32(?,00000000,00000104), ref: 00451E73
                                              • Part of subcall function 00451E0F: __CxxThrowException@8.LIBCMT ref: 00451EA2
                                              • Part of subcall function 0043CD31: __EH_prolog3_GS.LIBCMT ref: 0043CD38
                                              • Part of subcall function 00401B80: GetLastError.KERNEL32(?,00000000,00409F66,00000000,?,00000000,?,00000001,00000048,00409E02,004C2FA0,?,00000000,00000000,0000003C,00409181), ref: 00401B8F
                                              • Part of subcall function 00401B80: SysFreeString.OLEAUT32(00000000), ref: 00401BAB
                                              • Part of subcall function 00401B80: SysFreeString.OLEAUT32(0000002C), ref: 00401BB6
                                              • Part of subcall function 00401B80: SetLastError.KERNEL32(?), ref: 00401BD4
                                            • GetPrivateProfileSectionW.KERNEL32(rename,00000000,00001FFF,WININIT.INI), ref: 00451180
                                            • GetPrivateProfileSectionW.KERNEL32(rename,00000000,?,00000000), ref: 004511D7
                                            • lstrcpyW.KERNEL32(00001FFF,?), ref: 0045120A
                                            • lstrlenW.KERNEL32(00001FFF), ref: 00451211
                                            • WritePrivateProfileSectionW.KERNEL32(rename,00000000,WININIT.INI), ref: 0045122F
                                            • GetLastError.KERNEL32 ref: 0045124A
                                            Strings
                                            Similarity
                                            • API ID: ErrorLast$H_prolog3_$PrivateProfileSection$FreeString$Exception@8FileH_prolog3H_prolog3_catch_MoveNamePathShortThrowWritelstrcpylstrlen
                                            • String ID: NUL$WININIT.INI$rename
                                            • API String ID: 3909151621-58278441
                                            • Opcode ID: 5fd1463ef6ca09b164e7c37edc345bbc507451e80e1a20656804d1f7de8fecdb
                                            • Instruction ID: 8363b48016af33153c358b9385617e216f70485c1f9bce546ef3a4aba1493cfb
                                            • Opcode Fuzzy Hash: 5fd1463ef6ca09b164e7c37edc345bbc507451e80e1a20656804d1f7de8fecdb
                                            • Instruction Fuzzy Hash: F291C631900118EECB11EBA5CC55BDE7778AF15305F1040AFF906A3192EB786B48CF69
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 0043828F
                                              • Part of subcall function 00438520: __EH_prolog3_GS.LIBCMT ref: 0043852A
                                              • Part of subcall function 00438520: SendDlgItemMessageW.USER32(?,00000034,00000031,00000000,00000000), ref: 00438576
                                              • Part of subcall function 00438520: GetObjectW.GDI32(00000000,0000005C,?), ref: 00438586
                                              • Part of subcall function 00438520: lstrcpyW.KERNEL32(?,?), ref: 004385B2
                                              • Part of subcall function 00438520: CreateFontIndirectW.GDI32(?), ref: 004385BF
                                              • Part of subcall function 00438520: SendDlgItemMessageW.USER32(?,00000034,00000030,?,00000001), ref: 004385F5
                                              • Part of subcall function 00438520: SetDlgItemTextW.USER32(?,0000000C,-00000004), ref: 0043862A
                                              • Part of subcall function 00438520: GetDlgItem.USER32(?,0000000C), ref: 0043863D
                                              • Part of subcall function 00438520: EnableWindow.USER32(00000000,?), ref: 0043864F
                                            • GetDlgItem.USER32(?,00000130), ref: 004382A3
                                              • Part of subcall function 00404200: GetLastError.KERNEL32 ref: 0040421F
                                              • Part of subcall function 00404200: SetLastError.KERNEL32(?), ref: 0040424F
                                            • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 0043832A
                                            • SendMessageW.USER32(00000000,0000019A,00000000,?), ref: 0043833C
                                            • SendMessageW.USER32(00000000,0000018F,000000FF,?), ref: 004383AE
                                            • SendMessageW.USER32(00000000,00000186,00000000,00000000), ref: 004383C0
                                            • SetDlgItemTextW.USER32(00000000,00000001,-00000004), ref: 004383F9
                                            • SetDlgItemTextW.USER32(00000000,00000009,-00000004), ref: 00438431
                                            • SetDlgItemTextW.USER32(00000000,00000034,-00000004), ref: 00438469
                                            • SetDlgItemTextW.USER32(00000000,00000033,-00000004), ref: 004384A1
                                            Strings
                                            Similarity
                                            • API ID: Item$MessageSend$Text$ErrorH_prolog3_Last$CreateEnableFontIndirectObjectWindowlstrcpy
                                            • String ID: @/L$@/L
                                            • API String ID: 1643976860-2149722323
                                            • Opcode ID: 9eb226005983cb94065936658ebb00b778596eeaf163ca26dd5261b5f3215247
                                            • Instruction ID: bd88454f7a6d59e6672a981e1f5a4da371b6e447b4fcc15e68d28bb08d8c6674
                                            • Opcode Fuzzy Hash: 9eb226005983cb94065936658ebb00b778596eeaf163ca26dd5261b5f3215247
                                            • Instruction Fuzzy Hash: 70913C71900104EFDB04EF64C995EA9B7B8FF08318F14816EF916AB2A2DB74E914CF54
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 0041463E
                                            • SetDlgItemTextW.USER32(?,00000002,-00000004), ref: 00414687
                                            • SetDlgItemTextW.USER32(?,000003F0,-00000004), ref: 004146E2
                                            • SetWindowTextW.USER32(?,-00000004), ref: 00414729
                                            • GetDesktopWindow.USER32 ref: 00414747
                                            • GetClientRect.USER32(00000000), ref: 0041474E
                                            • GetWindowRect.USER32(?,?), ref: 00414759
                                            • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?,?,00000088), ref: 0041478D
                                            • GetDlgItem.USER32(?,00000009), ref: 00414798
                                            • EnableWindow.USER32(00000000), ref: 004147A5
                                            • GetDlgItem.USER32(?,00000002), ref: 004147AE
                                            • EnableWindow.USER32(00000000), ref: 004147B5
                                            • GetDlgItem.USER32(?,00000002), ref: 004147EC
                                            • IsWindowEnabled.USER32(00000000), ref: 004147F3
                                              • Part of subcall function 0040D268: __EH_prolog3_GS.LIBCMT ref: 0040D272
                                            Similarity
                                            • API ID: Window$Item$Text$EnableH_prolog3_Rect$ClientDesktopEnabledMove
                                            • String ID:
                                            • API String ID: 3274798458-0
                                            • Opcode ID: 6b6eaa5e9d2bcf7e3eb6567ff08be4d225d798d8ea05d6adec4517f8e64a5b00
                                            • Instruction ID: b7755b4ba74daaa41efc44d42eaf60814dde8330b4d32263410293f3089a8e82
                                            • Opcode Fuzzy Hash: 6b6eaa5e9d2bcf7e3eb6567ff08be4d225d798d8ea05d6adec4517f8e64a5b00
                                            • Instruction Fuzzy Hash: 6051A371A10218AFDB14EFB5DC49EAE7BB8FF49304F00052AF506A7291DB38E944CB64
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 00440A9D
                                            • GetModuleHandleW.KERNEL32(Shell32.dll,SHBrowseForFolderW), ref: 00440AC9
                                            • GetProcAddress.KERNEL32(00000000), ref: 00440AD2
                                            • GetModuleHandleW.KERNEL32(Shell32.dll,SHGetPathFromIDListW), ref: 00440AE1
                                            • GetProcAddress.KERNEL32(00000000), ref: 00440AE4
                                            • GetCurrentDirectoryW.KERNEL32(00000104,00000000,?,00000104), ref: 00440B27
                                              • Part of subcall function 00409574: __EH_prolog3_GS.LIBCMT ref: 0040957B
                                              • Part of subcall function 00409574: GetLastError.KERNEL32(00000038,0040DDFB,004492A1,?,004AFFA0), ref: 00409582
                                              • Part of subcall function 00409574: SetLastError.KERNEL32(00000000), ref: 004095D6
                                            • _memset.LIBCMT ref: 00440B47
                                              • Part of subcall function 0040A0F0: SysStringLen.OLEAUT32(?), ref: 0040A0FD
                                              • Part of subcall function 0040A0F0: SysReAllocStringLen.OLEAUT32(?,00000001,?), ref: 0040A117
                                            Strings
                                            Similarity
                                            • API ID: AddressErrorH_prolog3_HandleLastModuleProcString$AllocCurrentDirectory_memset
                                            • String ID: @/L$@/L$SHBrowseForFolderW$SHGetPathFromIDListW$Shell32.dll
                                            • API String ID: 2532054659-2189340400
                                            • Opcode ID: a6fd4338a4381c4fe36c427c2d96d3df916a6f1b81429b137982d582661ae70e
                                            • Instruction ID: c095bc60ee846dac0ee6b09579a757ac3e992aeae7e9b7a79c30b1b31e433d7c
                                            • Opcode Fuzzy Hash: a6fd4338a4381c4fe36c427c2d96d3df916a6f1b81429b137982d582661ae70e
                                            • Instruction Fuzzy Hash: 5E515070900218DFDB15EFA1CC85BDEBBB4AF15304F1040AEE505A7292DBB99A48CF69
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetModuleHandleW.KERNEL32(Kernel32.dll), ref: 00444C3D
                                            • GetProcAddress.KERNEL32(00000000,GetSystemDefaultUILanguage), ref: 00444C4D
                                            • RegOpenKeyExW.ADVAPI32(80000003,.Default\Control Panel\desktop\ResourceLocale,00000000,000F003F,?), ref: 00444C86
                                            • RegQueryValueExW.ADVAPI32(?,004C2D7C,00000000,00000000,?,0000000A), ref: 00444C9E
                                            • RegOpenKeyExW.ADVAPI32(80000003,.DEFAULT\Control Panel\International,00000000,000F003F,?), ref: 00444CBF
                                            • RegQueryValueExW.ADVAPI32(?,Locale,00000000,00000000,?,0000000A), ref: 00444CD9
                                            • __wcstoi64.LIBCMT ref: 00444CFB
                                            Strings
                                            • .DEFAULT\Control Panel\International, xrefs: 00444CB2
                                            • GetSystemDefaultUILanguage, xrefs: 00444C47
                                            • .Default\Control Panel\desktop\ResourceLocale, xrefs: 00444C72
                                            • Kernel32.dll, xrefs: 00444C38
                                            • Locale, xrefs: 00444CD1
                                            Similarity
                                            • API ID: OpenQueryValue$AddressHandleModuleProc__wcstoi64
                                            • String ID: .DEFAULT\Control Panel\International$.Default\Control Panel\desktop\ResourceLocale$GetSystemDefaultUILanguage$Kernel32.dll$Locale
                                            • API String ID: 2065448255-3798069133
                                            • Opcode ID: 0beab6f27266994117a11318befe2c0ba251e351e15b1392993b225ab02f0337
                                            • Instruction ID: dec2fee5953cf9e0dbbcb3b0352eb84763cbe800ecd0f804597b60404a3882f0
                                            • Opcode Fuzzy Hash: 0beab6f27266994117a11318befe2c0ba251e351e15b1392993b225ab02f0337
                                            • Instruction Fuzzy Hash: E9214471E0122EAEFB10DBA1CC81FBF776CEB04745F15003BA911B2181DA689E058BBD
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 0043C3AC
                                            • _memset.LIBCMT ref: 0043C3D2
                                            • RegOpenKeyW.ADVAPI32(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion,?), ref: 0043C3F4
                                            • RegQueryValueExW.ADVAPI32(?,CommonFilesDir,00000000,00000000,?,?), ref: 0043C433
                                              • Part of subcall function 00415AF8: __EH_prolog3_GS.LIBCMT ref: 00415AFF
                                              • Part of subcall function 00415AF8: GetLastError.KERNEL32(0000003C,00487419,?,?,00000001,?,?,?,?,?,?,?,?,?,00000000), ref: 00415B2A
                                              • Part of subcall function 00415AF8: SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 00415B5B
                                            Strings
                                            Similarity
                                            • API ID: ErrorH_prolog3_Last$OpenQueryValue_memset
                                            • String ID: @/L$CommonFilesDir$ProgramFilesDir$SOFTWARE\Microsoft\Windows\CurrentVersion$dJ$dJ$lJ$lJ
                                            • API String ID: 1696510972-2331546588
                                            • Opcode ID: 1bd27786b9378dd6905520abf2531d222a44aa79d7a18eb0ca6807fb52d69697
                                            • Instruction ID: b406483aece97984e2f67a5298c2128ff1b561336d28c389f68f5baeca76a5df
                                            • Opcode Fuzzy Hash: 1bd27786b9378dd6905520abf2531d222a44aa79d7a18eb0ca6807fb52d69697
                                            • Instruction Fuzzy Hash: BA313DB19002289BDB24EF56CD91BEDB7B8AF19304F4040EBA50DA3251DB785F848F69
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                              • Part of subcall function 00464D84: __getptd_noexit.LIBCMT ref: 00464D85
                                            • _wcscmp.LIBCMT ref: 00462052
                                            • _wcscmp.LIBCMT ref: 00462068
                                            • ___get_qualified_locale.LIBCMT ref: 004620B9
                                              • Part of subcall function 0046E1E0: _TranslateName.LIBCMT ref: 0046E220
                                              • Part of subcall function 0046E1E0: _GetLocaleNameFromLangCountry.LIBCMT ref: 0046E239
                                              • Part of subcall function 0046E1E0: _TranslateName.LIBCMT ref: 0046E254
                                              • Part of subcall function 0046E1E0: _GetLocaleNameFromLangCountry.LIBCMT ref: 0046E26A
                                              • Part of subcall function 0046E1E0: IsValidCodePage.KERNEL32(00000000,?,?,00000055,?,?,004620BE,?,?,?,?,00000004,?,00000000), ref: 0046E2BE
                                            • GetACP.KERNEL32(?,?,?,?,?,00000004,?,00000000), ref: 00462150
                                            • _memmove.LIBCMT ref: 00462206
                                            • __invoke_watson.LIBCMT ref: 0046225B
                                            • __lock.LIBCMT ref: 0046227A
                                            • InterlockedDecrement.KERNEL32(00000000), ref: 0046228D
                                            • _free.LIBCMT ref: 004622A3
                                            • __lock.LIBCMT ref: 004622BC
                                            • ___removelocaleref.LIBCMT ref: 004622CB
                                            • ___freetlocinfo.LIBCMT ref: 004622E4
                                            • _free.LIBCMT ref: 004622F7
                                            Similarity
                                            • API ID: Name$CountryFromLangLocaleTranslate__lock_free_wcscmp$CodeDecrementInterlockedPageValid___freetlocinfo___get_qualified_locale___removelocaleref__getptd_noexit__invoke_watson_memmove
                                            • String ID:
                                            • API String ID: 186044211-0
                                            • Opcode ID: 65f231167ef966e2e19903536a99e1c99888594b17d5478a5711cc6edae10bdb
                                            • Instruction ID: 8ba6a8e79f3cbfa52e94c298c00d96272bc19f7e46cd040681b3506d6b616aee
                                            • Opcode Fuzzy Hash: 65f231167ef966e2e19903536a99e1c99888594b17d5478a5711cc6edae10bdb
                                            • Instruction Fuzzy Hash: 6091D671900615BBDB209F65CD42BEF77B8AF45314F1440ABFD08A2251FB788E85CB9A
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 0041918F
                                            • _memmove.LIBCMT ref: 004191AF
                                              • Part of subcall function 004043D0: GetLastError.KERNEL32(2E932D87,74DEDFA0,?,74DEE010,?,?,?,?,?,?,004AC3A0,000000FF,?,00403D9D,?,?), ref: 00404421
                                              • Part of subcall function 004043D0: SetLastError.KERNEL32(?,?,?,?,?,?,?,004AC3A0,000000FF,?,00403D9D,?,?), ref: 00404451
                                              • Part of subcall function 004043D0: GetLastError.KERNEL32(00000000,00000000,00000000,?,00000001,?,?,?,?,?,?,004AC3A0,000000FF,?,00403D9D,?), ref: 004044A1
                                              • Part of subcall function 004043D0: SysFreeString.OLEAUT32(?), ref: 004044BD
                                              • Part of subcall function 004043D0: SysFreeString.OLEAUT32(?), ref: 004044C8
                                              • Part of subcall function 004043D0: SetLastError.KERNEL32(?), ref: 004044E8
                                            • lstrcpyW.KERNEL32(?,-00000004), ref: 004191EB
                                            • __setjmp3.LIBCMT ref: 0041920C
                                              • Part of subcall function 0040B91E: __EH_prolog3_GS.LIBCMT ref: 0040B925
                                              • Part of subcall function 0041A199: __EH_prolog3_GS.LIBCMT ref: 0041A1A0
                                              • Part of subcall function 00418E75: __EH_prolog3_GS.LIBCMT ref: 00418E7F
                                              • Part of subcall function 00418E75: _memmove.LIBCMT ref: 00418EA4
                                              • Part of subcall function 00418E75: lstrcpyW.KERNEL32(?,-00000004), ref: 00418ED9
                                              • Part of subcall function 00418E75: __setjmp3.LIBCMT ref: 00418EFA
                                              • Part of subcall function 00418CDA: _longjmp.LIBCMT ref: 00418D00
                                              • Part of subcall function 00401B80: GetLastError.KERNEL32(?,00000000,00409F66,00000000,?,00000000,?,00000001,00000048,00409E02,004C2FA0,?,00000000,00000000,0000003C,00409181), ref: 00401B8F
                                              • Part of subcall function 00401B80: SysFreeString.OLEAUT32(00000000), ref: 00401BAB
                                              • Part of subcall function 00401B80: SysFreeString.OLEAUT32(0000002C), ref: 00401BB6
                                              • Part of subcall function 00401B80: SetLastError.KERNEL32(?), ref: 00401BD4
                                              • Part of subcall function 0040E057: __EH_prolog3_GS.LIBCMT ref: 0040E061
                                              • Part of subcall function 0040B22B: __EH_prolog3_GS.LIBCMT ref: 0040B232
                                              • Part of subcall function 0040A206: __EH_prolog3_GS.LIBCMT ref: 0040A210
                                              • Part of subcall function 00418E75: _memmove.LIBCMT ref: 00419163
                                              • Part of subcall function 004090B1: __EH_prolog3_GS.LIBCMT ref: 004090B8
                                              • Part of subcall function 00417EFF: __EH_prolog3.LIBCMT ref: 00417F06
                                            • _memmove.LIBCMT ref: 00419783
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Similarity
                                            • API ID: H_prolog3_$ErrorLast$FreeString_memmove$__setjmp3lstrcpy$H_prolog3_longjmp
                                            • String ID: &$.cab$@/L$layout.bin$setup.cpp$setup.inx
                                            • API String ID: 697873258-901562178
                                            • Opcode ID: cb3e79b7c898eaa0216b41af2dd1793d1d7cb792debdc366a6b2bfe39a8d7abc
                                            • Instruction ID: 8575189158bbba3b6d906a6ef7ac19f1f8741dae015d751b75bd54df3e8103d1
                                            • Opcode Fuzzy Hash: cb3e79b7c898eaa0216b41af2dd1793d1d7cb792debdc366a6b2bfe39a8d7abc
                                            • Instruction Fuzzy Hash: 0C026F70A001589FDB14E7A5CD56BEDB7B9AF58344F0000EEE509A3292EB785F48CF66
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetObjectW.GDI32(?,00000018,?), ref: 00436827
                                            • CreateCompatibleDC.GDI32(00000000), ref: 0043684B
                                            • SelectObject.GDI32(00000000,?), ref: 0043685B
                                            • GetDIBColorTable.GDI32(00000000,00000000,00000100,?), ref: 00436870
                                            • GlobalAlloc.KERNEL32(00000042,00000408), ref: 0043687F
                                            • GlobalLock.KERNEL32(00000000), ref: 0043688C
                                            • GetSystemPaletteEntries.GDI32(?,00000000,0000000A,00000004), ref: 00436927
                                            • GetSystemPaletteEntries.GDI32(?,000000F6,0000000A,000003DC), ref: 00436938
                                            • CreatePalette.GDI32(00000000), ref: 0043693B
                                            • DeleteDC.GDI32(?), ref: 00436947
                                            • GetDC.USER32(00000000), ref: 0043695C
                                            • CreateHalftonePalette.GDI32(00000000), ref: 00436965
                                            • ReleaseDC.USER32(00000000,00000000), ref: 00436972
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Similarity
                                            • API ID: Palette$Create$EntriesGlobalObjectSystem$AllocColorCompatibleDeleteHalftoneLockReleaseSelectTable
                                            • String ID:
                                            • API String ID: 1699956756-0
                                            • Opcode ID: 9fffb9183ea9f75ac36f32c1f257a06a84f546f4a87139108fff568328575c93
                                            • Instruction ID: 0e618a48a188d60c81fe0ffe5ce451cc4a34528846e82f1bf0bd46f1c2f94a20
                                            • Opcode Fuzzy Hash: 9fffb9183ea9f75ac36f32c1f257a06a84f546f4a87139108fff568328575c93
                                            • Instruction Fuzzy Hash: 044159B1500264AFC7118F25DC84BEA7FB8EF5A304F0480FAEB46E7242C6749D46CB28
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 0041193E
                                              • Part of subcall function 004018F0: GetModuleHandleW.KERNEL32(Advapi32.dll), ref: 00401914
                                              • Part of subcall function 004018F0: RegCloseKey.ADVAPI32(00000000), ref: 00401977
                                            • GetCommandLineW.KERNEL32 ref: 00411ABF
                                              • Part of subcall function 00404200: GetLastError.KERNEL32 ref: 0040421F
                                              • Part of subcall function 00404200: SetLastError.KERNEL32(?), ref: 0040424F
                                              • Part of subcall function 0040E35C: __EH_prolog3_GS.LIBCMT ref: 0040E363
                                              • Part of subcall function 0040E35C: __itow_s.LIBCMT ref: 0040E39A
                                              • Part of subcall function 0040E35C: SetLastError.KERNEL32(?,?,00000000,00000001), ref: 0040E3C9
                                              • Part of subcall function 00401AC0: GetLastError.KERNEL32(?,?,0040E566), ref: 00401ACF
                                              • Part of subcall function 00401AC0: SysFreeString.OLEAUT32(?), ref: 00401AEB
                                              • Part of subcall function 00401AC0: SysFreeString.OLEAUT32(?), ref: 00401AF6
                                              • Part of subcall function 00401AC0: SetLastError.KERNEL32(?), ref: 00401B14
                                              • Part of subcall function 00401B80: GetLastError.KERNEL32(?,00000000,00409F66,00000000,?,00000000,?,00000001,00000048,00409E02,004C2FA0,?,00000000,00000000,0000003C,00409181), ref: 00401B8F
                                              • Part of subcall function 00401B80: SysFreeString.OLEAUT32(00000000), ref: 00401BAB
                                              • Part of subcall function 00401B80: SysFreeString.OLEAUT32(0000002C), ref: 00401BB6
                                              • Part of subcall function 00401B80: SetLastError.KERNEL32(?), ref: 00401BD4
                                              • Part of subcall function 00408E82: __EH_prolog3.LIBCMT ref: 00408E89
                                              • Part of subcall function 00408E82: GetLastError.KERNEL32(00000004,00409E1B,004C2FA0,00000000,0043A706,?,?,00000001), ref: 00408EAB
                                              • Part of subcall function 00408E82: SetLastError.KERNEL32(?,00000000), ref: 00408EE3
                                              • Part of subcall function 0040E057: __EH_prolog3_GS.LIBCMT ref: 0040E061
                                              • Part of subcall function 0040A017: __wcsnicmp.LIBCMT ref: 0040A05E
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Similarity
                                            • API ID: ErrorLast$FreeString$H_prolog3_$CloseCommandH_prolog3HandleLineModule__itow_s__wcsnicmp
                                            • String ID: ISSetupPrerequisistes$%%IS_PREREQ%%-%s$.exe$@/L$@/L$P/L$Software\Microsoft\Windows\CurrentVersion$Software\Microsoft\Windows\CurrentVersion\RunOnce$|-L
                                            • API String ID: 3598051681-2365343915
                                            • Opcode ID: b7c71d4c37349b4ab3410b9152d041392dfcdb1d4699871a672d2163f03087cc
                                            • Instruction ID: 5ba13f66eb6bf40d1a68d8553a301f3a621067c2fc7de99ce0a8a9dd4e7a0d18
                                            • Opcode Fuzzy Hash: b7c71d4c37349b4ab3410b9152d041392dfcdb1d4699871a672d2163f03087cc
                                            • Instruction Fuzzy Hash: B8D15F71900218EEDB24EBA5CC95FEDB7B8AF14304F1041AEE509B7191EB746E88CF65
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 00451527
                                            • wsprintfW.USER32 ref: 00451643
                                            • wsprintfW.USER32 ref: 00451658
                                            • wsprintfW.USER32 ref: 004517C7
                                            • wsprintfW.USER32 ref: 004517DA
                                            • RegSetValueExW.ADVAPI32(?,Count,00000000,00000004,?,00000004), ref: 00451844
                                              • Part of subcall function 00450B11: __EH_prolog3_GS.LIBCMT ref: 00450B18
                                            • DeleteFileW.KERNEL32(?), ref: 0045187C
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Similarity
                                            • API ID: wsprintf$H_prolog3_$DeleteFileValue
                                            • String ID: Count$Software\InstallShieldPendingOperation$dest%d$source%d
                                            • API String ID: 2703998930-4089646173
                                            • Opcode ID: 8451693f85238eed414947f0ff557924e9b3c540a4be866a3fc6c72747ce659f
                                            • Instruction ID: 8e9e8d026ccb64995e6bb7a0a4ab435d3ae9af4bc93e76a6530ecb9e04ce2cbe
                                            • Opcode Fuzzy Hash: 8451693f85238eed414947f0ff557924e9b3c540a4be866a3fc6c72747ce659f
                                            • Instruction Fuzzy Hash: 13A1A0718002199EDB24EF54CC85FE9B7B8AF19304F0041EEE559A7192EBB46B88CF64
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Similarity
                                            • API ID: Filewsprintf$DeleteErrorH_prolog3_LastMove
                                            • String ID: Count$InstallShieldPendingOperation$Software$dest%d$source%d
                                            • API String ID: 2653183521-2585182305
                                            • Opcode ID: 2819c8aa42d7301270cb82d7f507ed12c65533ae54492845a85e7cb80b72b319
                                            • Instruction ID: 18e8f3a60b99fad522a7cd0c46d208c56dcb8803b1485228489cfc9843af082e
                                            • Opcode Fuzzy Hash: 2819c8aa42d7301270cb82d7f507ed12c65533ae54492845a85e7cb80b72b319
                                            • Instruction Fuzzy Hash: 49818C71900229DEEB24EB65CC45BEDB7B4AF15304F0041EAE549A3192EB785FC8CF65
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 00419F46
                                            • _memset.LIBCMT ref: 00419F95
                                            • _memmove.LIBCMT ref: 00419FAD
                                              • Part of subcall function 004043D0: GetLastError.KERNEL32(2E932D87,74DEDFA0,?,74DEE010,?,?,?,?,?,?,004AC3A0,000000FF,?,00403D9D,?,?), ref: 00404421
                                              • Part of subcall function 004043D0: SetLastError.KERNEL32(?,?,?,?,?,?,?,004AC3A0,000000FF,?,00403D9D,?,?), ref: 00404451
                                              • Part of subcall function 004043D0: GetLastError.KERNEL32(00000000,00000000,00000000,?,00000001,?,?,?,?,?,?,004AC3A0,000000FF,?,00403D9D,?), ref: 004044A1
                                              • Part of subcall function 004043D0: SysFreeString.OLEAUT32(?), ref: 004044BD
                                              • Part of subcall function 004043D0: SysFreeString.OLEAUT32(?), ref: 004044C8
                                              • Part of subcall function 004043D0: SetLastError.KERNEL32(?), ref: 004044E8
                                            • lstrcpyW.KERNEL32(?,-00000004), ref: 00419FE2
                                            • __setjmp3.LIBCMT ref: 0041A003
                                            • _wcschr.LIBCMT ref: 0041A01E
                                            • VariantClear.OLEAUT32(?), ref: 0041A081
                                            • _wcsncpy.LIBCMT ref: 0041A09D
                                              • Part of subcall function 00417844: SysAllocString.OLEAUT32(?), ref: 00417865
                                              • Part of subcall function 00418CDA: _longjmp.LIBCMT ref: 00418D00
                                            • VariantClear.OLEAUT32(?), ref: 0041A102
                                            • _memmove.LIBCMT ref: 0041A15F
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Similarity
                                            • API ID: ErrorLast$String$ClearFreeVariant_memmove$AllocH_prolog3___setjmp3_longjmp_memset_wcschr_wcsncpylstrcpy
                                            • String ID: setup.cpp
                                            • API String ID: 217399626-2020632666
                                            • Opcode ID: 24bf8db453f537f2ac38769ced95113c6d8937097eff4c97c70a3883aebfabaf
                                            • Instruction ID: f85f04d5041f9a94aa3106536137e34a7d37407c46ebae36e23c02d0bb7d63a7
                                            • Opcode Fuzzy Hash: 24bf8db453f537f2ac38769ced95113c6d8937097eff4c97c70a3883aebfabaf
                                            • Instruction Fuzzy Hash: 4B615171D01219ABDF10EBA4CD49BDEB7B8AF09304F0041DAF909AB291DB749E84CF59
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                              • Part of subcall function 0043E2D6: __EH_prolog3_GS.LIBCMT ref: 0043E2DD
                                              • Part of subcall function 0043E2D6: GetWindowsDirectoryW.KERNEL32(00000000,00000104,?,00000104,00000078,00444282,?,00000000,00000068,00486772,?,004C2FA0,uxtheme.dll,?,00000000), ref: 0043E335
                                              • Part of subcall function 0043E2D6: __CxxThrowException@8.LIBCMT ref: 0043E362
                                              • Part of subcall function 00401B80: GetLastError.KERNEL32(?,00000000,00409F66,00000000,?,00000000,?,00000001,00000048,00409E02,004C2FA0,?,00000000,00000000,0000003C,00409181), ref: 00401B8F
                                              • Part of subcall function 00401B80: SysFreeString.OLEAUT32(00000000), ref: 00401BAB
                                              • Part of subcall function 00401B80: SysFreeString.OLEAUT32(0000002C), ref: 00401BB6
                                              • Part of subcall function 00401B80: SetLastError.KERNEL32(?), ref: 00401BD4
                                              • Part of subcall function 00408F6D: __EH_prolog3.LIBCMT ref: 00408F74
                                              • Part of subcall function 00408F6D: GetLastError.KERNEL32(00000004,004091E9,00000000,?,00000000,00000000), ref: 00408F96
                                              • Part of subcall function 00408F6D: SetLastError.KERNEL32(?,00000000,?), ref: 00408FCF
                                            • LoadLibraryW.KERNEL32(?,004C2FA0,Shcore.dll,?,00000000,?,?), ref: 004962AD
                                            • GetProcAddress.KERNEL32(00000000,GetDpiForMonitor), ref: 004962C5
                                            • MonitorFromPoint.USER32(00000001,00000001,00000002), ref: 004962DB
                                            • GetDC.USER32(00000000), ref: 00496310
                                            • GetDeviceCaps.GDI32(00000000,00000058), ref: 0049631F
                                            • ReleaseDC.USER32(00000000,00000000), ref: 0049632E
                                            • MulDiv.KERNEL32(00000060,00000064,00000060), ref: 0049633E
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Similarity
                                            • API ID: ErrorLast$FreeString$AddressCapsDeviceDirectoryException@8FromH_prolog3H_prolog3_LibraryLoadMonitorPointProcReleaseThrowWindows
                                            • String ID: @/L$GetDpiForMonitor$Shcore.dll$`
                                            • API String ID: 1830457265-1007342126
                                            • Opcode ID: 0e0ae79c68afe802f0bbf342f50a642fd3d05c30491e8acd806336a09873d8ab
                                            • Instruction ID: 61a6fc84fcf242ae177ddf2fcf310ea8999672785abef5f9ab41c710446a3bc6
                                            • Opcode Fuzzy Hash: 0e0ae79c68afe802f0bbf342f50a642fd3d05c30491e8acd806336a09873d8ab
                                            • Instruction Fuzzy Hash: 81418171A00318EEDF21DBA5CC45FDEBBB8AF05704F0001AEF915A7281DBB85908CB65
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • IsWindow.USER32(00000001), ref: 00496401
                                            • DestroyWindow.USER32(00000001,?,?,00000000,004ABE4B,000000FF,?,00495AB7,?,?,00000002,?,?,00000000,00000001), ref: 0049640E
                                            • IsWindow.USER32(?), ref: 00496430
                                            • CreateWindowExW.USER32(00000020,00000000,40000000,00000000,00000000,00000000,00000000,?,00000000,?), ref: 004964A2
                                            • IsWindow.USER32(00000000), ref: 004964AC
                                            • GetWindow.USER32(?,00000003), ref: 004964D0
                                            • SetWindowPos.USER32(00000000,?,00000000,00000000,00000000,00000000,00000003), ref: 004964F3
                                            • MulDiv.KERNEL32(00000000,00000000,00000064), ref: 0049660A
                                            • MulDiv.KERNEL32(00000000,00000000,?), ref: 00496656
                                            • MulDiv.KERNEL32(00000000,00000000,?), ref: 00496679
                                            • MoveWindow.USER32(00000000,?,?,00000000,?,00000000,00000000,00000000,?,?,00000000), ref: 004966C8
                                            • ShowWindow.USER32(00000000,00000000), ref: 004966D3
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Similarity
                                            • API ID: Window$CreateDestroyMoveShow
                                            • String ID:
                                            • API String ID: 3486018820-0
                                            • Opcode ID: 54ad85b1d14f8302e427f7de450e69ecc88b3b4ff6ce2b7702f595ccbfc3fc33
                                            • Instruction ID: 1bf84b70c09bbdd0bcfb24cd7475d3bf2832844d0d10c60855775236acd56808
                                            • Opcode Fuzzy Hash: 54ad85b1d14f8302e427f7de450e69ecc88b3b4ff6ce2b7702f595ccbfc3fc33
                                            • Instruction Fuzzy Hash: CAB17B71A00204AFDF10DFA4D995BAEBFB5AF08314F15806AFD05AB295DB39DC11CB68
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                              • Part of subcall function 00402CE0: GetLastError.KERNEL32(2E932D87,?,00000000,74DEDFA0,?,?,004AC418,000000FF,T4L,00401EE2,InstallShield.log,?), ref: 00402D30
                                              • Part of subcall function 00402CE0: SetLastError.KERNEL32(?,004C2D7C,00000000,?,00000000,74DEDFA0,?,?,004AC418,000000FF,T4L,00401EE2,InstallShield.log,?), ref: 00402DA8
                                            • CreateFileW.KERNEL32(-00000004,C0000000,00000001,00000000,00000004,00000080,00000000,?,?,00000001,2E932D87), ref: 00402066
                                            • GetLastError.KERNEL32(?,?,00000001,2E932D87), ref: 00402079
                                            • SysFreeString.OLEAUT32(?), ref: 00402095
                                            • SysFreeString.OLEAUT32(?), ref: 004020A0
                                            • SetLastError.KERNEL32(?), ref: 004020C0
                                            • ReadFile.KERNEL32(00000000,00000000,00000002,00000000,00000000), ref: 004020F8
                                            • WriteFile.KERNEL32(00000000,00000000,00000002,?), ref: 0040213B
                                            • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00402172
                                            • GetLastError.KERNEL32 ref: 00402193
                                            • SysFreeString.OLEAUT32(?), ref: 004021A9
                                            • SysFreeString.OLEAUT32(?), ref: 004021B4
                                            • SetLastError.KERNEL32(?), ref: 004021D4
                                            Similarity
                                            • API ID: ErrorLast$FileFreeString$Write$CreateRead
                                            • String ID:
                                            • API String ID: 2306213392-0
                                            • Opcode ID: 74b8f1236cacd319532d57d6b2d5a616290a54c3b6498e0a95c4e9d8e35ed752
                                            • Instruction ID: e106a9f4cbf14f95d49d83af86798c1b7ba84dd5c8c358d7f972cb33e0b1c78b
                                            • Opcode Fuzzy Hash: 74b8f1236cacd319532d57d6b2d5a616290a54c3b6498e0a95c4e9d8e35ed752
                                            • Instruction Fuzzy Hash: 07514931900208AFEB10DFA5DC49FADBBB8FF09704F10406AEA14BB2E1D774A955CB59
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • lstrcpynA.KERNEL32(?,?,?,?,?,?,004568E3,004C2BD0,00000000,?,?), ref: 00456707
                                            • lstrcmpA.KERNEL32(?,NoRemove,?,?,?,004568E3,004C2BD0,00000000,?,?), ref: 00456719
                                            • lstrcmpA.KERNEL32(?,ForceRemove,?,?,?,004568E3,004C2BD0,00000000,?,?), ref: 00456757
                                            • lstrcmpA.KERNEL32(?,val,?,?,?,004568E3,004C2BD0,00000000,?,?), ref: 0045676A
                                            Similarity
                                            • API ID: lstrcmp$lstrcpyn
                                            • String ID: ForceRemove$HKCR$NoRemove$val
                                            • API String ID: 3250216649-3921688442
                                            • Opcode ID: 64b3d32f1e08da20181bbe47fb14463c8ab379f45b1abeeeca8b6f2c410d0799
                                            • Instruction ID: a5d7ce2763394210b2c8c1fb3cb5ab048f1494858562a95f42f6bb40a9617147
                                            • Opcode Fuzzy Hash: 64b3d32f1e08da20181bbe47fb14463c8ab379f45b1abeeeca8b6f2c410d0799
                                            • Instruction Fuzzy Hash: 60413A712043015ED7309A398C84B737BE9BB49316FD6062BEC86C7683D76DF8498B28
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 004490FF
                                              • Part of subcall function 00404200: GetLastError.KERNEL32 ref: 0040421F
                                              • Part of subcall function 00404200: SetLastError.KERNEL32(?), ref: 0040424F
                                            • GetErrorInfo.OLEAUT32(00000000,?,00000264,0043A729,?,?,?,00000001), ref: 0044913B
                                            • CreateErrorInfo.OLEAUT32(?), ref: 0044919A
                                            • ProgIDFromCLSID.OLE32(?,?), ref: 004491C7
                                            • CoTaskMemFree.OLE32(?), ref: 004491EB
                                              • Part of subcall function 0040A0F0: SysStringLen.OLEAUT32(?), ref: 0040A0FD
                                              • Part of subcall function 0040A0F0: SysReAllocStringLen.OLEAUT32(?,00000001,?), ref: 0040A117
                                            • SetErrorInfo.OLEAUT32(00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 00449448
                                            Similarity
                                            • API ID: Error$Info$LastString$AllocCreateFreeFromH_prolog3_ProgTask
                                            • String ID: )$@/L$@/L
                                            • API String ID: 290475581-2532612753
                                            • Opcode ID: c0bd4b3af20aefacb97d58783fba13363f33016cc5667905c6cb5cce283dbbe9
                                            • Instruction ID: 21e2d273a3d2f517428eb9d5f3f77e34d1aad62743345aff31db80580862d89f
                                            • Opcode Fuzzy Hash: c0bd4b3af20aefacb97d58783fba13363f33016cc5667905c6cb5cce283dbbe9
                                            • Instruction Fuzzy Hash: 72C15D71900218AEDB15EBA1CC54BEE7778AF58304F1440EEE409B3292DB785E49DB69
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                              • Part of subcall function 00408F6D: __EH_prolog3.LIBCMT ref: 00408F74
                                              • Part of subcall function 00408F6D: GetLastError.KERNEL32(00000004,004091E9,00000000,?,00000000,00000000), ref: 00408F96
                                              • Part of subcall function 00408F6D: SetLastError.KERNEL32(?,00000000,?), ref: 00408FCF
                                            • __wcsnicmp.LIBCMT ref: 00499826
                                            • __wcsnicmp.LIBCMT ref: 0049987F
                                            • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00499912
                                            • GetFileSize.KERNEL32(00000000,?), ref: 00499935
                                            • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00499972
                                            Similarity
                                            • API ID: File$ErrorLast__wcsnicmp$CreateH_prolog3ReadSize
                                            • String ID: .bmp$.dll$.wmf$dJ$lJ
                                            • API String ID: 712479857-2517244617
                                            • Opcode ID: 36e2a5e6393ac3354ebbffc1edfe716ccb3a7466fc6be135708c91518bc66aed
                                            • Instruction ID: 9a53e38ed3cbee91c574600164a1b9e1fa819cd09071de70aa6fd71bcf447936
                                            • Opcode Fuzzy Hash: 36e2a5e6393ac3354ebbffc1edfe716ccb3a7466fc6be135708c91518bc66aed
                                            • Instruction Fuzzy Hash: D981E671900204EAEF20EB69CC45BEE7B78AF05314F1401BFE815A32D1EB399E49CB59
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                              • Part of subcall function 0044A300: GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,?,?,?,0044A209), ref: 0044A313
                                              • Part of subcall function 0044A300: GetProcAddress.KERNEL32(00000000), ref: 0044A31A
                                              • Part of subcall function 0044A300: GetCurrentProcess.KERNEL32(00000000,?,?,?,0044A209), ref: 0044A32A
                                            • GetModuleHandleW.KERNEL32(kernel32,Wow64DisableWow64FsRedirection), ref: 0044A223
                                            • GetProcAddress.KERNEL32(00000000), ref: 0044A22C
                                            • GetModuleHandleW.KERNEL32(kernel32,Wow64RevertWow64FsRedirection), ref: 0044A237
                                            • GetProcAddress.KERNEL32(00000000), ref: 0044A23A
                                            Similarity
                                            • API ID: AddressHandleModuleProc$CurrentProcess
                                            • String ID: Wow64DisableWow64FsRedirection$Wow64EnableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32
                                            • API String ID: 565683799-3439747844
                                            • Opcode ID: a7d460847f7ac47c9885598faf888c97aae771e5c34a54c084e4059b01bf2cde
                                            • Instruction ID: 13ad9e053d7390241737b19a12295ca612cefdc63b0c677b9ac50012449135f7
                                            • Opcode Fuzzy Hash: a7d460847f7ac47c9885598faf888c97aae771e5c34a54c084e4059b01bf2cde
                                            • Instruction Fuzzy Hash: D711C031681209ABEF14AFA69C51B9B379CBF45344B10406BB902D33A0DBFDDC11EA69
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • lstrcmpiW.KERNEL32(?,Delete,?,2E932D87,?,00000000,00000000,?,004A37D8,000000FF,?,00420109,?,00000000,00000000,00000000), ref: 0042034D
                                            • lstrcmpiW.KERNEL32(?,ForceRemove,?,00000000,00000000,?,004A37D8,000000FF,?,00420109,?,00000000,00000000,00000000,?,?), ref: 00420364
                                            • lstrcmpiW.KERNEL32(?,NoRemove,?,?,00000000,00000000,?,004A37D8,000000FF,?,00420109,?,00000000,00000000,00000000,?), ref: 0042044A
                                            • lstrcmpiW.KERNEL32(?,Val,?,00000000,00000000,?,004A37D8,000000FF,?,00420109,?,00000000,00000000,00000000,?,?), ref: 00420472
                                              • Part of subcall function 0041D0ED: CharNextW.USER32(?,?,00000000,?,?,?,?,004180FA,?,2E932D87,?,?,?,?,?,004A2661), ref: 0041D128
                                              • Part of subcall function 0041D0ED: CharNextW.USER32(?,?,?,00000000,?,?,?,?,004180FA,?,2E932D87), ref: 0041D1AE
                                            • RegDeleteValueW.ADVAPI32(?,?,?,?), ref: 0042056D
                                              • Part of subcall function 004018F0: GetModuleHandleW.KERNEL32(Advapi32.dll), ref: 00401914
                                              • Part of subcall function 004018F0: RegCloseKey.ADVAPI32(00000000), ref: 00401977
                                            Similarity
                                            • API ID: lstrcmpi$CharNext$CloseDeleteHandleModuleValue
                                            • String ID: Delete$ForceRemove$NoRemove$Val
                                            • API String ID: 1242246611-1781481701
                                            • Opcode ID: a1d446e6506353cbc252382d4029f75a5ef42e5710bce3a37fa9218991492181
                                            • Instruction ID: 2760f7622405121b3bcfe2dddfac2a0a87bb3b9587d57393e72ef0353ddbb821
                                            • Opcode Fuzzy Hash: a1d446e6506353cbc252382d4029f75a5ef42e5710bce3a37fa9218991492181
                                            • Instruction Fuzzy Hash: 73E1C931E01235ABCB35EB65AC54AAFB7F4AF14704F4045AFE805E2252D7388F84CE95
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                              • Part of subcall function 00408F6D: __EH_prolog3.LIBCMT ref: 00408F74
                                              • Part of subcall function 00408F6D: GetLastError.KERNEL32(00000004,004091E9,00000000,?,00000000,00000000), ref: 00408F96
                                              • Part of subcall function 00408F6D: SetLastError.KERNEL32(?,00000000,?), ref: 00408FCF
                                              • Part of subcall function 0040B91E: __EH_prolog3_GS.LIBCMT ref: 0040B925
                                              • Part of subcall function 004221C3: __EH_prolog3.LIBCMT ref: 004221CA
                                              • Part of subcall function 00401B80: GetLastError.KERNEL32(?,00000000,00409F66,00000000,?,00000000,?,00000001,00000048,00409E02,004C2FA0,?,00000000,00000000,0000003C,00409181), ref: 00401B8F
                                              • Part of subcall function 00401B80: SysFreeString.OLEAUT32(00000000), ref: 00401BAB
                                              • Part of subcall function 00401B80: SysFreeString.OLEAUT32(0000002C), ref: 00401BB6
                                              • Part of subcall function 00401B80: SetLastError.KERNEL32(?), ref: 00401BD4
                                              • Part of subcall function 004090B1: __EH_prolog3_GS.LIBCMT ref: 004090B8
                                              • Part of subcall function 00418E75: __EH_prolog3_GS.LIBCMT ref: 00418E7F
                                              • Part of subcall function 00418E75: _memmove.LIBCMT ref: 00418EA4
                                              • Part of subcall function 00418E75: lstrcpyW.KERNEL32(?,-00000004), ref: 00418ED9
                                              • Part of subcall function 00418E75: __setjmp3.LIBCMT ref: 00418EFA
                                              • Part of subcall function 00418CDA: _longjmp.LIBCMT ref: 00418D00
                                              • Part of subcall function 0041CDBA: LoadLibraryW.KERNEL32(-00000004), ref: 0041CDED
                                            • _memmove.LIBCMT ref: 00421625
                                            Similarity
                                            • API ID: ErrorLast$H_prolog3_$FreeH_prolog3String_memmove$LibraryLoad__setjmp3_longjmplstrcpy
                                            • String ID: '$*$@/L$@/L$@/L$@/L$ISSetup.dll$ISSetup.dll
                                            • API String ID: 3868212671-3271623578
                                            • Opcode ID: f27a9b64ead99a97a793cfd9fb6c14ecb76a49be51d9b9eaf8f32d435d69a777
                                            • Instruction ID: 55a32be16f28225197dd2d98624df9587fbe5d17ea24a4de6dec626459dec031
                                            • Opcode Fuzzy Hash: f27a9b64ead99a97a793cfd9fb6c14ecb76a49be51d9b9eaf8f32d435d69a777
                                            • Instruction Fuzzy Hash: 64B1C270A00158DFDB14EB64C955BEDB7B9AF98304F0040EEF50AA3292DB785F48CB69
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 004188C1
                                            • _memmove.LIBCMT ref: 004188F2
                                              • Part of subcall function 004043D0: GetLastError.KERNEL32(2E932D87,74DEDFA0,?,74DEE010,?,?,?,?,?,?,004AC3A0,000000FF,?,00403D9D,?,?), ref: 00404421
                                              • Part of subcall function 004043D0: SetLastError.KERNEL32(?,?,?,?,?,?,?,004AC3A0,000000FF,?,00403D9D,?,?), ref: 00404451
                                              • Part of subcall function 004043D0: GetLastError.KERNEL32(00000000,00000000,00000000,?,00000001,?,?,?,?,?,?,004AC3A0,000000FF,?,00403D9D,?), ref: 004044A1
                                              • Part of subcall function 004043D0: SysFreeString.OLEAUT32(?), ref: 004044BD
                                              • Part of subcall function 004043D0: SysFreeString.OLEAUT32(?), ref: 004044C8
                                              • Part of subcall function 004043D0: SetLastError.KERNEL32(?), ref: 004044E8
                                            • lstrcpyW.KERNEL32(?,-00000004), ref: 00418927
                                            • __setjmp3.LIBCMT ref: 00418948
                                              • Part of subcall function 0040A0F0: SysStringLen.OLEAUT32(?), ref: 0040A0FD
                                              • Part of subcall function 0040A0F0: SysReAllocStringLen.OLEAUT32(?,00000001,?), ref: 0040A117
                                              • Part of subcall function 00418CDA: _longjmp.LIBCMT ref: 00418D00
                                            • SysFreeString.OLEAUT32(?), ref: 00418AFA
                                            • _memmove.LIBCMT ref: 00418C4F
                                            Similarity
                                            • API ID: String$ErrorLast$Free$_memmove$AllocH_prolog3___setjmp3_longjmplstrcpy
                                            • String ID: @/L$SUPPORTDIR$setup.cpp
                                            • API String ID: 4158757861-264556979
                                            • Opcode ID: 1b16957741b8d29ca3f06fc25600420df800334d41fb51d178047b1ecabdff0f
                                            • Instruction ID: 73ab86cc7cfdb58334e1e9dfdae098171c1a2feb4c19dac2799add70096844b1
                                            • Opcode Fuzzy Hash: 1b16957741b8d29ca3f06fc25600420df800334d41fb51d178047b1ecabdff0f
                                            • Instruction Fuzzy Hash: 33B16B70A00218DFCB14DFA5CD95BDEB7B8AF48304F1041DEE509AB281DB74AA85CFA5
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetTempFileNameW.KERNEL32(?,_is,00000000,00000000,?,00000104), ref: 00444FED
                                            • GetTempPathW.KERNEL32(00000104,00000000,?,00000104), ref: 00444ECF
                                              • Part of subcall function 00409574: __EH_prolog3_GS.LIBCMT ref: 0040957B
                                              • Part of subcall function 00409574: GetLastError.KERNEL32(00000038,0040DDFB,004492A1,?,004AFFA0), ref: 00409582
                                              • Part of subcall function 00409574: SetLastError.KERNEL32(00000000), ref: 004095D6
                                            • __EH_prolog3_GS.LIBCMT ref: 00444E8C
                                              • Part of subcall function 0040A0F0: SysStringLen.OLEAUT32(?), ref: 0040A0FD
                                              • Part of subcall function 0040A0F0: SysReAllocStringLen.OLEAUT32(?,00000001,?), ref: 0040A117
                                            • DeleteFileW.KERNEL32(?), ref: 00445012
                                              • Part of subcall function 00408E82: __EH_prolog3.LIBCMT ref: 00408E89
                                              • Part of subcall function 00408E82: GetLastError.KERNEL32(00000004,00409E1B,004C2FA0,00000000,0043A706,?,?,00000001), ref: 00408EAB
                                              • Part of subcall function 00408E82: SetLastError.KERNEL32(?,00000000), ref: 00408EE3
                                              • Part of subcall function 004470DB: __EH_prolog3.LIBCMT ref: 004470E2
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2441700723.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441790678.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441825034.00000000004D7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.00000000004DC000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000509000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000519000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: ErrorLast$FileH_prolog3H_prolog3_StringTemp$AllocDeleteNamePath
                                            • String ID: .tmp$@/L$@/L$_is$|-L
                                            • API String ID: 1310056418-130929492
                                            • Opcode ID: bfa92ce111e33304954c1e22dc028abd8667dbeca938ff0335a0f282a9c9091b
                                            • Instruction ID: cdc1113ea4c74d231ccbddbdb057c41b85e82c13c8e367bc0be9af636cdf0889
                                            • Opcode Fuzzy Hash: bfa92ce111e33304954c1e22dc028abd8667dbeca938ff0335a0f282a9c9091b
                                            • Instruction Fuzzy Hash: 2391AF30900248EFEB05EBA1CD55FDD7778AF15308F5400AEF50967192DBB85B49CB6A
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 0042E71B
                                            • RegOpenKeyExW.ADVAPI32(80000002,SYSTEM\CurrentControlSet\Control\Session Manager\Environment,00000000,00020019,?,000000B8,0042F5CE,?,P/L), ref: 0042E754
                                              • Part of subcall function 00403F50: GetLastError.KERNEL32 ref: 00403F6F
                                              • Part of subcall function 00403F50: SetLastError.KERNEL32(?), ref: 00403F9F
                                              • Part of subcall function 004040F0: SysStringLen.OLEAUT32(?), ref: 004040FE
                                              • Part of subcall function 004040F0: SysReAllocStringLen.OLEAUT32(?,00000001,?), ref: 00404118
                                              • Part of subcall function 004040F0: _wmemcpy_s.LIBCMT ref: 00404145
                                            • RegEnumValueW.ADVAPI32(?,?,00000000,?,00000000,?,00000000,?,?,?,?,?), ref: 0042E888
                                              • Part of subcall function 004053A0: GetLastError.KERNEL32(2E932D87,?,?,?,?,004AC278,000000FF), ref: 004053E2
                                              • Part of subcall function 004053A0: SetLastError.KERNEL32(?,00000000,00000000,000000FF,?,?,?,?,004AC278,000000FF), ref: 0040543E
                                              • Part of subcall function 00401AC0: GetLastError.KERNEL32(?,?,0040E566), ref: 00401ACF
                                              • Part of subcall function 00401AC0: SysFreeString.OLEAUT32(?), ref: 00401AEB
                                              • Part of subcall function 00401AC0: SysFreeString.OLEAUT32(?), ref: 00401AF6
                                              • Part of subcall function 00401AC0: SetLastError.KERNEL32(?), ref: 00401B14
                                            • RegEnumValueW.ADVAPI32(?,00000000,00000000,?,00000000,?,00000000,?,?,00000400,?,00000400), ref: 0042E94B
                                              • Part of subcall function 00403CF0: GetLastError.KERNEL32(2E932D87,?,00000000,74DEDFA0,?,?,?,?,?,?,?,?,00000000,004AC478,000000FF,T4L), ref: 00403D2F
                                              • Part of subcall function 00403CF0: GetLastError.KERNEL32(?,00000000,000000FF), ref: 00403DC9
                                              • Part of subcall function 00403CF0: SysFreeString.OLEAUT32(?), ref: 00403DE3
                                              • Part of subcall function 00403CF0: SysFreeString.OLEAUT32(?), ref: 00403DF0
                                              • Part of subcall function 00403CF0: SetLastError.KERNEL32(?), ref: 00403E14
                                              • Part of subcall function 00403CF0: SetLastError.KERNEL32(?,?,00000000,74DEDFA0,?,?,?,?,?,?,?,?,00000000,004AC478,000000FF,T4L), ref: 00403E1A
                                            Strings
                                            Similarity
                                            • API ID: ErrorLast$String$Free$EnumValue$AllocH_prolog3_Open_wmemcpy_s
                                            • String ID: P/L$P/L$SYSTEM\CurrentControlSet\Control\Session Manager\Environment$T4L$T4L
                                            • API String ID: 802081060-1690745742
                                            • Opcode ID: 308bb98bd5052a1e19987a0a4844abb24b2a51548811d2477baa7fa36349e06b
                                            • Instruction ID: 8cff7c8f36a08ea6961593ecb01b9f7f8e85bfe3ec6f2101e9b3e14620bd614f
                                            • Opcode Fuzzy Hash: 308bb98bd5052a1e19987a0a4844abb24b2a51548811d2477baa7fa36349e06b
                                            • Instruction Fuzzy Hash: 14916271900258DFDB25DFA5C891BDDBBB8BF18304F1040AEE54AB3282DB741A49DF65
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • CreateFileW.KERNEL32(00000000,C0000000,00000001,00000000,00000003,00000080,00000000,?,?,?,?), ref: 0049C47F
                                            • GetFileSize.KERNEL32(00000000,?,?,?,?,?,?,?,?), ref: 0049C4B6
                                            • CreateFileMappingW.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,?,?,?,?,?,?), ref: 0049C4C9
                                            • MapViewOfFile.KERNEL32(00000000,?,00000000,00000000,00000000,?,?,?,?,?,?,?), ref: 0049C4E1
                                            • __allrem.LIBCMT ref: 0049C520
                                            • UnmapViewOfFile.KERNEL32(00000000,?,?,?,?,?,?,?), ref: 0049C586
                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?), ref: 0049C58F
                                            • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?), ref: 0049C599
                                            Strings
                                            Similarity
                                            • API ID: File$CloseCreateHandleView$MappingSizeUnmap__allrem
                                            • String ID: lJ
                                            • API String ID: 3476395881-496827753
                                            • Opcode ID: 922d89501ecbc639f8f6c24e6d568a34c74741d8c3fd3899ce6649435f5c27aa
                                            • Instruction ID: 15958081234dcb66c9fc530a50b4672f1d05b3945c41733da6f1a579c2539a87
                                            • Opcode Fuzzy Hash: 922d89501ecbc639f8f6c24e6d568a34c74741d8c3fd3899ce6649435f5c27aa
                                            • Instruction Fuzzy Hash: 9E4160B1900229BFDF119FA5DC859AFBFB8EF09760F01452AF915E3251D734AA10CBA4
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetLastError.KERNEL32(?,0045028D,?,?,?,00000000,?,00415586,?,?,?,0000010C,004243E8,?,00000003,00000000), ref: 00450064
                                            • wsprintfW.USER32 ref: 00450098
                                            • lstrcatW.KERNEL32(?,?), ref: 004500AC
                                            • ResetEvent.KERNEL32(?,00000002,?,0045028D,?,?,?,00000000,?,00415586,?,?,?,0000010C,004243E8,?), ref: 004500BB
                                            • GetLastError.KERNEL32(?,0045028D,?,?,?,00000000,?,00415586,?,?,?,0000010C,004243E8,?,00000003,00000000), ref: 004500C7
                                            • ResetEvent.KERNEL32(0000000E,00000002,?,0045028D,?,?,?,00000000,?,00415586,?,?,?,0000010C,004243E8,?), ref: 00450122
                                            Strings
                                            Similarity
                                            • API ID: ErrorEventLastReset$lstrcatwsprintf
                                            • String ID: A$Range: bytes=%d-$Range: bytes=%d-
                                            • API String ID: 2894917480-4039695729
                                            • Opcode ID: 6fcbd3db4730df72ba2ab927a36c7d3a97c1c80cb252543f66662816af8bc60c
                                            • Instruction ID: b1e300c78a8eb2fc5f889235aff39914ca9957faf1e2b898e1473a8cb950363b
                                            • Opcode Fuzzy Hash: 6fcbd3db4730df72ba2ab927a36c7d3a97c1c80cb252543f66662816af8bc60c
                                            • Instruction Fuzzy Hash: DA416E39100100EFDF199F15ECC9A6A7FA8EF45702B1840AAFE05CA267D736DC45DB29
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 0043E2DD
                                              • Part of subcall function 00404200: GetLastError.KERNEL32 ref: 0040421F
                                              • Part of subcall function 00404200: SetLastError.KERNEL32(?), ref: 0040424F
                                            • GetSystemDirectoryW.KERNEL32(00000000,00000104), ref: 0043E413
                                              • Part of subcall function 0040B827: __EH_prolog3.LIBCMT ref: 0040B82E
                                              • Part of subcall function 0040B827: GetLastError.KERNEL32(00000004,00416939,00000008,004238F4,dJ,00000001,?,00000000), ref: 0040B847
                                            • __CxxThrowException@8.LIBCMT ref: 0043E362
                                              • Part of subcall function 0045A466: RaiseException.KERNEL32(?,?,00459FCC,00000000,?,?,?,?,00459FCC,00000000,004D0E78,?), ref: 0045A4B7
                                            • GetWindowsDirectoryW.KERNEL32(00000000,00000104,?,00000104,00000078,00444282,?,00000000,00000068,00486772,?,004C2FA0,uxtheme.dll,?,00000000), ref: 0043E335
                                              • Part of subcall function 00409574: __EH_prolog3_GS.LIBCMT ref: 0040957B
                                              • Part of subcall function 00409574: GetLastError.KERNEL32(00000038,0040DDFB,004492A1,?,004AFFA0), ref: 00409582
                                              • Part of subcall function 00409574: SetLastError.KERNEL32(00000000), ref: 004095D6
                                            • GetWindowsDirectoryW.KERNEL32(00000000,00000104,?,00000104,00000078,00444282,?,00000000,00000068,00486772,?,004C2FA0,uxtheme.dll,?,00000000), ref: 0043E3A6
                                              • Part of subcall function 0040A0F0: SysStringLen.OLEAUT32(?), ref: 0040A0FD
                                              • Part of subcall function 0040A0F0: SysReAllocStringLen.OLEAUT32(?,00000001,?), ref: 0040A117
                                            Strings
                                            Similarity
                                            • API ID: ErrorLast$Directory$H_prolog3_StringWindows$AllocExceptionException@8H_prolog3RaiseSystemThrow
                                            • String ID: @/L$lJ$sysnative$syswow64
                                            • API String ID: 415710860-2847466861
                                            • Opcode ID: be719962b1b9a8d2b8ab7cbedfd67d19f4a841048412a6d19451b464d16df97b
                                            • Instruction ID: 2134382ef336b3a675b4594a16f7ebd393181ec0228d794400fe4d4d7225ed91
                                            • Opcode Fuzzy Hash: be719962b1b9a8d2b8ab7cbedfd67d19f4a841048412a6d19451b464d16df97b
                                            • Instruction Fuzzy Hash: A441A231901248DECB10EBE6C885BDDBB74AF1A308F54806FE54177292DFB85A0DDB59
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetLastError.KERNEL32(2E932D87,?,?), ref: 0048668D
                                            • SetLastError.KERNEL32(?,?,?), ref: 004866BD
                                              • Part of subcall function 00408F6D: __EH_prolog3.LIBCMT ref: 00408F74
                                              • Part of subcall function 00408F6D: GetLastError.KERNEL32(00000004,004091E9,00000000,?,00000000,00000000), ref: 00408F96
                                              • Part of subcall function 00408F6D: SetLastError.KERNEL32(?,00000000,?), ref: 00408FCF
                                              • Part of subcall function 00444261: __EH_prolog3_GS.LIBCMT ref: 00444268
                                            • LoadLibraryW.KERNEL32(-00000004,?,?), ref: 00486781
                                            • GetProcAddress.KERNEL32(?,SetWindowTheme), ref: 004867C8
                                            Strings
                                            Similarity
                                            • API ID: ErrorLast$AddressH_prolog3H_prolog3_LibraryLoadProc
                                            • String ID: @/L$SetWindowTheme$dJ$lJ$uxtheme.dll
                                            • API String ID: 2791025668-3152267377
                                            • Opcode ID: 05438a7ba360c899f4ec209ee4ed2754cfea640659ab5f7e611221f13d8250a6
                                            • Instruction ID: 2397f6712057be68e4de63de1d47c0fb54ab9de82be4cf15e2e5ef4b9476a4ff
                                            • Opcode Fuzzy Hash: 05438a7ba360c899f4ec209ee4ed2754cfea640659ab5f7e611221f13d8250a6
                                            • Instruction Fuzzy Hash: 925158B090074AEFD744DF66C988B9ABBB4FF04308F10416EE40597A90D7B9A528CFD4
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Strings
                                            Similarity
                                            • API ID: H_prolog3_
                                            • String ID: ..\..\Shared\Setup\SetupPreRequisite.cpp$CSetupPreRequisite::ExecuteMsiWithProgress$Launching MSI prerequisite %s, command line %s$P/L$P/L$T4L$T4L$T4L
                                            • API String ID: 2427045233-2972178079
                                            • Opcode ID: b74f44030ade5f35b2185295704e458ec2cf4f76c92aa5a29ac19143f543c10c
                                            • Instruction ID: 9a26429b9db501e46e10bf836c7dba27a9b9aa523acc5229f19a120faa493376
                                            • Opcode Fuzzy Hash: b74f44030ade5f35b2185295704e458ec2cf4f76c92aa5a29ac19143f543c10c
                                            • Instruction Fuzzy Hash: 8D41A570900218EECB15EBA1CC95BDEBBB8BF05304F5440AFE44967182DB786B49CF69
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • std::exception::exception.LIBCMT ref: 00459FE0
                                              • Part of subcall function 0045C729: std::exception::_Copy_str.LIBCMT ref: 0045C742
                                            • __CxxThrowException@8.LIBCMT ref: 00459FF5
                                              • Part of subcall function 0045A466: RaiseException.KERNEL32(?,?,00459FCC,00000000,?,?,?,?,00459FCC,00000000,004D0E78,?), ref: 0045A4B7
                                            • std::exception::exception.LIBCMT ref: 0045A00E
                                            • __CxxThrowException@8.LIBCMT ref: 0045A023
                                            • std::regex_error::regex_error.LIBCPMT ref: 0045A035
                                              • Part of subcall function 00459CA5: std::exception::exception.LIBCMT ref: 00459CBF
                                            • __CxxThrowException@8.LIBCMT ref: 0045A043
                                            • std::exception::exception.LIBCMT ref: 0045A05C
                                            • __CxxThrowException@8.LIBCMT ref: 0045A071
                                            Strings
                                            Similarity
                                            • API ID: Exception@8Throwstd::exception::exception$Copy_strExceptionRaisestd::exception::_std::regex_error::regex_error
                                            • String ID: bad function call
                                            • API String ID: 2464034642-3612616537
                                            • Opcode ID: 62ec070fb249bad3c887c7cc24faaad3d93d20169f6d5f22a8d7e1168cb87a47
                                            • Instruction ID: 1cc90383c1ac0bc67d0b26205239dd79d98d37ed18f989b87122f1707719383f
                                            • Opcode Fuzzy Hash: 62ec070fb249bad3c887c7cc24faaad3d93d20169f6d5f22a8d7e1168cb87a47
                                            • Instruction Fuzzy Hash: FD11D37580020CBB8B04EFD5D8859CD7BBCAA08344F50C56BFD1597541EB74A7588FD9
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetWindowRect.USER32(?,?), ref: 00488E44
                                            • ScreenToClient.USER32(?,?), ref: 00488E56
                                            • ScreenToClient.USER32(?,?), ref: 00488E6A
                                            • CreateCompatibleDC.GDI32(?), ref: 00488E87
                                            • CreateCompatibleBitmap.GDI32(?,?,?), ref: 00488E9A
                                            • SelectObject.GDI32(00000000,00000000), ref: 00488EA4
                                            • BitBlt.GDI32(00000000,00000000,00000000,?,?,?,?,?,00CC0020), ref: 00488EC7
                                            • CreatePatternBrush.GDI32(00000000), ref: 00488ECE
                                            • DeleteObject.GDI32(00000000), ref: 00488ED7
                                            • DeleteDC.GDI32(00000000), ref: 00488EDE
                                            Similarity
                                            • API ID: Create$ClientCompatibleDeleteObjectScreen$BitmapBrushPatternRectSelectWindow
                                            • String ID:
                                            • API String ID: 3450704212-0
                                            • Opcode ID: cf7c7d20052ae2839674c43f1f87d76bf706b61f0c56962b41ee0e9b41c1e847
                                            • Instruction ID: 2a29c482f22e08526d3cf4e3a7d650e0fdbfea24619a8449f596064a50d39988
                                            • Opcode Fuzzy Hash: cf7c7d20052ae2839674c43f1f87d76bf706b61f0c56962b41ee0e9b41c1e847
                                            • Instruction Fuzzy Hash: 0A31D876900229AFCB00DFA5DC88EEEBFB8FF4D310F14446AE915A7221D6756944CFA4
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 0042CB00
                                              • Part of subcall function 004053A0: GetLastError.KERNEL32(2E932D87,?,?,?,?,004AC278,000000FF), ref: 004053E2
                                              • Part of subcall function 004053A0: SetLastError.KERNEL32(?,00000000,00000000,000000FF,?,?,?,?,004AC278,000000FF), ref: 0040543E
                                            • GetModuleHandleW.KERNEL32(?), ref: 0042CC9A
                                              • Part of subcall function 00408F6D: __EH_prolog3.LIBCMT ref: 00408F74
                                              • Part of subcall function 00408F6D: GetLastError.KERNEL32(00000004,004091E9,00000000,?,00000000,00000000), ref: 00408F96
                                              • Part of subcall function 00408F6D: SetLastError.KERNEL32(?,00000000,?), ref: 00408FCF
                                              • Part of subcall function 00424632: __EH_prolog3.LIBCMT ref: 00424639
                                              • Part of subcall function 00401B80: GetLastError.KERNEL32(?,00000000,00409F66,00000000,?,00000000,?,00000001,00000048,00409E02,004C2FA0,?,00000000,00000000,0000003C,00409181), ref: 00401B8F
                                              • Part of subcall function 00401B80: SysFreeString.OLEAUT32(00000000), ref: 00401BAB
                                              • Part of subcall function 00401B80: SysFreeString.OLEAUT32(0000002C), ref: 00401BB6
                                              • Part of subcall function 00401B80: SetLastError.KERNEL32(?), ref: 00401BD4
                                              • Part of subcall function 00425464: __EH_prolog3_GS.LIBCMT ref: 0042546E
                                              • Part of subcall function 00425464: __CxxThrowException@8.LIBCMT ref: 004254D3
                                              • Part of subcall function 00425464: GetFileSize.KERNEL32(?,?,00000108,00424345,00000000,00000010,004246AC,?,?,?,?,?,?,00000000), ref: 004254DC
                                              • Part of subcall function 00425464: GetLastError.KERNEL32(?,?,?,?,?,?,00000000), ref: 004254E9
                                            • CopyFileW.KERNEL32(?,00000004,00000000,?), ref: 0042CE20
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2441700723.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441790678.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441825034.00000000004D7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.00000000004DC000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000509000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000519000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: ErrorLast$FileFreeH_prolog3H_prolog3_String$CopyException@8HandleModuleSizeThrow
                                            • String ID: P/L$P/L$T4L$T4L$|-L
                                            • API String ID: 3870862371-422448004
                                            • Opcode ID: 6c388f0004c163faefbbf7cf78ae40eb0d408bf96a58c24b2aa01b12ed92a5ff
                                            • Instruction ID: c36dbe24691370739a9835a1c444a55bb41bf866527fb03aff7f3bd6c98a6da1
                                            • Opcode Fuzzy Hash: 6c388f0004c163faefbbf7cf78ae40eb0d408bf96a58c24b2aa01b12ed92a5ff
                                            • Instruction Fuzzy Hash: DFE17131A00128EEDF24EB65D991BDEB7B4AF15304F9040EEE409A3191DB785B89CF69
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 004498C0
                                              • Part of subcall function 00408E82: __EH_prolog3.LIBCMT ref: 00408E89
                                              • Part of subcall function 00408E82: GetLastError.KERNEL32(00000004,00409E1B,004C2FA0,00000000,0043A706,?,?,00000001), ref: 00408EAB
                                              • Part of subcall function 00408E82: SetLastError.KERNEL32(?,00000000), ref: 00408EE3
                                              • Part of subcall function 00442F46: __EH_prolog3_GS.LIBCMT ref: 00442F50
                                            • GetLastError.KERNEL32 ref: 0044991A
                                              • Part of subcall function 004496BE: __EH_prolog3.LIBCMT ref: 004496C5
                                            • GetLastError.KERNEL32 ref: 00449992
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2441700723.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441790678.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441825034.00000000004D7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.00000000004DC000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000509000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000519000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: ErrorLast$H_prolog3H_prolog3_
                                            • String ID: @/L
                                            • API String ID: 852442433-3803013380
                                            • Opcode ID: 499a8692055b1bd0abb634e00a3efd751056c4f155555fd232e2a900935cf14f
                                            • Instruction ID: 1b2d1e4f24ae07c6c5dbd6125e24edbfe70c6bcde94f42e85396bf2ef9296fe3
                                            • Opcode Fuzzy Hash: 499a8692055b1bd0abb634e00a3efd751056c4f155555fd232e2a900935cf14f
                                            • Instruction Fuzzy Hash: 3981E6B1801218DADB10EF65CC46BDE7B78EF15304F10409FF90A96292EB745E49CBE9
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 00419BA1
                                              • Part of subcall function 00404200: GetLastError.KERNEL32 ref: 0040421F
                                              • Part of subcall function 00404200: SetLastError.KERNEL32(?), ref: 0040424F
                                              • Part of subcall function 00408F6D: __EH_prolog3.LIBCMT ref: 00408F74
                                              • Part of subcall function 00408F6D: GetLastError.KERNEL32(00000004,004091E9,00000000,?,00000000,00000000), ref: 00408F96
                                              • Part of subcall function 00408F6D: SetLastError.KERNEL32(?,00000000,?), ref: 00408FCF
                                              • Part of subcall function 0040B91E: __EH_prolog3_GS.LIBCMT ref: 0040B925
                                              • Part of subcall function 00401B80: GetLastError.KERNEL32(?,00000000,00409F66,00000000,?,00000000,?,00000001,00000048,00409E02,004C2FA0,?,00000000,00000000,0000003C,00409181), ref: 00401B8F
                                              • Part of subcall function 00401B80: SysFreeString.OLEAUT32(00000000), ref: 00401BAB
                                              • Part of subcall function 00401B80: SysFreeString.OLEAUT32(0000002C), ref: 00401BB6
                                              • Part of subcall function 00401B80: SetLastError.KERNEL32(?), ref: 00401BD4
                                              • Part of subcall function 00408E82: __EH_prolog3.LIBCMT ref: 00408E89
                                              • Part of subcall function 00408E82: GetLastError.KERNEL32(00000004,00409E1B,004C2FA0,00000000,0043A706,?,?,00000001), ref: 00408EAB
                                              • Part of subcall function 00408E82: SetLastError.KERNEL32(?,00000000), ref: 00408EE3
                                              • Part of subcall function 00441E34: __EH_prolog3_GS.LIBCMT ref: 00441E3E
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2441700723.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441790678.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441825034.00000000004D7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.00000000004DC000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000509000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000519000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: ErrorLast$H_prolog3_$FreeH_prolog3String
                                            • String ID: @/L$@/L$@/L$@/L$setup.bmp$setup.gif$setupdir\%04x
                                            • API String ID: 888054269-4254738307
                                            • Opcode ID: 672ac12cd494c294278351bdb7a3fd0961247bd135543c8ec272f2ef48014c1e
                                            • Instruction ID: 2589b504f36761d3e1ad1fc738782170f700540b2eb055d81e53434017a2e2fe
                                            • Opcode Fuzzy Hash: 672ac12cd494c294278351bdb7a3fd0961247bd135543c8ec272f2ef48014c1e
                                            • Instruction Fuzzy Hash: BF917FB190021CEACB15EBA4C951FDEB7B8AF18308F14019FE54963192EBB45B49CB69
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 0040D272
                                              • Part of subcall function 00404200: GetLastError.KERNEL32 ref: 0040421F
                                              • Part of subcall function 00404200: SetLastError.KERNEL32(?), ref: 0040424F
                                              • Part of subcall function 0040B22B: __EH_prolog3_GS.LIBCMT ref: 0040B232
                                              • Part of subcall function 0040A206: __EH_prolog3_GS.LIBCMT ref: 0040A210
                                              • Part of subcall function 0040B91E: __EH_prolog3_GS.LIBCMT ref: 0040B925
                                              • Part of subcall function 00401B80: GetLastError.KERNEL32(?,00000000,00409F66,00000000,?,00000000,?,00000001,00000048,00409E02,004C2FA0,?,00000000,00000000,0000003C,00409181), ref: 00401B8F
                                              • Part of subcall function 00401B80: SysFreeString.OLEAUT32(00000000), ref: 00401BAB
                                              • Part of subcall function 00401B80: SysFreeString.OLEAUT32(0000002C), ref: 00401BB6
                                              • Part of subcall function 00401B80: SetLastError.KERNEL32(?), ref: 00401BD4
                                              • Part of subcall function 0044BDFA: __EH_prolog3.LIBCMT ref: 0044BE01
                                              • Part of subcall function 00408E82: __EH_prolog3.LIBCMT ref: 00408E89
                                              • Part of subcall function 00408E82: GetLastError.KERNEL32(00000004,00409E1B,004C2FA0,00000000,0043A706,?,?,00000001), ref: 00408EAB
                                              • Part of subcall function 00408E82: SetLastError.KERNEL32(?,00000000), ref: 00408EE3
                                              • Part of subcall function 0044DA4D: __EH_prolog3_GS.LIBCMT ref: 0044DA57
                                              • Part of subcall function 004090B1: __EH_prolog3_GS.LIBCMT ref: 004090B8
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2441700723.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441790678.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441825034.00000000004D7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.00000000004DC000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000509000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000519000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: ErrorH_prolog3_Last$FreeH_prolog3String
                                            • String ID: %ld$.ini$0x%04x$@/L$@/L$@/L$@/L
                                            • API String ID: 80789219-516300192
                                            • Opcode ID: d8502fec1fd83111db85eb0d82d4ba8d11a4575654ae016aa7c73600f7d73ff0
                                            • Instruction ID: b3cc2b071437a2081222209709ce3d136839505f496cc787cef8989ad92d6d7f
                                            • Opcode Fuzzy Hash: d8502fec1fd83111db85eb0d82d4ba8d11a4575654ae016aa7c73600f7d73ff0
                                            • Instruction Fuzzy Hash: 0571837180021CEADB10EBA5CD45BDDBBB8AF55308F1440DEE509B3182DBB85B48CBA9
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3.LIBCMT ref: 00449764
                                            • GetModuleHandleW.KERNEL32(shell32.dll,SHFileOperationW,0000003C,004412FC,?,00000000), ref: 00449780
                                            • GetProcAddress.KERNEL32(00000000), ref: 00449789
                                            • GetModuleHandleW.KERNEL32(shell32.dll,SHFileOperationA), ref: 00449817
                                            • GetProcAddress.KERNEL32(00000000), ref: 0044981A
                                              • Part of subcall function 0040A0F0: SysStringLen.OLEAUT32(?), ref: 0040A0FD
                                              • Part of subcall function 0040A0F0: SysReAllocStringLen.OLEAUT32(?,00000001,?), ref: 0040A117
                                              • Part of subcall function 0043DF31: _memset.LIBCMT ref: 0043DF3F
                                              • Part of subcall function 00409574: __EH_prolog3_GS.LIBCMT ref: 0040957B
                                              • Part of subcall function 00409574: GetLastError.KERNEL32(00000038,0040DDFB,004492A1,?,004AFFA0), ref: 00409582
                                              • Part of subcall function 00409574: SetLastError.KERNEL32(00000000), ref: 004095D6
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2441700723.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441790678.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441825034.00000000004D7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.00000000004DC000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000509000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000519000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: AddressErrorHandleLastModuleProcString$AllocH_prolog3H_prolog3__memset
                                            • String ID: SHFileOperationA$SHFileOperationW$shell32.dll
                                            • API String ID: 2238935536-1880307489
                                            • Opcode ID: 403216bd0e91134ddec93d0757ae6b5cf4e04a418ecbec8c7119996f1023fc7d
                                            • Instruction ID: 82e1dcefaf5b38845a4e38a086992c5bfe2de4daf0acf35e94c23cad833e38d1
                                            • Opcode Fuzzy Hash: 403216bd0e91134ddec93d0757ae6b5cf4e04a418ecbec8c7119996f1023fc7d
                                            • Instruction Fuzzy Hash: 6741A671900309AEDB01EFA5CC41FDEBFB89F15304F14405EF905A7292DBB89A45CBA9
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetPropW.USER32(?,This), ref: 004390F9
                                            • GetWindowLongW.USER32(?,000000F4), ref: 0043913B
                                            • GetSysColor.USER32(00000005), ref: 0043915C
                                            • SetBkColor.GDI32(?,00000000), ref: 00439166
                                            • SetPropW.USER32(?,This,?), ref: 004391D8
                                            • RemovePropW.USER32(?,This), ref: 004391FD
                                            • DefWindowProcW.USER32(?,?,?,?), ref: 0043920F
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2441700723.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441790678.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441825034.00000000004D7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.00000000004DC000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000509000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000519000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: Prop$ColorWindow$LongProcRemove
                                            • String ID: This
                                            • API String ID: 1744480154-1591487769
                                            • Opcode ID: c3b06b085747a868f0557f887ee4b44ee0eb8835c087535afdb5271996f0c7d5
                                            • Instruction ID: c734fadf3586be9cfb2d03bb6e43c38dc181511a55f91df0914daf74a3f7053e
                                            • Opcode Fuzzy Hash: c3b06b085747a868f0557f887ee4b44ee0eb8835c087535afdb5271996f0c7d5
                                            • Instruction Fuzzy Hash: DB31AD34200905BBDB285FA9DD4CD2B7BA8FF0D315F10188AF466D73A1CBB8DD018A69
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetLastError.KERNEL32(2E932D87,?,00000003,00000000,?,?,?,?,?,?,?,?,00000000,004AC3E0,000000FF), ref: 004059A4
                                            • SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,004AC3E0,000000FF), ref: 004059DA
                                            • GetLastError.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000,004AC3E0,000000FF), ref: 00405A25
                                            • SysFreeString.OLEAUT32(000000FF), ref: 00405A41
                                            • SysFreeString.OLEAUT32(?), ref: 00405A4C
                                            • SetLastError.KERNEL32(?), ref: 00405A6C
                                            • SetLastError.KERNEL32(00000003), ref: 00405A76
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2441700723.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441790678.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441825034.00000000004D7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.00000000004DC000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000509000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000519000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: ErrorLast$FreeString
                                            • String ID: T4L
                                            • API String ID: 2425351278-1354015026
                                            • Opcode ID: 9c97ba61bc56eddfd076f442ad99ff4f6c67ca2cffa0b5ea2a0af6de39cb4a05
                                            • Instruction ID: 1d50ff39d37cd8aa85c9e9d149d21a44b15b42f639968989123202e4cf14c0ac
                                            • Opcode Fuzzy Hash: 9c97ba61bc56eddfd076f442ad99ff4f6c67ca2cffa0b5ea2a0af6de39cb4a05
                                            • Instruction Fuzzy Hash: 79412A75A00209EFDB00DF69C985B9ABBF4FF08314F14412AE819E7690DB75A911CF98
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 0040CDB8
                                              • Part of subcall function 00404200: GetLastError.KERNEL32 ref: 0040421F
                                              • Part of subcall function 00404200: SetLastError.KERNEL32(?), ref: 0040424F
                                              • Part of subcall function 0040B22B: __EH_prolog3_GS.LIBCMT ref: 0040B232
                                              • Part of subcall function 0040A206: __EH_prolog3_GS.LIBCMT ref: 0040A210
                                              • Part of subcall function 0040B91E: __EH_prolog3_GS.LIBCMT ref: 0040B925
                                              • Part of subcall function 00401B80: GetLastError.KERNEL32(?,00000000,00409F66,00000000,?,00000000,?,00000001,00000048,00409E02,004C2FA0,?,00000000,00000000,0000003C,00409181), ref: 00401B8F
                                              • Part of subcall function 00401B80: SysFreeString.OLEAUT32(00000000), ref: 00401BAB
                                              • Part of subcall function 00401B80: SysFreeString.OLEAUT32(0000002C), ref: 00401BB6
                                              • Part of subcall function 00401B80: SetLastError.KERNEL32(?), ref: 00401BD4
                                              • Part of subcall function 00408E82: __EH_prolog3.LIBCMT ref: 00408E89
                                              • Part of subcall function 00408E82: GetLastError.KERNEL32(00000004,00409E1B,004C2FA0,00000000,0043A706,?,?,00000001), ref: 00408EAB
                                              • Part of subcall function 00408E82: SetLastError.KERNEL32(?,00000000), ref: 00408EE3
                                              • Part of subcall function 0044585A: __EH_prolog3_GS.LIBCMT ref: 00445864
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2441700723.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441790678.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441825034.00000000004D7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.00000000004DC000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000509000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000519000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: ErrorLast$H_prolog3_$FreeString$H_prolog3
                                            • String ID: .ini$0x%04x$@/L$@/L$FontName$MS Sans Serif$Properties
                                            • API String ID: 1949661404-2396576412
                                            • Opcode ID: 3497470fb53890255652dcb6219d41613a2223ebb5d32017a503bbd40baa1afb
                                            • Instruction ID: 852665918b4d215c2952b0b1f833bbc88fc080e3296a1f32bd5dd132b01d9c4b
                                            • Opcode Fuzzy Hash: 3497470fb53890255652dcb6219d41613a2223ebb5d32017a503bbd40baa1afb
                                            • Instruction Fuzzy Hash: 1241B671900218EADB14FBA5CC56BEDB7B8AF55704F0040DFF408A7182DBB81B48CBA6
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 00444D26
                                            • GetEnvironmentVariableW.KERNEL32(Path,-004D9AE4,-004D9AE4,00000074), ref: 00444D52
                                              • Part of subcall function 00404200: GetLastError.KERNEL32 ref: 0040421F
                                              • Part of subcall function 00404200: SetLastError.KERNEL32(?), ref: 0040424F
                                              • Part of subcall function 0040A0F0: SysStringLen.OLEAUT32(?), ref: 0040A0FD
                                              • Part of subcall function 0040A0F0: SysReAllocStringLen.OLEAUT32(?,00000001,?), ref: 0040A117
                                            • GetEnvironmentVariableW.KERNEL32(Path,00000000,00000000,?,00000001), ref: 00444D99
                                              • Part of subcall function 00409574: __EH_prolog3_GS.LIBCMT ref: 0040957B
                                              • Part of subcall function 00409574: GetLastError.KERNEL32(00000038,0040DDFB,004492A1,?,004AFFA0), ref: 00409582
                                              • Part of subcall function 00409574: SetLastError.KERNEL32(00000000), ref: 004095D6
                                            • ExpandEnvironmentStringsW.KERNEL32(?,00000000,00000000), ref: 00444DBC
                                            • ExpandEnvironmentStringsW.KERNEL32(?,00000000,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 00444E0A
                                              • Part of subcall function 0041525D: __EH_prolog3_GS.LIBCMT ref: 00415264
                                              • Part of subcall function 00401B80: GetLastError.KERNEL32(?,00000000,00409F66,00000000,?,00000000,?,00000001,00000048,00409E02,004C2FA0,?,00000000,00000000,0000003C,00409181), ref: 00401B8F
                                              • Part of subcall function 00401B80: SysFreeString.OLEAUT32(00000000), ref: 00401BAB
                                              • Part of subcall function 00401B80: SysFreeString.OLEAUT32(0000002C), ref: 00401BB6
                                              • Part of subcall function 00401B80: SetLastError.KERNEL32(?), ref: 00401BD4
                                            Strings
                                            Similarity
                                            • API ID: ErrorLast$EnvironmentString$H_prolog3_$ExpandFreeStringsVariable$Alloc
                                            • String ID: @/L$@/L$Path
                                            • API String ID: 1074818151-3554151785
                                            • Opcode ID: abbeb50438e57837bb4e655d190607e1fcf6f37cafd40e8cfdc8cf256c917fca
                                            • Instruction ID: 6b91a257a750812075f1071927e0505a25add33ce3993652b0e9007b79f1258f
                                            • Opcode Fuzzy Hash: abbeb50438e57837bb4e655d190607e1fcf6f37cafd40e8cfdc8cf256c917fca
                                            • Instruction Fuzzy Hash: 62316171900218EEDB15EBE5CC95FDEBBBCAF55308F10406EE501B7292DBB85A08CB65
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3.LIBCMT ref: 00438F41
                                            • GetDlgItem.USER32(?,000003F2), ref: 00438F56
                                            • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00438F68
                                            • GetDlgItem.USER32(?,000003ED), ref: 00438F7B
                                            • SendMessageW.USER32(00000000,0000100C,000000FF,00000002), ref: 00438F89
                                            • _memset.LIBCMT ref: 00438F95
                                            • SendMessageW.USER32 ref: 00438FB3
                                              • Part of subcall function 00408E82: __EH_prolog3.LIBCMT ref: 00408E89
                                              • Part of subcall function 00408E82: GetLastError.KERNEL32(00000004,00409E1B,004C2FA0,00000000,0043A706,?,?,00000001), ref: 00408EAB
                                              • Part of subcall function 00408E82: SetLastError.KERNEL32(?,00000000), ref: 00408EE3
                                              • Part of subcall function 00439266: __EH_prolog3.LIBCMT ref: 0043926D
                                            Strings
                                            Similarity
                                            • API ID: H_prolog3MessageSend$ErrorItemLast$_memset
                                            • String ID: @/L
                                            • API String ID: 693980260-3803013380
                                            • Opcode ID: b1417db1badb547c652598dd3526624cd09d6663e1c6ace455e62c8c1152e618
                                            • Instruction ID: adbb50a416dfcfd33e8dcaf3e3114e4bd13b1232064233bf39035550a3ec9bf9
                                            • Opcode Fuzzy Hash: b1417db1badb547c652598dd3526624cd09d6663e1c6ace455e62c8c1152e618
                                            • Instruction Fuzzy Hash: F631A271A00214ABEB10EFA5CD46F5DBBB8EF08714F15815AF505AF2D2C7B49D01CB89
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                              • Part of subcall function 00405F80: GetLastError.KERNEL32(00000001,753CE860,2E932D87,?,74DEE010,?,?,004AC698,000000FF,T4L,004049B4), ref: 00405FF4
                                              • Part of subcall function 00405F80: SetLastError.KERNEL32(?,00000007,00000000,000000FF), ref: 00406042
                                            • GetLastError.KERNEL32 ref: 004049C1
                                            • SysFreeString.OLEAUT32(?), ref: 004049DF
                                            • SysFreeString.OLEAUT32(?), ref: 004049EC
                                            • SetLastError.KERNEL32(?), ref: 00404A16
                                            • GetLastError.KERNEL32 ref: 00404A25
                                            • SetLastError.KERNEL32(?,00000000,00000000,000000FF), ref: 00404A7F
                                            Strings
                                            Similarity
                                            • API ID: ErrorLast$FreeString
                                            • String ID: T4L$T4L
                                            • API String ID: 2425351278-3367740000
                                            • Opcode ID: 058cff7a5df4e6d868abe48a367cce014fb2891f3a17672302919ae29e5b005f
                                            • Instruction ID: 32c3651e55e86741e28abfdec92bbce572763d66b3ad848a02f8ce83922ad317
                                            • Opcode Fuzzy Hash: 058cff7a5df4e6d868abe48a367cce014fb2891f3a17672302919ae29e5b005f
                                            • Instruction Fuzzy Hash: 64312AB1508741AFD700CF29C845B16BBE4FF88318F104A2EF855976A1D7B5E819CF8A
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 00422810
                                            • _memmove.LIBCMT ref: 0042282A
                                              • Part of subcall function 004043D0: GetLastError.KERNEL32(2E932D87,74DEDFA0,?,74DEE010,?,?,?,?,?,?,004AC3A0,000000FF,?,00403D9D,?,?), ref: 00404421
                                              • Part of subcall function 004043D0: SetLastError.KERNEL32(?,?,?,?,?,?,?,004AC3A0,000000FF,?,00403D9D,?,?), ref: 00404451
                                              • Part of subcall function 004043D0: GetLastError.KERNEL32(00000000,00000000,00000000,?,00000001,?,?,?,?,?,?,004AC3A0,000000FF,?,00403D9D,?), ref: 004044A1
                                              • Part of subcall function 004043D0: SysFreeString.OLEAUT32(?), ref: 004044BD
                                              • Part of subcall function 004043D0: SysFreeString.OLEAUT32(?), ref: 004044C8
                                              • Part of subcall function 004043D0: SetLastError.KERNEL32(?), ref: 004044E8
                                            • lstrcpyW.KERNEL32(?,-00000004), ref: 00422860
                                            • __setjmp3.LIBCMT ref: 00422881
                                            • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 004228A0
                                            • _memmove.LIBCMT ref: 0042292A
                                            Strings
                                            Similarity
                                            • API ID: ErrorLast$FreeString_memmove$AddressH_prolog3_Proc__setjmp3lstrcpy
                                            • String ID: DllGetClassObject$setup.cpp
                                            • API String ID: 1563037923-408802517
                                            • Opcode ID: 66f1c59ac71a33efdcddd3dcdf49953bf7b0f9f938df8a0b2696b01515643e3b
                                            • Instruction ID: ecd6348c71aad56a1ed06a8bc105ad6356619fc000b3944777252f3456d37dc4
                                            • Opcode Fuzzy Hash: 66f1c59ac71a33efdcddd3dcdf49953bf7b0f9f938df8a0b2696b01515643e3b
                                            • Instruction Fuzzy Hash: 1831A471A00209AFDB14EBA5CC41FAE7778BB44704F1440AEF509E7281DBB8AF488B65
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • UnDecorator::getArgumentList.LIBCMT ref: 004711F4
                                              • Part of subcall function 004710C7: Replicator::operator[].LIBCMT ref: 00471143
                                              • Part of subcall function 004710C7: DName::operator+=.LIBCMT ref: 0047114B
                                            • DName::operator+.LIBCMT ref: 0047124F
                                            • DName::DName.LIBCMT ref: 004712A7
                                            Strings
                                            Similarity
                                            • API ID: ArgumentDecorator::getListNameName::Name::operator+Name::operator+=Replicator::operator[]
                                            • String ID: ,...$,<ellipsis>$...$<ellipsis>$void
                                            • API String ID: 834187326-2211150622
                                            • Opcode ID: 8217b5c887c384039c40dde4328477bc28f00afdf0f4efe002ef6c57d57cf4e5
                                            • Instruction ID: cbe1d6784aac912a255005b07126b8380ed1ee788e7090444351a289da9a6356
                                            • Opcode Fuzzy Hash: 8217b5c887c384039c40dde4328477bc28f00afdf0f4efe002ef6c57d57cf4e5
                                            • Instruction Fuzzy Hash: 692166706012459FCB04CF5CE594AE63BE4EB09304B14C2ABE44AEB762CB38D941CB8D
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 0041C60D
                                            • _memmove.LIBCMT ref: 0041C627
                                              • Part of subcall function 004043D0: GetLastError.KERNEL32(2E932D87,74DEDFA0,?,74DEE010,?,?,?,?,?,?,004AC3A0,000000FF,?,00403D9D,?,?), ref: 00404421
                                              • Part of subcall function 004043D0: SetLastError.KERNEL32(?,?,?,?,?,?,?,004AC3A0,000000FF,?,00403D9D,?,?), ref: 00404451
                                              • Part of subcall function 004043D0: GetLastError.KERNEL32(00000000,00000000,00000000,?,00000001,?,?,?,?,?,?,004AC3A0,000000FF,?,00403D9D,?), ref: 004044A1
                                              • Part of subcall function 004043D0: SysFreeString.OLEAUT32(?), ref: 004044BD
                                              • Part of subcall function 004043D0: SysFreeString.OLEAUT32(?), ref: 004044C8
                                              • Part of subcall function 004043D0: SetLastError.KERNEL32(?), ref: 004044E8
                                            • lstrcpyW.KERNEL32(?,-00000004), ref: 0041C65D
                                            • __setjmp3.LIBCMT ref: 0041C67E
                                            • GetProcAddress.KERNEL32(?,InstallEngineTypelib), ref: 0041C69D
                                            • _memmove.LIBCMT ref: 0041C6FF
                                            Strings
                                            Similarity
                                            • API ID: ErrorLast$FreeString_memmove$AddressH_prolog3_Proc__setjmp3lstrcpy
                                            • String ID: InstallEngineTypelib$setup.cpp
                                            • API String ID: 1563037923-24250156
                                            • Opcode ID: ad1e05325df397600887e60f66f81ba6f3dbdac367ad2acabdb569ca3327d36c
                                            • Instruction ID: ba1a2fa3717a30956a3fb256af288c02464c9cae350b84fb67c140e2a21bc26d
                                            • Opcode Fuzzy Hash: ad1e05325df397600887e60f66f81ba6f3dbdac367ad2acabdb569ca3327d36c
                                            • Instruction Fuzzy Hash: 3421EA71640205EBDF14EB95CC91FAE7778AF44705F00406EF906A7192DF789E488BAD
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetPropW.USER32(?,This), ref: 00439478
                                            • EnableMenuItem.USER32(?,0000F030,00000003), ref: 004394B2
                                            • EnableMenuItem.USER32(?,0000F000,00000003), ref: 004394BE
                                            • IsWindow.USER32(?), ref: 004394E7
                                            • SendMessageW.USER32(?,00000111,00000002,00000000), ref: 00439503
                                            • SetPropW.USER32(?,This,?), ref: 00439516
                                            • RemovePropW.USER32(?,This), ref: 00439527
                                            Strings
                                            Similarity
                                            • API ID: Prop$EnableItemMenu$MessageRemoveSendWindow
                                            • String ID: This
                                            • API String ID: 2617454859-1591487769
                                            • Opcode ID: 8431ab33346b0fbe61acedda2eb80ad25f733ad79c3b441b84b841987ec0a053
                                            • Instruction ID: 49fd111743158434b0272aa931994b9fd5ab21aa3a63de756cb8bcf00940d983
                                            • Opcode Fuzzy Hash: 8431ab33346b0fbe61acedda2eb80ad25f733ad79c3b441b84b841987ec0a053
                                            • Instruction Fuzzy Hash: E1212432200208BBDF265F25EC48F6B7BA8EB09754F045426FA51972A1E7F4DD819B58
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 0042546E
                                            • __CxxThrowException@8.LIBCMT ref: 004254D3
                                            • GetFileSize.KERNEL32(?,?,00000108,00424345,00000000,00000010,004246AC,?,?,?,?,?,?,00000000), ref: 004254DC
                                            • GetLastError.KERNEL32(?,?,?,?,?,?,00000000), ref: 004254E9
                                            Strings
                                            Similarity
                                            • API ID: ErrorException@8FileH_prolog3_LastSizeThrow
                                            • String ID: dJ$dJ$lJ$lJ
                                            • API String ID: 4197087271-2563680426
                                            • Opcode ID: 76ee42e62e10112f8e60142eaba49cefafcabdb8c402dca8384c3a42177a4f5b
                                            • Instruction ID: b2082534f39979bccaf32d7e782aa233bb087002ff19d54df1b5e64b96e7a666
                                            • Opcode Fuzzy Hash: 76ee42e62e10112f8e60142eaba49cefafcabdb8c402dca8384c3a42177a4f5b
                                            • Instruction Fuzzy Hash: 2D21B3B1900218EBC710EFA1DC84AEEB7BCBF14314F40426FE925A3281DB749E44CB98
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 004451B6
                                            • __CxxThrowException@8.LIBCMT ref: 00445218
                                            • GetFileTime.KERNEL32(?,@/L,?,?,00000108,004417D5,?,?,?,004AFFB8,80000000,00000001,00000080,00000003,00000000,00000000), ref: 00445222
                                              • Part of subcall function 00408E82: __EH_prolog3.LIBCMT ref: 00408E89
                                              • Part of subcall function 00408E82: GetLastError.KERNEL32(00000004,00409E1B,004C2FA0,00000000,0043A706,?,?,00000001), ref: 00408EAB
                                              • Part of subcall function 00408E82: SetLastError.KERNEL32(?,00000000), ref: 00408EE3
                                              • Part of subcall function 00416CE9: __EH_prolog3.LIBCMT ref: 00416CF0
                                            Strings
                                            Similarity
                                            • API ID: ErrorH_prolog3Last$Exception@8FileH_prolog3_ThrowTime
                                            • String ID: @/L$dJ$dJ$lJ$lJ
                                            • API String ID: 2876734416-2881729011
                                            • Opcode ID: 5cd39d362dc08eda42560986b5ed758ae809d9a615f56a0f14e5b1a66db2cbd4
                                            • Instruction ID: 09ae8387e76ab4fe6258251d74e8dc5e22117f4eef0919e0a1f8ca21e18f499a
                                            • Opcode Fuzzy Hash: 5cd39d362dc08eda42560986b5ed758ae809d9a615f56a0f14e5b1a66db2cbd4
                                            • Instruction Fuzzy Hash: C81138B5910208EBDB20EF91CC45EEEB7B8BF14705F10815FE556A3241DB78AA09CF69
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • UnDecorator::UScore.LIBCMT ref: 004714B9
                                            • DName::DName.LIBCMT ref: 004714C3
                                              • Part of subcall function 0046F8DF: DName::doPchar.LIBCMT ref: 0046F90D
                                            • UnDecorator::getScopedName.LIBCMT ref: 00471503
                                            • DName::operator+=.LIBCMT ref: 0047150D
                                            • DName::operator+=.LIBCMT ref: 0047151C
                                            • DName::operator+=.LIBCMT ref: 00471528
                                            • DName::operator+=.LIBCMT ref: 00471535
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2441700723.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441790678.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441825034.00000000004D7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.00000000004DC000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000509000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000519000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: Name::operator+=$Name$Decorator::Decorator::getName::Name::doPcharScopedScore
                                            • String ID: void
                                            • API String ID: 1480779885-3531332078
                                            • Opcode ID: 3aed77dbc54723e35303aa731f1e32ff93f60b25ff97cd009afca9a8e09628b5
                                            • Instruction ID: c7e38856e69c193cf3e608dde28ec5eb22488e24ee85ebedf2e190f0a7fcbdf9
                                            • Opcode Fuzzy Hash: 3aed77dbc54723e35303aa731f1e32ff93f60b25ff97cd009afca9a8e09628b5
                                            • Instruction Fuzzy Hash: B411C272501244ABCB08EF68D946AF97B74EB14308F40809FE00A5B3A2DB78DA45C719
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3.LIBCMT ref: 0044961D
                                            • GetModuleHandleW.KERNEL32(kernel32.dll,SetFileAttributesW,00000000,00441E05,?,00000000), ref: 00449637
                                            • GetProcAddress.KERNEL32(00000000), ref: 0044963A
                                            • GetModuleHandleW.KERNEL32(kernel32.dll,SetFileAttributesA), ref: 00449661
                                            • GetProcAddress.KERNEL32(00000000), ref: 00449664
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2441700723.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441790678.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441825034.00000000004D7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.00000000004DC000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000509000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000519000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: AddressHandleModuleProc$H_prolog3
                                            • String ID: SetFileAttributesA$SetFileAttributesW$kernel32.dll
                                            • API String ID: 1623054726-3589348009
                                            • Opcode ID: d8697c1983845be022ac2fd6a8baa6782a64e7cfa578b7963039f5216ac1d9a4
                                            • Instruction ID: f5a7adeeb259beac87689d7c1297ac4d20245e928a6042eb8aa96612b803b1c2
                                            • Opcode Fuzzy Hash: d8697c1983845be022ac2fd6a8baa6782a64e7cfa578b7963039f5216ac1d9a4
                                            • Instruction Fuzzy Hash: 84F08C31600308ABCF15BF66CC19E8E7B68AFA0B50B12411AFC0297150DB7DDA45DBAC
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3.LIBCMT ref: 0044903A
                                            • GetModuleHandleW.KERNEL32(kernel32.dll,RemoveDirectoryW,00000000,00442362), ref: 00449054
                                            • GetProcAddress.KERNEL32(00000000), ref: 00449057
                                            • GetModuleHandleW.KERNEL32(kernel32.dll,RemoveDirectoryA), ref: 0044907B
                                            • GetProcAddress.KERNEL32(00000000), ref: 0044907E
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2441700723.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441790678.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441825034.00000000004D7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.00000000004DC000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000509000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000519000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: AddressHandleModuleProc$H_prolog3
                                            • String ID: RemoveDirectoryA$RemoveDirectoryW$kernel32.dll
                                            • API String ID: 1623054726-1796459256
                                            • Opcode ID: 50ceb3d4d04defea5bae08c69ad30f9a6bbd054d28951227a46f9cc3e051c533
                                            • Instruction ID: 177c85f1501f4e119657a32248533c9b0affb9b454dd3b706eb46c5f598a4413
                                            • Opcode Fuzzy Hash: 50ceb3d4d04defea5bae08c69ad30f9a6bbd054d28951227a46f9cc3e051c533
                                            • Instruction Fuzzy Hash: 07F0A931600304ABCF14BB768C09A8F7A64AF90B50B12452EF80697180DB7CCA41CBAC
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3.LIBCMT ref: 00441D44
                                            • GetModuleHandleW.KERNEL32(kernel32.dll,DeleteFileW,00000000,0040E878), ref: 00441D5E
                                            • GetProcAddress.KERNEL32(00000000), ref: 00441D61
                                            • GetModuleHandleW.KERNEL32(kernel32.dll,DeleteFileA), ref: 00441D85
                                            • GetProcAddress.KERNEL32(00000000), ref: 00441D88
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2441700723.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441790678.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441825034.00000000004D7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.00000000004DC000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000509000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000519000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: AddressHandleModuleProc$H_prolog3
                                            • String ID: DeleteFileA$DeleteFileW$kernel32.dll
                                            • API String ID: 1623054726-1437360270
                                            • Opcode ID: 4b1681924df6c003450726dee01bd950833c4300358f64b5df3b8fbc1bd87e85
                                            • Instruction ID: 661ce79cb93eaffdecf0edf13d19ed5daf71837a4785dddfabb2fe5da01197a9
                                            • Opcode Fuzzy Hash: 4b1681924df6c003450726dee01bd950833c4300358f64b5df3b8fbc1bd87e85
                                            • Instruction Fuzzy Hash: 3BF0CDB1A00314ABCF14BF768C15F8E7B74AF90B40B16452AF81197290DB7CEA45CBAC
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 0043852A
                                            • SendDlgItemMessageW.USER32(?,00000034,00000031,00000000,00000000), ref: 00438576
                                            • GetObjectW.GDI32(00000000,0000005C,?), ref: 00438586
                                            • lstrcpyW.KERNEL32(?,?), ref: 004385B2
                                            • CreateFontIndirectW.GDI32(?), ref: 004385BF
                                            • SendDlgItemMessageW.USER32(?,00000034,00000030,?,00000001), ref: 004385F5
                                            • SetDlgItemTextW.USER32(?,0000000C,-00000004), ref: 0043862A
                                            • GetDlgItem.USER32(?,0000000C), ref: 0043863D
                                            • EnableWindow.USER32(00000000,?), ref: 0043864F
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2441700723.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441790678.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441825034.00000000004D7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.00000000004DC000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000509000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000519000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: Item$MessageSend$CreateEnableFontH_prolog3_IndirectObjectTextWindowlstrcpy
                                            • String ID:
                                            • API String ID: 3548785438-0
                                            • Opcode ID: 35739956977d5c24e42256c85f6c1a3fb3544202f2c811fb29d1601fd4175961
                                            • Instruction ID: 9b928afee46878dec40976792e43a107672440310506abb88115be7aa064bc6c
                                            • Opcode Fuzzy Hash: 35739956977d5c24e42256c85f6c1a3fb3544202f2c811fb29d1601fd4175961
                                            • Instruction Fuzzy Hash: 7A414C71500214EFDB14EBA5DC99E9ABBB8FF19308F00846EF656971A1DB74E904CB14
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 00451292
                                            • wsprintfW.USER32 ref: 0045133E
                                            • wsprintfW.USER32 ref: 0045134E
                                              • Part of subcall function 00401B80: GetLastError.KERNEL32(?,00000000,00409F66,00000000,?,00000000,?,00000001,00000048,00409E02,004C2FA0,?,00000000,00000000,0000003C,00409181), ref: 00401B8F
                                              • Part of subcall function 00401B80: SysFreeString.OLEAUT32(00000000), ref: 00401BAB
                                              • Part of subcall function 00401B80: SysFreeString.OLEAUT32(0000002C), ref: 00401BB6
                                              • Part of subcall function 00401B80: SetLastError.KERNEL32(?), ref: 00401BD4
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2441700723.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441790678.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441825034.00000000004D7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.00000000004DC000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000509000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000519000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: ErrorFreeLastStringwsprintf$H_prolog3_
                                            • String ID: Count$Software\InstallShieldPendingOperation$dest%d$source%d
                                            • API String ID: 3447950213-4089646173
                                            • Opcode ID: b3fda8f5182cfb88cd5b242456661aa8ffeae84f34dd71114ef13c9ab0267b9c
                                            • Instruction ID: 04ab352abc95b7cbce87444a30eeff6c331f2d8b74f57c41ef50cafc384b38ec
                                            • Opcode Fuzzy Hash: b3fda8f5182cfb88cd5b242456661aa8ffeae84f34dd71114ef13c9ab0267b9c
                                            • Instruction Fuzzy Hash: 0C616E718402299EDB25EF65CC51BEDB7B4AF15304F0041EEE949A3292EB785B88CF58
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3.LIBCMT ref: 004480B9
                                              • Part of subcall function 00408E82: __EH_prolog3.LIBCMT ref: 00408E89
                                              • Part of subcall function 00408E82: GetLastError.KERNEL32(00000004,00409E1B,004C2FA0,00000000,0043A706,?,?,00000001), ref: 00408EAB
                                              • Part of subcall function 00408E82: SetLastError.KERNEL32(?,00000000), ref: 00408EE3
                                              • Part of subcall function 004496BE: __EH_prolog3.LIBCMT ref: 004496C5
                                            • LoadTypeLib.OLEAUT32(?,?), ref: 0044812F
                                            • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00448149
                                            • RegOverridePredefKey.ADVAPI32(80000000,00000000), ref: 004481EB
                                              • Part of subcall function 00448BA8: GetVersionExW.KERNEL32(?), ref: 00448BCC
                                              • Part of subcall function 0043F607: RegOverridePredefKey.ADVAPI32(80000000,?), ref: 0043F63F
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2441700723.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441790678.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441825034.00000000004D7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.00000000004DC000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000509000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000519000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: H_prolog3$ErrorLastOverridePredefType$LoadRegisterVersion
                                            • String ID: @/L
                                            • API String ID: 3828359244-3803013380
                                            • Opcode ID: ba97af5791e2f9eb4dace3015c792bf3d9894ed4bbb607fb01cbd0ea7e3c024f
                                            • Instruction ID: a187f700d9e3457ba3fee34f782bd667abac8c0fda7a9e350cb96ee8d41f69a3
                                            • Opcode Fuzzy Hash: ba97af5791e2f9eb4dace3015c792bf3d9894ed4bbb607fb01cbd0ea7e3c024f
                                            • Instruction Fuzzy Hash: D8417170600109EFEF04DF65C884AAE7BB8AF15308F60846FF815DB251DB79D946CB69
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2441700723.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441790678.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441825034.00000000004D7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.00000000004DC000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000509000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000519000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: H_prolog3_Window
                                            • String ID: @/L$DownloadFiles: %s$P/L$T4L$J
                                            • API String ID: 2696129371-3407581839
                                            • Opcode ID: ecb82e952684bb07feb0a449aeddfb08d8b09897805050005903c7cdd6b546ec
                                            • Instruction ID: de23dfaef23a451ab727cd009e5c9a7a2e24c9d9a3dbe1c19b831f440d0632a1
                                            • Opcode Fuzzy Hash: ecb82e952684bb07feb0a449aeddfb08d8b09897805050005903c7cdd6b546ec
                                            • Instruction Fuzzy Hash: 7F41C575D00208DBCB14EFA1C881A9DB7B8BF04304F24457FE905B7292DB799A09CF99
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetLastError.KERNEL32(2E932D87,74DEDFA0,?,74DEE010,?,?,?,?,?,?,004AC3A0,000000FF,?,00403D9D,?,?), ref: 00404421
                                            • SetLastError.KERNEL32(?,?,?,?,?,?,?,004AC3A0,000000FF,?,00403D9D,?,?), ref: 00404451
                                            • GetLastError.KERNEL32(00000000,00000000,00000000,?,00000001,?,?,?,?,?,?,004AC3A0,000000FF,?,00403D9D,?), ref: 004044A1
                                            • SysFreeString.OLEAUT32(?), ref: 004044BD
                                            • SysFreeString.OLEAUT32(?), ref: 004044C8
                                            • SetLastError.KERNEL32(?), ref: 004044E8
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2441700723.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441790678.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441825034.00000000004D7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.00000000004DC000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000509000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000519000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: ErrorLast$FreeString
                                            • String ID: T4L
                                            • API String ID: 2425351278-1354015026
                                            • Opcode ID: 77a5511f58a867ba2974a95759635336675508833ab717c16b0faf72b683717b
                                            • Instruction ID: c1a8e6e27e6d95d5599461cddef750d2e346726b17c2bafc7bb77502d4853971
                                            • Opcode Fuzzy Hash: 77a5511f58a867ba2974a95759635336675508833ab717c16b0faf72b683717b
                                            • Instruction Fuzzy Hash: 4A413AB1900209EFDB00CF65C944B9EFBB4FF48314F14812AE819A7791E779A925CF99
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                              • Part of subcall function 00406060: SysFreeString.OLEAUT32(?), ref: 004060C2
                                              • Part of subcall function 00406060: GetLastError.KERNEL32(2E932D87,?,74DEE010,00000000,00000000,?,004ACA98,000000FF,T4L,00404B04), ref: 004060ED
                                              • Part of subcall function 00406060: SetLastError.KERNEL32(?,00000004,00000000,000000FF), ref: 0040613E
                                            • GetLastError.KERNEL32 ref: 00404B11
                                            • SysFreeString.OLEAUT32(?), ref: 00404B2F
                                            • SysFreeString.OLEAUT32(?), ref: 00404B3C
                                            • SetLastError.KERNEL32(?), ref: 00404B66
                                            • GetLastError.KERNEL32 ref: 00404B75
                                            • SetLastError.KERNEL32(?,00000000,00000000,000000FF), ref: 00404BCF
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2441700723.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441790678.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441825034.00000000004D7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.00000000004DC000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000509000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000519000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: ErrorLast$FreeString
                                            • String ID: T4L
                                            • API String ID: 2425351278-1354015026
                                            • Opcode ID: be714e4bf5fa390a1e12a13b6dba38f14e6c359a4fb5016913e6aa85f2a16c1e
                                            • Instruction ID: 09830f44d83ceb23d2da7353d6a015d3463f55c871dcda439cef5f342e7a354a
                                            • Opcode Fuzzy Hash: be714e4bf5fa390a1e12a13b6dba38f14e6c359a4fb5016913e6aa85f2a16c1e
                                            • Instruction Fuzzy Hash: E63118B1508245AFD700CF69C845B16BBE4FF88328F10462EF855976A1D7B5E815CF8A
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 0040CF47
                                              • Part of subcall function 00404200: GetLastError.KERNEL32 ref: 0040421F
                                              • Part of subcall function 00404200: SetLastError.KERNEL32(?), ref: 0040424F
                                              • Part of subcall function 0040B22B: __EH_prolog3_GS.LIBCMT ref: 0040B232
                                              • Part of subcall function 0040A206: __EH_prolog3_GS.LIBCMT ref: 0040A210
                                              • Part of subcall function 0040B91E: __EH_prolog3_GS.LIBCMT ref: 0040B925
                                              • Part of subcall function 00401B80: GetLastError.KERNEL32(?,00000000,00409F66,00000000,?,00000000,?,00000001,00000048,00409E02,004C2FA0,?,00000000,00000000,0000003C,00409181), ref: 00401B8F
                                              • Part of subcall function 00401B80: SysFreeString.OLEAUT32(00000000), ref: 00401BAB
                                              • Part of subcall function 00401B80: SysFreeString.OLEAUT32(0000002C), ref: 00401BB6
                                              • Part of subcall function 00401B80: SetLastError.KERNEL32(?), ref: 00401BD4
                                              • Part of subcall function 00408E82: __EH_prolog3.LIBCMT ref: 00408E89
                                              • Part of subcall function 00408E82: GetLastError.KERNEL32(00000004,00409E1B,004C2FA0,00000000,0043A706,?,?,00000001), ref: 00408EAB
                                              • Part of subcall function 00408E82: SetLastError.KERNEL32(?,00000000), ref: 00408EE3
                                              • Part of subcall function 0044575F: __EH_prolog3_GS.LIBCMT ref: 00445769
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2441700723.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441790678.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441825034.00000000004D7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.00000000004DC000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000509000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000519000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: ErrorLast$H_prolog3_$FreeString$H_prolog3
                                            • String ID: .ini$0x%04x$@/L$@/L$FontSize$Properties
                                            • API String ID: 1949661404-2293665164
                                            • Opcode ID: d3fc68d9228e65f8b8f5e34e919c4f5d1c5ea8712fe81b29909fa070ed62ed28
                                            • Instruction ID: 7b5d863ec8f61f1dcf2dbdbf51602eaf4a1d24238f66e5dda1212ad8cbdd6bc2
                                            • Opcode Fuzzy Hash: d3fc68d9228e65f8b8f5e34e919c4f5d1c5ea8712fe81b29909fa070ed62ed28
                                            • Instruction Fuzzy Hash: 693175B1900218EADB04F7A5CC56BED7778AF14348F1400EFF54567182DBB85B48CBA9
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 00415638
                                            • __CxxThrowException@8.LIBCMT ref: 004156AE
                                            • ReadFile.KERNEL32(?,?,?,?,00000000,0000010C), ref: 004156C0
                                              • Part of subcall function 00408E82: __EH_prolog3.LIBCMT ref: 00408E89
                                              • Part of subcall function 00408E82: GetLastError.KERNEL32(00000004,00409E1B,004C2FA0,00000000,0043A706,?,?,00000001), ref: 00408EAB
                                              • Part of subcall function 00408E82: SetLastError.KERNEL32(?,00000000), ref: 00408EE3
                                              • Part of subcall function 00416CE9: __EH_prolog3.LIBCMT ref: 00416CF0
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Similarity
                                            • API ID: ErrorH_prolog3Last$Exception@8FileH_prolog3_ReadThrow
                                            • String ID: dJ$dJ$lJ$lJ
                                            • API String ID: 2465803405-2563680426
                                            • Opcode ID: f5528ae6309ebde28be606ac58c7bbfe8d800abaed0a5fefaba59f26cf88d074
                                            • Instruction ID: 29ade8ddb5b8e31f19fab82f36335d99cdf2997279f3780005d12579531462b7
                                            • Opcode Fuzzy Hash: f5528ae6309ebde28be606ac58c7bbfe8d800abaed0a5fefaba59f26cf88d074
                                            • Instruction Fuzzy Hash: DD213BB5900218EBDB24DB91CC81EEE77BCAB54304F10855FE515A7181EB74AA89CA94
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 00415720
                                            • __CxxThrowException@8.LIBCMT ref: 00415796
                                            • ReadFile.KERNEL32(?,?,?,?,00000000,0000010C), ref: 004157A8
                                              • Part of subcall function 00408E82: __EH_prolog3.LIBCMT ref: 00408E89
                                              • Part of subcall function 00408E82: GetLastError.KERNEL32(00000004,00409E1B,004C2FA0,00000000,0043A706,?,?,00000001), ref: 00408EAB
                                              • Part of subcall function 00408E82: SetLastError.KERNEL32(?,00000000), ref: 00408EE3
                                              • Part of subcall function 00416CE9: __EH_prolog3.LIBCMT ref: 00416CF0
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Similarity
                                            • API ID: ErrorH_prolog3Last$Exception@8FileH_prolog3_ReadThrow
                                            • String ID: dJ$dJ$lJ$lJ
                                            • API String ID: 2465803405-2563680426
                                            • Opcode ID: c44976d86162bbcae354d64867d5edce7c095827d11b6bf8f2e66fc5b9320c45
                                            • Instruction ID: ebf3c470cbe134efa20adb9b6bb058dd50925e91a06f4d371b6f080ce125d79f
                                            • Opcode Fuzzy Hash: c44976d86162bbcae354d64867d5edce7c095827d11b6bf8f2e66fc5b9320c45
                                            • Instruction Fuzzy Hash: 9E213DB5900218EACB14DB91CC82EEE777CAF04304F10855FF515A7181DB74AE85CA64
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 0043A74D
                                            • __CxxThrowException@8.LIBCMT ref: 0043A7C3
                                            • ReadFile.KERNEL32(?,?,?,?,00000000,0000010C), ref: 0043A7D5
                                              • Part of subcall function 00408E82: __EH_prolog3.LIBCMT ref: 00408E89
                                              • Part of subcall function 00408E82: GetLastError.KERNEL32(00000004,00409E1B,004C2FA0,00000000,0043A706,?,?,00000001), ref: 00408EAB
                                              • Part of subcall function 00408E82: SetLastError.KERNEL32(?,00000000), ref: 00408EE3
                                              • Part of subcall function 00416CE9: __EH_prolog3.LIBCMT ref: 00416CF0
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Similarity
                                            • API ID: ErrorH_prolog3Last$Exception@8FileH_prolog3_ReadThrow
                                            • String ID: dJ$dJ$lJ$lJ
                                            • API String ID: 2465803405-2563680426
                                            • Opcode ID: 7c3b8ab523904aec74a11c0b0d003628ea066790ae45aef98a5a6a3663d1f3fa
                                            • Instruction ID: cec8f0084c9be4eb951c905ee080aae46aec25b526ee36491d38213f57d09f16
                                            • Opcode Fuzzy Hash: 7c3b8ab523904aec74a11c0b0d003628ea066790ae45aef98a5a6a3663d1f3fa
                                            • Instruction Fuzzy Hash: DC216BB5900218EACB24EB91CC81EEE73BCAB04704F0085AFE555A3141DB74AE49CE94
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 0043E010
                                            • __CxxThrowException@8.LIBCMT ref: 0043E088
                                            • ReadFile.KERNEL32(?,?,?,?,00000000,0000010C), ref: 0043E09A
                                              • Part of subcall function 00408E82: __EH_prolog3.LIBCMT ref: 00408E89
                                              • Part of subcall function 00408E82: GetLastError.KERNEL32(00000004,00409E1B,004C2FA0,00000000,0043A706,?,?,00000001), ref: 00408EAB
                                              • Part of subcall function 00408E82: SetLastError.KERNEL32(?,00000000), ref: 00408EE3
                                              • Part of subcall function 00416CE9: __EH_prolog3.LIBCMT ref: 00416CF0
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Similarity
                                            • API ID: ErrorH_prolog3Last$Exception@8FileH_prolog3_ReadThrow
                                            • String ID: dJ$dJ$lJ$lJ
                                            • API String ID: 2465803405-2563680426
                                            • Opcode ID: 08d357c00eeadaf12dde479b25a40ac9af096a5e8f0c5e4936017e76caca7874
                                            • Instruction ID: e1dbd68a572265f0ecc85e34a384e9eede5618ab68833088d82e4bb60bc65976
                                            • Opcode Fuzzy Hash: 08d357c00eeadaf12dde479b25a40ac9af096a5e8f0c5e4936017e76caca7874
                                            • Instruction Fuzzy Hash: 55211BB5900218EBCB64DF91CC85EEEB7BCAB14304F10856FB955A3181DB749E49CE94
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 0043E0FA
                                            • __CxxThrowException@8.LIBCMT ref: 0043E172
                                            • ReadFile.KERNEL32(?,?,?,?,00000000,0000010C), ref: 0043E184
                                              • Part of subcall function 00408E82: __EH_prolog3.LIBCMT ref: 00408E89
                                              • Part of subcall function 00408E82: GetLastError.KERNEL32(00000004,00409E1B,004C2FA0,00000000,0043A706,?,?,00000001), ref: 00408EAB
                                              • Part of subcall function 00408E82: SetLastError.KERNEL32(?,00000000), ref: 00408EE3
                                              • Part of subcall function 00416CE9: __EH_prolog3.LIBCMT ref: 00416CF0
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Similarity
                                            • API ID: ErrorH_prolog3Last$Exception@8FileH_prolog3_ReadThrow
                                            • String ID: dJ$dJ$lJ$lJ
                                            • API String ID: 2465803405-2563680426
                                            • Opcode ID: 7584e551157f17f1128810f93755ddab4299be7a373236d0cceefcda8dc5eb74
                                            • Instruction ID: 775ab8e83fb4e0760137eb86773a438fb7358c8de11670e13780449baabe43ab
                                            • Opcode Fuzzy Hash: 7584e551157f17f1128810f93755ddab4299be7a373236d0cceefcda8dc5eb74
                                            • Instruction Fuzzy Hash: 51212CB5900218EBDB54DB92CC81EEFB7BCAF05704F10856FA915A3181DB749E49CE94
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 0043E1E4
                                            • __CxxThrowException@8.LIBCMT ref: 0043E259
                                            • ReadFile.KERNEL32(?,?,?,?,00000000,0000010C), ref: 0043E26B
                                              • Part of subcall function 00408E82: __EH_prolog3.LIBCMT ref: 00408E89
                                              • Part of subcall function 00408E82: GetLastError.KERNEL32(00000004,00409E1B,004C2FA0,00000000,0043A706,?,?,00000001), ref: 00408EAB
                                              • Part of subcall function 00408E82: SetLastError.KERNEL32(?,00000000), ref: 00408EE3
                                              • Part of subcall function 00416CE9: __EH_prolog3.LIBCMT ref: 00416CF0
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Similarity
                                            • API ID: ErrorH_prolog3Last$Exception@8FileH_prolog3_ReadThrow
                                            • String ID: dJ$dJ$lJ$lJ
                                            • API String ID: 2465803405-2563680426
                                            • Opcode ID: 62bd3570f250307fabb95880af3c509add9fdf3ee3895430ba2b38a1d137bb4b
                                            • Instruction ID: 8a3114d9d7f673727c6ba355215924bceca11f7637ce64c5eabad576f17db6b3
                                            • Opcode Fuzzy Hash: 62bd3570f250307fabb95880af3c509add9fdf3ee3895430ba2b38a1d137bb4b
                                            • Instruction Fuzzy Hash: DB212CB5900218EBCB14DF91CC85EEFB7BCAF04304F1085AFA916A3181DB74AA49CF58
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 0042C62E
                                            • SetWindowTextW.USER32(00000000,?), ref: 0042C705
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Similarity
                                            • API ID: H_prolog3_TextWindow
                                            • String ID: ..\..\Shared\Setup\SetupPreRequisite.cpp$@/L$P/L$PrereqEngine: $T4L
                                            • API String ID: 2928184256-3046138960
                                            • Opcode ID: 68a4f8a286727cb4533fdacfe7cb15d6e405c1b421d956392f763aeebacd1dd3
                                            • Instruction ID: c3ec2bdf6a7a5a4986fd96f18d36534da28e7fd18ae2f263c25a6e9e12bb549a
                                            • Opcode Fuzzy Hash: 68a4f8a286727cb4533fdacfe7cb15d6e405c1b421d956392f763aeebacd1dd3
                                            • Instruction Fuzzy Hash: 6121F5B0600244AEC715EB61D885BEF7768AB41308F44411FF6416B1D2DBBC6A4AC76C
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                              • Part of subcall function 0045C169: _malloc.LIBCMT ref: 0045C181
                                            • std::exception::exception.LIBCMT ref: 00459F32
                                            • __CxxThrowException@8.LIBCMT ref: 00459F47
                                            • __CxxThrowException@8.LIBCMT ref: 00459F6B
                                            • std::exception::exception.LIBCMT ref: 00459F84
                                            • __CxxThrowException@8.LIBCMT ref: 00459F99
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Similarity
                                            • API ID: Exception@8Throw$std::exception::exception$_malloc
                                            • String ID: |-L$uK
                                            • API String ID: 3942750879-472808943
                                            • Opcode ID: 222f84c4230ce3889c6ed273af93a17112adc430d284c1d5cb4bb1544bc2eea0
                                            • Instruction ID: 789974fd95566fa97475cb8d0a5471cb1fd929a59e2e63bdb17a9d95ebafa182
                                            • Opcode Fuzzy Hash: 222f84c4230ce3889c6ed273af93a17112adc430d284c1d5cb4bb1544bc2eea0
                                            • Instruction Fuzzy Hash: C0118975900209AEC704EFE5C495ADEB7B8AF04304F54815FE91597642D7789708CF99
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                              • Part of subcall function 0045C169: _malloc.LIBCMT ref: 0045C181
                                            • std::exception::exception.LIBCMT ref: 00459F32
                                            • __CxxThrowException@8.LIBCMT ref: 00459F47
                                            • __CxxThrowException@8.LIBCMT ref: 00459F6B
                                            • std::exception::exception.LIBCMT ref: 00459F84
                                            • __CxxThrowException@8.LIBCMT ref: 00459F99
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Similarity
                                            • API ID: Exception@8Throw$std::exception::exception$_malloc
                                            • String ID: |-L$uK
                                            • API String ID: 3942750879-472808943
                                            • Opcode ID: b381152e977c8d7341d8f794c755a762df2c3e655ea57013d94dce9eb9958b6b
                                            • Instruction ID: c08fe74c4ff2020f982ad2ac76490017d19278fe576dccc4cab8603ebb60b3a0
                                            • Opcode Fuzzy Hash: b381152e977c8d7341d8f794c755a762df2c3e655ea57013d94dce9eb9958b6b
                                            • Instruction Fuzzy Hash: 1D118974900209AECB04EFE5C495ADEB7B8AF04304F50815FA91597642EBB8A708CF99
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                              • Part of subcall function 0045C169: _malloc.LIBCMT ref: 0045C181
                                            • std::exception::exception.LIBCMT ref: 00459F32
                                            • __CxxThrowException@8.LIBCMT ref: 00459F47
                                            • __CxxThrowException@8.LIBCMT ref: 00459F6B
                                            • std::exception::exception.LIBCMT ref: 00459F84
                                            • __CxxThrowException@8.LIBCMT ref: 00459F99
                                            Strings
                                            Similarity
                                            • API ID: Exception@8Throw$std::exception::exception$_malloc
                                            • String ID: |-L$uK
                                            • API String ID: 3942750879-472808943
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                              • Part of subcall function 0045C169: _malloc.LIBCMT ref: 0045C181
                                            • std::exception::exception.LIBCMT ref: 00459F32
                                            • __CxxThrowException@8.LIBCMT ref: 00459F47
                                            • __CxxThrowException@8.LIBCMT ref: 00459F6B
                                            • std::exception::exception.LIBCMT ref: 00459F84
                                            • __CxxThrowException@8.LIBCMT ref: 00459F99
                                            Strings
                                            Similarity
                                            • API ID: Exception@8Throw$std::exception::exception$_malloc
                                            • String ID: |-L$uK
                                            • API String ID: 3942750879-472808943
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                              • Part of subcall function 0045C169: _malloc.LIBCMT ref: 0045C181
                                            • std::exception::exception.LIBCMT ref: 00459F32
                                            • __CxxThrowException@8.LIBCMT ref: 00459F47
                                            • __CxxThrowException@8.LIBCMT ref: 00459F6B
                                            • std::exception::exception.LIBCMT ref: 00459F84
                                            • __CxxThrowException@8.LIBCMT ref: 00459F99
                                            Strings
                                            Similarity
                                            • API ID: Exception@8Throw$std::exception::exception$_malloc
                                            • String ID: |-L$uK
                                            • API String ID: 3942750879-472808943
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetModuleHandleW.KERNEL32(kernel32.dll,GetProcessId), ref: 00444861
                                            • GetProcAddress.KERNEL32(00000000), ref: 00444868
                                            • OpenProcess.KERNEL32(001FFFFF,00000001,?), ref: 00444888
                                            • GetProcessTimes.KERNEL32(?,?,?,?,?), ref: 004448A1
                                            • CloseHandle.KERNEL32(?), ref: 004448AE
                                            Strings
                                            Similarity
                                            • API ID: HandleProcess$AddressCloseModuleOpenProcTimes
                                            • String ID: GetProcessId$kernel32.dll
                                            • API String ID: 4254294609-399901964
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetModuleHandleW.KERNEL32(kernel32.dll), ref: 0043A5F9
                                            • GetProcAddress.KERNEL32(00000000,LCMapStringEx), ref: 0043A609
                                            • EncodePointer.KERNEL32(00000000), ref: 0043A612
                                            • DecodePointer.KERNEL32(00000000), ref: 0043A620
                                            • LCMapStringW.KERNEL32(00000000,?,?,?,?,?), ref: 0043A664
                                            Strings
                                            Similarity
                                            • API ID: Pointer$AddressDecodeEncodeHandleModuleProcString
                                            • String ID: LCMapStringEx$kernel32.dll
                                            • API String ID: 405835482-327329431
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetModuleHandleW.KERNEL32(kernel32.dll), ref: 0043A595
                                            • GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 0043A5A5
                                            • EncodePointer.KERNEL32(00000000), ref: 0043A5AE
                                            • DecodePointer.KERNEL32(00000000), ref: 0043A5BC
                                            • InitializeCriticalSectionAndSpinCount.KERNEL32(?,?), ref: 0043A5DB
                                            Strings
                                            Similarity
                                            • API ID: Pointer$AddressCountCriticalDecodeEncodeHandleInitializeModuleProcSectionSpin
                                            • String ID: InitializeCriticalSectionEx$kernel32.dll
                                            • API String ID: 131412094-2762503851
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • lstrcpyW.KERNEL32(?,-00000004), ref: 0041C30C
                                              • Part of subcall function 00401AC0: GetLastError.KERNEL32(?,?,0040E566), ref: 00401ACF
                                              • Part of subcall function 00401AC0: SysFreeString.OLEAUT32(?), ref: 00401AEB
                                              • Part of subcall function 00401AC0: SysFreeString.OLEAUT32(?), ref: 00401AF6
                                              • Part of subcall function 00401AC0: SetLastError.KERNEL32(?), ref: 00401B14
                                            • __setjmp3.LIBCMT ref: 0041C32D
                                            • _memmove.LIBCMT ref: 0041C568
                                              • Part of subcall function 0045C169: _malloc.LIBCMT ref: 0045C181
                                              • Part of subcall function 004375D6: __EH_prolog3_GS.LIBCMT ref: 004375DD
                                              • Part of subcall function 00418CDA: _longjmp.LIBCMT ref: 00418D00
                                            • GetDlgItem.USER32(?,00000009), ref: 0041C3B3
                                            • EnableWindow.USER32(00000000), ref: 0041C3BC
                                            • GetDlgItem.USER32(?,00000002), ref: 0041C3C8
                                            • EnableWindow.USER32(00000000), ref: 0041C3CB
                                            • GetTickCount.KERNEL32 ref: 0041C3CD
                                              • Part of subcall function 00414870: GetDlgItem.USER32(?,0000012D), ref: 0041489A
                                              • Part of subcall function 00414870: SendMessageW.USER32(00000000), ref: 004148A1
                                              • Part of subcall function 0041CAE7: __EH_prolog3_GS.LIBCMT ref: 0041CAEE
                                              • Part of subcall function 0041CAE7: GetPrivateProfileIntW.KERNEL32(Startup,AllUsers,00000000,-00000004), ref: 0041CB30
                                              • Part of subcall function 004378CF: IsWindow.USER32 ref: 004378D4
                                              • Part of subcall function 004369B6: ShowWindow.USER32(?,00000000), ref: 004369C1
                                              • Part of subcall function 0041448F: __EH_prolog3.LIBCMT ref: 00414496
                                              • Part of subcall function 0041448F: IsWindow.USER32(?), ref: 004144B5
                                              • Part of subcall function 0041448F: IsWindowVisible.USER32(?), ref: 004144C2
                                              • Part of subcall function 0041448F: DestroyWindow.USER32(?), ref: 0041453B
                                            Similarity
                                            • API ID: Window$Item$EnableErrorFreeH_prolog3_LastString$CountDestroyH_prolog3MessagePrivateProfileSendShowTickVisible__setjmp3_longjmp_malloc_memmovelstrcpy
                                            • String ID:
                                            • API String ID: 2072090708-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • QueryPerformanceCounter.KERNEL32(00000003,00000000,00000002,00000000,00000003,00000000,00000000), ref: 0045035F
                                            • GetTickCount.KERNEL32 ref: 00450367
                                            • ResetEvent.KERNEL32(?), ref: 00450377
                                            • QueryPerformanceCounter.KERNEL32(?), ref: 004503CA
                                            • GetTickCount.KERNEL32 ref: 004503D8
                                            • __alldvrm.LIBCMT ref: 00450445
                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0045045C
                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00450481
                                              • Part of subcall function 004506A2: GetTickCount.KERNEL32 ref: 004506B1
                                              • Part of subcall function 004506A2: GetTickCount.KERNEL32 ref: 004506DA
                                            Similarity
                                            • API ID: CountTick$CounterPerformanceQueryUnothrow_t@std@@@__ehfuncinfo$??2@$EventReset__alldvrm
                                            • String ID:
                                            • API String ID: 3317835756-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • LoadLibraryExA.KERNEL32(?,00000000,00000000), ref: 00439FEA
                                            • GetLastError.KERNEL32 ref: 00439FF6
                                            • RaiseException.KERNEL32(C06D007E,00000000,00000001,?), ref: 0043A029
                                            • InterlockedExchange.KERNEL32(?,00000000), ref: 0043A03B
                                            • FreeLibrary.KERNEL32(00000000), ref: 0043A046
                                            • GetProcAddress.KERNEL32(?,?), ref: 0043A09C
                                            • GetLastError.KERNEL32(?,?), ref: 0043A0A8
                                            • RaiseException.KERNEL32(C06D007F,00000000,00000001,?,?,?), ref: 0043A0DB
                                            Similarity
                                            • API ID: ErrorExceptionLastLibraryRaise$AddressExchangeFreeInterlockedLoadProc
                                            • String ID:
                                            • API String ID: 1994051085-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetLastError.KERNEL32 ref: 004889EE
                                            • SetLastError.KERNEL32(004AE96C,00000000,00000000,000000FF), ref: 00488A48
                                            • GetLastError.KERNEL32(?), ref: 00488A6F
                                            • SetLastError.KERNEL32(?,00000000,00000000,000000FF), ref: 00488AC5
                                            Strings
                                            Similarity
                                            • API ID: ErrorLast
                                            • String ID: dJ$lJ$lJ$lJ
                                            • API String ID: 1452528299-2128537396
                                            • Opcode ID: dee73e4fbed32baa2116eae85850d8993472f4027a078f2ebaf978bafc4a1bf1
                                            • Instruction ID: b45a341a48a650650591193acb68afe1818dbe9b5ef5f27e3f1df00c08abf371
                                            • Opcode Fuzzy Hash: dee73e4fbed32baa2116eae85850d8993472f4027a078f2ebaf978bafc4a1bf1
                                            • Instruction Fuzzy Hash: 0E414BB1900208DFDB14DF95C814B9EBBF4FF49318F20465EE825A7390DB79A905CB98
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetLastError.KERNEL32(00000000,00492C07,?,?,?,?,?,?,?,?,?,2E932D87,?,000001A4,00000000), ref: 00486581
                                            • SetLastError.KERNEL32(53746547,?,?,?,?,?,?,?,?,?,2E932D87,?,000001A4,00000000), ref: 004865B1
                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,2E932D87,?,000001A4,00000000), ref: 004865C5
                                            • SetLastError.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,2E932D87,?,000001A4,00000000), ref: 004865F5
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2441700723.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441790678.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441825034.00000000004D7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.00000000004DC000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000509000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000519000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: ErrorLast
                                            • String ID: dJ$dJ$lJ$lJ
                                            • API String ID: 1452528299-2563680426
                                            • Opcode ID: 200ef8c29c30ac6504fc3dfcc34c797f3523c37566ed5c9f370429ceb4e7eaf7
                                            • Instruction ID: 769be1a6fd4e13e5598b14c51293e14b84b93e7813666d87a52011dac865fccf
                                            • Opcode Fuzzy Hash: 200ef8c29c30ac6504fc3dfcc34c797f3523c37566ed5c9f370429ceb4e7eaf7
                                            • Instruction Fuzzy Hash: 32114BB5901240CFDB84CF69D5C87057FE4BF19308B2191AAEC18CB26AE779D854CF49
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3_catch_GS.LIBCMT ref: 004404BA
                                              • Part of subcall function 0043EB5D: __EH_prolog3.LIBCMT ref: 0043EB64
                                              • Part of subcall function 00409FA9: SysFreeString.OLEAUT32(00000000), ref: 00409FB8
                                              • Part of subcall function 00416831: __EH_prolog3.LIBCMT ref: 00416838
                                              • Part of subcall function 00408F6D: __EH_prolog3.LIBCMT ref: 00408F74
                                              • Part of subcall function 00408F6D: GetLastError.KERNEL32(00000004,004091E9,00000000,?,00000000,00000000), ref: 00408F96
                                              • Part of subcall function 00408F6D: SetLastError.KERNEL32(?,00000000,?), ref: 00408FCF
                                              • Part of subcall function 00424632: __EH_prolog3.LIBCMT ref: 00424639
                                              • Part of subcall function 00401B80: GetLastError.KERNEL32(?,00000000,00409F66,00000000,?,00000000,?,00000001,00000048,00409E02,004C2FA0,?,00000000,00000000,0000003C,00409181), ref: 00401B8F
                                              • Part of subcall function 00401B80: SysFreeString.OLEAUT32(00000000), ref: 00401BAB
                                              • Part of subcall function 00401B80: SysFreeString.OLEAUT32(0000002C), ref: 00401BB6
                                              • Part of subcall function 00401B80: SetLastError.KERNEL32(?), ref: 00401BD4
                                            • GetLastError.KERNEL32(004AFFB8,80000000,00000001,00000080,00000003,00000000,00000000), ref: 00440599
                                              • Part of subcall function 004176D4: __EH_prolog3.LIBCMT ref: 004176DB
                                              • Part of subcall function 0043EE10: __EH_prolog3.LIBCMT ref: 0043EE17
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2441700723.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441790678.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441825034.00000000004D7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.00000000004DC000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000509000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000519000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: H_prolog3$ErrorLast$FreeString$H_prolog3_catch_
                                            • String ID: ISc($SOFTWARE\InstallShield\Cryptography\Trust$|-L
                                            • API String ID: 2869626631-3440964114
                                            • Opcode ID: 28eaa4bff5f9303c212a3fbbb80522e7ce5eadba56775aa586a4d31dea7c39ed
                                            • Instruction ID: 8c60fa6b941845c39817024feef3a3d6fdd4788c9263d7afa4f198da3635eca0
                                            • Opcode Fuzzy Hash: 28eaa4bff5f9303c212a3fbbb80522e7ce5eadba56775aa586a4d31dea7c39ed
                                            • Instruction Fuzzy Hash: 3DD1D270804618EEDB11EB65CC95BEEBB78AF14309F0041DEE40967292DB386F98DF59
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetLastError.KERNEL32(2E932D87,?,00000000,?), ref: 0049014B
                                            • SetLastError.KERNEL32(004C2FA8,?,00000000,?), ref: 0049017D
                                            • GetLastError.KERNEL32(?,00000000,?), ref: 0049018D
                                            • SetLastError.KERNEL32(004C2FA8,?,00000000,?), ref: 004901B9
                                              • Part of subcall function 00494EB0: GetLastError.KERNEL32(2E932D87,74DEE010,00000000,?,?,004ABC58,000000FF,?,004901ED,?,00000000,00000000,004B1A74,00000000), ref: 00494EEE
                                              • Part of subcall function 00494EB0: SetLastError.KERNEL32(?,00000000,?,00000000,?,004901ED,?,00000000,00000000,004B1A74,00000000), ref: 00494F4A
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2441700723.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441790678.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441825034.00000000004D7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.00000000004DC000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000509000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000519000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: ErrorLast
                                            • String ID: ALL$x/L$x/L
                                            • API String ID: 1452528299-300393698
                                            • Opcode ID: 77f42b1bd8677d11b66f4f2e523c9e19174658048120b00dd2a9d37c1e768aa9
                                            • Instruction ID: b426142df9c32a6d7b358cb21288f099e10c7965672089d3627bba96ba26348b
                                            • Opcode Fuzzy Hash: 77f42b1bd8677d11b66f4f2e523c9e19174658048120b00dd2a9d37c1e768aa9
                                            • Instruction Fuzzy Hash: 6F817B31900258AFCF14DFA4C851BEEBBB8AF14304F1441ABE515B72D1EB786A48CFA5
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 0042E126
                                              • Part of subcall function 00403F50: GetLastError.KERNEL32 ref: 00403F6F
                                              • Part of subcall function 00403F50: SetLastError.KERNEL32(?), ref: 00403F9F
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2441700723.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441790678.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441825034.00000000004D7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.00000000004DC000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000509000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000519000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: ErrorLast$H_prolog3_
                                            • String ID: P/L$P/L$T4L$T4L$T4L
                                            • API String ID: 3339191932-3027285444
                                            • Opcode ID: e2d4f048723bd054f10c888b1840e2f795b652f25687683406468bc7da83aa47
                                            • Instruction ID: 92359c65e40d2edf19a11a822b678bd799faada778dec1b6b0f0137984284bbd
                                            • Opcode Fuzzy Hash: e2d4f048723bd054f10c888b1840e2f795b652f25687683406468bc7da83aa47
                                            • Instruction Fuzzy Hash: 8341D771D01158DEDB11EF91C945BDEBBBCAF14304F10406FE509A7282DBB81E05DBA9
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                              • Part of subcall function 0045C169: _malloc.LIBCMT ref: 0045C181
                                            • GetLastError.KERNEL32 ref: 00455104
                                              • Part of subcall function 004551C9: _wcsstr.LIBCMT ref: 004551D3
                                              • Part of subcall function 004551C9: lstrlenW.KERNEL32(?,00000000,?,0045516C,00000000,2.5.4.3,?), ref: 004551E3
                                              • Part of subcall function 004551C9: _wcsstr.LIBCMT ref: 004551F5
                                            • lstrcpynW.KERNEL32(?,00000000,?,00000000,2.5.4.3,?), ref: 00455146
                                            • lstrlenW.KERNEL32(00000000,00000000,1.2.840.113549.1.9.1,?,00000000,2.5.4.10,?,00000000,2.5.4.11,?,00000000,2.5.4.3,?), ref: 004551BE
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2441700723.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441790678.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441825034.00000000004D7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.00000000004DC000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000509000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000519000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: _wcsstrlstrlen$ErrorLast_malloclstrcpyn
                                            • String ID: 1.2.840.113549.1.9.1$2.5.4.10$2.5.4.11$2.5.4.3
                                            • API String ID: 3960672464-2689139351
                                            • Opcode ID: bbf54130cddc796be71c83d564c6a3d96693d52503d9355564910892199186a4
                                            • Instruction ID: f5d2370faaa406121b57e90a4b04f141a1cce7fcf5fbf07f2968b0e51ee89e79
                                            • Opcode Fuzzy Hash: bbf54130cddc796be71c83d564c6a3d96693d52503d9355564910892199186a4
                                            • Instruction Fuzzy Hash: D8317031600A05BF8B019F69DCA1EFB3BA9EF89351B11046BFC06C7242DA75DD488768
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • _memmove.LIBCMT ref: 0049A41A
                                            • _memmove.LIBCMT ref: 0049A43A
                                            • lstrcmpA.KERNEL32(0000000B,NETSCAPE2.0,?,?,?,?,00000000,?,?,0049A70C,0049A70D), ref: 0049A44F
                                            • _memmove.LIBCMT ref: 0049A467
                                            • _memmove.LIBCMT ref: 0049A48D
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2441700723.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441790678.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441825034.00000000004D7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.00000000004DC000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000509000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000519000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: _memmove$lstrcmp
                                            • String ID: NETSCAPE2.0
                                            • API String ID: 1993653321-1278374441
                                            • Opcode ID: a4fa64b6d87acade666cc8a3977ed79d75b3c52297e1fa9762e53d964d4f5fc1
                                            • Instruction ID: 3e520c9362377f432e9dd8ed6ead6f72ff7c9741bbdfae2883ad40be41d2d1ca
                                            • Opcode Fuzzy Hash: a4fa64b6d87acade666cc8a3977ed79d75b3c52297e1fa9762e53d964d4f5fc1
                                            • Instruction Fuzzy Hash: 9531AD71900219EFCF21DFA8D849AAEBBF8FF59314F10086EE540A7101E3B89555CB9A
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 00421651
                                            • _memmove.LIBCMT ref: 0042166B
                                              • Part of subcall function 004043D0: GetLastError.KERNEL32(2E932D87,74DEDFA0,?,74DEE010,?,?,?,?,?,?,004AC3A0,000000FF,?,00403D9D,?,?), ref: 00404421
                                              • Part of subcall function 004043D0: SetLastError.KERNEL32(?,?,?,?,?,?,?,004AC3A0,000000FF,?,00403D9D,?,?), ref: 00404451
                                              • Part of subcall function 004043D0: GetLastError.KERNEL32(00000000,00000000,00000000,?,00000001,?,?,?,?,?,?,004AC3A0,000000FF,?,00403D9D,?), ref: 004044A1
                                              • Part of subcall function 004043D0: SysFreeString.OLEAUT32(?), ref: 004044BD
                                              • Part of subcall function 004043D0: SysFreeString.OLEAUT32(?), ref: 004044C8
                                              • Part of subcall function 004043D0: SetLastError.KERNEL32(?), ref: 004044E8
                                            • lstrcpyW.KERNEL32(?,-00000004), ref: 004216A1
                                            • __setjmp3.LIBCMT ref: 004216C2
                                            • _memmove.LIBCMT ref: 00421712
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2441700723.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441790678.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441825034.00000000004D7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.00000000004DC000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000509000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000519000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: ErrorLast$FreeString_memmove$H_prolog3___setjmp3lstrcpy
                                            • String ID: setup.cpp
                                            • API String ID: 3036740637-2020632666
                                            • Opcode ID: d7b618ac555a883af92fda6e564d1a15298a512bc9806faaaa4f80804c2209e7
                                            • Instruction ID: 34987dae8071f6da1c7759080f16604cae73d5b2f35546376972d6297ad30ec1
                                            • Opcode Fuzzy Hash: d7b618ac555a883af92fda6e564d1a15298a512bc9806faaaa4f80804c2209e7
                                            • Instruction Fuzzy Hash: D321AE71A00214DBDB14EB91DD42FAF7378AB44705F00405EF505E7142EB7C9B098BA9
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 00421B52
                                            • _memmove.LIBCMT ref: 00421B6C
                                              • Part of subcall function 004043D0: GetLastError.KERNEL32(2E932D87,74DEDFA0,?,74DEE010,?,?,?,?,?,?,004AC3A0,000000FF,?,00403D9D,?,?), ref: 00404421
                                              • Part of subcall function 004043D0: SetLastError.KERNEL32(?,?,?,?,?,?,?,004AC3A0,000000FF,?,00403D9D,?,?), ref: 00404451
                                              • Part of subcall function 004043D0: GetLastError.KERNEL32(00000000,00000000,00000000,?,00000001,?,?,?,?,?,?,004AC3A0,000000FF,?,00403D9D,?), ref: 004044A1
                                              • Part of subcall function 004043D0: SysFreeString.OLEAUT32(?), ref: 004044BD
                                              • Part of subcall function 004043D0: SysFreeString.OLEAUT32(?), ref: 004044C8
                                              • Part of subcall function 004043D0: SetLastError.KERNEL32(?), ref: 004044E8
                                            • lstrcpyW.KERNEL32(?,-00000004), ref: 00421BA2
                                            • __setjmp3.LIBCMT ref: 00421BC3
                                            • _memmove.LIBCMT ref: 00421C11
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2441700723.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441790678.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441825034.00000000004D7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.00000000004DC000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000509000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000519000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: ErrorLast$FreeString_memmove$H_prolog3___setjmp3lstrcpy
                                            • String ID: setup.cpp
                                            • API String ID: 3036740637-2020632666
                                            • Opcode ID: 5ff24315c6064dd979eadb27dfc15860c64ea6c8bd52747b95b044732f161898
                                            • Instruction ID: c6bc1e970fe75999aa5f31fbcb257421081f06be1b76ed2ef1863a06f5de16f5
                                            • Opcode Fuzzy Hash: 5ff24315c6064dd979eadb27dfc15860c64ea6c8bd52747b95b044732f161898
                                            • Instruction Fuzzy Hash: 6D210B71A00208DBDB14EB91CC41F9E7378FF44305F0040AEF605EB152EB78AA098B69
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 004442CC
                                              • Part of subcall function 00404200: GetLastError.KERNEL32 ref: 0040421F
                                              • Part of subcall function 00404200: SetLastError.KERNEL32(?), ref: 0040424F
                                            • UuidToStringW.RPCRT4(?,?), ref: 0044430C
                                              • Part of subcall function 00449C16: __EH_prolog3.LIBCMT ref: 00449C1D
                                              • Part of subcall function 00449C16: CharUpperW.USER32(00000000,?,?,0000000C,00444337), ref: 00449C3F
                                            • RpcStringFreeW.RPCRT4(00000000), ref: 0044433B
                                              • Part of subcall function 00408E82: __EH_prolog3.LIBCMT ref: 00408E89
                                              • Part of subcall function 00408E82: GetLastError.KERNEL32(00000004,00409E1B,004C2FA0,00000000,0043A706,?,?,00000001), ref: 00408EAB
                                              • Part of subcall function 00408E82: SetLastError.KERNEL32(?,00000000), ref: 00408EE3
                                              • Part of subcall function 00401B80: GetLastError.KERNEL32(?,00000000,00409F66,00000000,?,00000000,?,00000001,00000048,00409E02,004C2FA0,?,00000000,00000000,0000003C,00409181), ref: 00401B8F
                                              • Part of subcall function 00401B80: SysFreeString.OLEAUT32(00000000), ref: 00401BAB
                                              • Part of subcall function 00401B80: SysFreeString.OLEAUT32(0000002C), ref: 00401BB6
                                              • Part of subcall function 00401B80: SetLastError.KERNEL32(?), ref: 00401BD4
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2441700723.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441790678.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441825034.00000000004D7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.00000000004DC000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000509000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000519000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: ErrorLast$String$Free$H_prolog3$CharH_prolog3_UpperUuid
                                            • String ID: 4OD$@/L$|-L
                                            • API String ID: 1620240345-1624138275
                                            • Opcode ID: 7413501ce0a506d984526813058e47a664beb516ea88e38bf8437740fe2ce372
                                            • Instruction ID: 00656392063dec48de0538246a3a7f9acd77e9e4c82ad09656b3f43602c32f3f
                                            • Opcode Fuzzy Hash: 7413501ce0a506d984526813058e47a664beb516ea88e38bf8437740fe2ce372
                                            • Instruction Fuzzy Hash: 72113D71A10618DBDB01EFD1C881BDEB7B8BF04305F40402EE506AB195DBB89E09CB98
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __lock.LIBCMT ref: 0046227A
                                              • Part of subcall function 0046323D: __mtinitlocknum.LIBCMT ref: 0046324F
                                              • Part of subcall function 0046323D: EnterCriticalSection.KERNEL32(00000000,?,00464E54,0000000D), ref: 00463268
                                            • InterlockedDecrement.KERNEL32(00000000), ref: 0046228D
                                            • _free.LIBCMT ref: 004622A3
                                              • Part of subcall function 0045D646: HeapFree.KERNEL32(00000000,00000000), ref: 0045D65A
                                              • Part of subcall function 0045D646: GetLastError.KERNEL32(00000000), ref: 0045D66C
                                            • __lock.LIBCMT ref: 004622BC
                                            • ___removelocaleref.LIBCMT ref: 004622CB
                                            • ___freetlocinfo.LIBCMT ref: 004622E4
                                            • _free.LIBCMT ref: 004622F7
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Similarity
                                            • API ID: __lock_free$CriticalDecrementEnterErrorFreeHeapInterlockedLastSection___freetlocinfo___removelocaleref__mtinitlocknum
                                            • String ID:
                                            • API String ID: 3591963704-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Similarity
                                            • API ID: Name::operator+$NameName::
                                            • String ID: throw(
                                            • API String ID: 168861036-3159766648
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 004496F4
                                            • SetFileTime.KERNEL32(?,@/L,?,?,00000084,00441A50,?,?,?,00000000,?,00000000,00000000,?,00000000), ref: 0044970A
                                              • Part of subcall function 00408E82: __EH_prolog3.LIBCMT ref: 00408E89
                                              • Part of subcall function 00408E82: GetLastError.KERNEL32(00000004,00409E1B,004C2FA0,00000000,0043A706,?,?,00000001), ref: 00408EAB
                                              • Part of subcall function 00408E82: SetLastError.KERNEL32(?,00000000), ref: 00408EE3
                                              • Part of subcall function 00416910: __EH_prolog3.LIBCMT ref: 00416917
                                            • __CxxThrowException@8.LIBCMT ref: 00449750
                                              • Part of subcall function 0045A466: RaiseException.KERNEL32(?,?,00459FCC,00000000,?,?,?,?,00459FCC,00000000,004D0E78,?), ref: 0045A4B7
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Similarity
                                            • API ID: ErrorH_prolog3Last$ExceptionException@8FileH_prolog3_RaiseThrowTime
                                            • String ID: @/L$dJ$lJ
                                            • API String ID: 2956807928-3790234748
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                              • Part of subcall function 00422F30: lstrcmpiW.KERNEL32(?,?,?,00418115,?,?,?,2E932D87,?,?,?,?,?,004A2661,000000FF), ref: 00422F9F
                                            • CharNextW.USER32(00000000), ref: 004181D0
                                            • CharNextW.USER32(00000000), ref: 004181ED
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Similarity
                                            • API ID: CharNext$lstrcmpi
                                            • String ID:
                                            • API String ID: 3586774192-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetLastError.KERNEL32(2E932D87), ref: 00480D2C
                                            • SetLastError.KERNEL32(004C2FA8,00000000,00000000,000000FF), ref: 00480D86
                                            • GetLastError.KERNEL32(00000008,00000006), ref: 00480DCA
                                            • SetLastError.KERNEL32(?,00000000,00000000,000000FF), ref: 00480E15
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Similarity
                                            • API ID: ErrorLast
                                            • String ID: @/L$x/L
                                            • API String ID: 1452528299-2858065147
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetDC.USER32(00000000), ref: 00498366
                                            • SelectPalette.GDI32(00000000,?,00000000), ref: 00498389
                                            • RealizePalette.GDI32(00000000), ref: 0049839D
                                            • CreateDIBitmap.GDI32(00000000,00490AAE,00000004,?,00490AAE,00000000), ref: 004983BF
                                            • SelectPalette.GDI32(00000000,00490AAE,00000000), ref: 004983D3
                                            • ReleaseDC.USER32(00000000,00000000), ref: 004983DC
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Similarity
                                            • API ID: Palette$Select$BitmapCreateRealizeRelease
                                            • String ID:
                                            • API String ID: 1213237138-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3.LIBCMT ref: 00415BB0
                                            • GetLastError.KERNEL32(00000004,00415B83,?,00000000,?,00000001), ref: 00415BD2
                                            • SetLastError.KERNEL32(?), ref: 00415C05
                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000), ref: 00415C26
                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,00000002,00000000,00000000,00000000), ref: 00415C4D
                                            • SetLastError.KERNEL32(?), ref: 00415C5B
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Similarity
                                            • API ID: ErrorLast$ByteCharMultiWide$H_prolog3
                                            • String ID:
                                            • API String ID: 1573742327-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • IsWindow.USER32(?), ref: 0043936D
                                            • GetLastError.KERNEL32(?,004392EC,?), ref: 0043937E
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Similarity
                                            • API ID: ErrorLastWindow
                                            • String ID:
                                            • API String ID: 3412209079-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __init_pointers.LIBCMT ref: 00464EBE
                                              • Part of subcall function 00469D50: EncodePointer.KERNEL32(00000000,?,00464EC3,0045E4DC,004D1058,00000014), ref: 00469D53
                                              • Part of subcall function 00469D50: __initp_misc_winsig.LIBCMT ref: 00469D74
                                            • __mtinitlocks.LIBCMT ref: 00464EC3
                                              • Part of subcall function 0046338C: InitializeCriticalSectionAndSpinCount.KERNEL32(004D8080,00000FA0,?,?,00464EC8,0045E4DC,004D1058,00000014), ref: 004633AA
                                            • __mtterm.LIBCMT ref: 00464ECC
                                            • __calloc_crt.LIBCMT ref: 00464EF1
                                            • GetCurrentThreadId.KERNEL32 ref: 00464F1A
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Similarity
                                            • API ID: CountCriticalCurrentEncodeInitializePointerSectionSpinThread__calloc_crt__init_pointers__initp_misc_winsig__mtinitlocks__mtterm
                                            • String ID:
                                            • API String ID: 1171689812-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetDlgItem.USER32(?,000003ED), ref: 00438201
                                            • EnableWindow.USER32(00000000), ref: 00438204
                                            • GetDlgItem.USER32(?,000003ED), ref: 0043821D
                                            • EnableWindow.USER32(00000000), ref: 00438220
                                            • GetDlgItem.USER32(?,000003ED), ref: 0043822E
                                            • SetFocus.USER32(00000000), ref: 00438231
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Similarity
                                            • API ID: Item$EnableWindow$Focus
                                            • String ID:
                                            • API String ID: 864471436-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3_catch_GS.LIBCMT ref: 004314ED
                                              • Part of subcall function 00402CE0: GetLastError.KERNEL32(2E932D87,?,00000000,74DEDFA0,?,?,004AC418,000000FF,T4L,00401EE2,InstallShield.log,?), ref: 00402D30
                                              • Part of subcall function 00402CE0: SetLastError.KERNEL32(?,004C2D7C,00000000,?,00000000,74DEDFA0,?,?,004AC418,000000FF,T4L,00401EE2,InstallShield.log,?), ref: 00402DA8
                                              • Part of subcall function 0042EA79: __EH_prolog3_GS.LIBCMT ref: 0042EA80
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Similarity
                                            • API ID: ErrorLast$H_prolog3_H_prolog3_catch_
                                            • String ID: @/L$P/L$PrereqEngine: $|-L
                                            • API String ID: 1178870419-2914931958
                                            • Opcode ID: a8d650027d0ba58344cb67626ee904bca68d43b86af8dec93370246e911b16fe
                                            • Instruction ID: e1fab1a8d7f8bc83cc4d25d4c28cdd714708b1fcc9c5f65e0ec4b13bbffdab30
                                            • Opcode Fuzzy Hash: a8d650027d0ba58344cb67626ee904bca68d43b86af8dec93370246e911b16fe
                                            • Instruction Fuzzy Hash: 5E71B471A00155AFDB18EFA5CD55BDEB7B8AF04304F0042AFE41AB32A1DB746A44CF64
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 0043C546
                                            • SysAllocString.OLEAUT32(00000000), ref: 0043C567
                                            • SysFreeString.OLEAUT32(00000000), ref: 0043C720
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2441700723.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441790678.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441825034.00000000004D7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.00000000004DC000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000509000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000519000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: String$AllocFreeH_prolog3_
                                            • String ID: $lJ
                                            • API String ID: 1289132702-3830903251
                                            • Opcode ID: 28c54697bb10edc6d98e753aee2b3e6f6e0fe5acef60e22b62bda0c2a55f0755
                                            • Instruction ID: ec6441d05a39f0ffc0adcb86b733734612cfa54150e513cac135d75922fbb199
                                            • Opcode Fuzzy Hash: 28c54697bb10edc6d98e753aee2b3e6f6e0fe5acef60e22b62bda0c2a55f0755
                                            • Instruction Fuzzy Hash: 53619170A00214DFCF14EFA8C9816AEB7B5BF09704F14606FE451BB291DB789D46CB99
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 00424ACA
                                              • Part of subcall function 00408E82: __EH_prolog3.LIBCMT ref: 00408E89
                                              • Part of subcall function 00408E82: GetLastError.KERNEL32(00000004,00409E1B,004C2FA0,00000000,0043A706,?,?,00000001), ref: 00408EAB
                                              • Part of subcall function 00408E82: SetLastError.KERNEL32(?,00000000), ref: 00408EE3
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2441700723.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441790678.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441825034.00000000004D7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.00000000004DC000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000509000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000519000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: ErrorLast$H_prolog3H_prolog3_
                                            • String ID: %20$@/L$@/L$file://
                                            • API String ID: 852442433-164781276
                                            • Opcode ID: 8ee605a93a8b1580ba6785ed4adb835d79298e97e6297695f1123718b497e686
                                            • Instruction ID: 1528c8e5819f77cde185752bd69a75e8e9a6e4fcefa1701a804399f640097435
                                            • Opcode Fuzzy Hash: 8ee605a93a8b1580ba6785ed4adb835d79298e97e6297695f1123718b497e686
                                            • Instruction Fuzzy Hash: 3F619E70A00218EEDB14EBA1CC42BDDB7B8EF54718F5041AFE045B71D1DBB86A49CB69
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 00431271
                                              • Part of subcall function 004053A0: GetLastError.KERNEL32(2E932D87,?,?,?,?,004AC278,000000FF), ref: 004053E2
                                              • Part of subcall function 004053A0: SetLastError.KERNEL32(?,00000000,00000000,000000FF,?,?,?,?,004AC278,000000FF), ref: 0040543E
                                              • Part of subcall function 00403FB0: GetLastError.KERNEL32(2E932D87,?,?,?,?,?,004AC2D8,000000FF), ref: 00403FF3
                                              • Part of subcall function 00403FB0: SetLastError.KERNEL32(?,004C2D7C,00000000,?,?,?,?,?,004AC2D8,000000FF), ref: 00404068
                                              • Part of subcall function 00401AC0: GetLastError.KERNEL32(?,?,0040E566), ref: 00401ACF
                                              • Part of subcall function 00401AC0: SysFreeString.OLEAUT32(?), ref: 00401AEB
                                              • Part of subcall function 00401AC0: SysFreeString.OLEAUT32(?), ref: 00401AF6
                                              • Part of subcall function 00401AC0: SetLastError.KERNEL32(?), ref: 00401B14
                                              • Part of subcall function 00404580: GetLastError.KERNEL32(2E932D87,?,?,?,00000000,004ACAC8,000000FF,T4L,004050D6,00000000,00000001,000000FF), ref: 004045BE
                                              • Part of subcall function 00404580: SetLastError.KERNEL32(?,00000000,00000000,00000000), ref: 0040461A
                                              • Part of subcall function 004034E0: GetLastError.KERNEL32 ref: 0040354B
                                              • Part of subcall function 004034E0: SetLastError.KERNEL32(T4L,00000000,00000000,000000FF), ref: 004035B4
                                              • Part of subcall function 004034E0: SysFreeString.OLEAUT32(?), ref: 004036A6
                                              • Part of subcall function 00404640: GetLastError.KERNEL32 ref: 004046A7
                                              • Part of subcall function 00404640: SetLastError.KERNEL32(T4L,00000000,00000000,000000FF), ref: 0040470A
                                              • Part of subcall function 00404640: GetLastError.KERNEL32(00000000,00000000,000000FF,?,00000000,?,?), ref: 00404792
                                              • Part of subcall function 00404640: SysFreeString.OLEAUT32(?), ref: 004047AC
                                              • Part of subcall function 00404640: SysFreeString.OLEAUT32(?), ref: 004047BC
                                              • Part of subcall function 00448D7A: __EH_prolog3_GS.LIBCMT ref: 00448D81
                                              • Part of subcall function 00448D7A: RegQueryValueExW.KERNELBASE(?,?,00000000,00000008,00000000,@/L,0000005C,0041AB68,?,-80000001,?,?), ref: 00448DF6
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2441700723.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441790678.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441825034.00000000004D7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.00000000004DC000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000509000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000519000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: ErrorLast$FreeString$H_prolog3_$QueryValue
                                            • String ID: P/L$T4L$T4L$[]
                                            • API String ID: 3993292288-649137697
                                            • Opcode ID: b6b7e1a41def31ab5f0c4c1ae1c42f3cf733ba18225d35173c3565cd8c40adae
                                            • Instruction ID: d76bb1c3bbeafd0692d2ed4f9c8c159ccc08e12f840e244448e537af8664d64f
                                            • Opcode Fuzzy Hash: b6b7e1a41def31ab5f0c4c1ae1c42f3cf733ba18225d35173c3565cd8c40adae
                                            • Instruction Fuzzy Hash: 6D515C71910258EEDB14EBA5CC41FEDB7B8AF14304F5040AEE509B71D2DBB86A48CF69
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 0040A210
                                              • Part of subcall function 00408E82: __EH_prolog3.LIBCMT ref: 00408E89
                                              • Part of subcall function 00408E82: GetLastError.KERNEL32(00000004,00409E1B,004C2FA0,00000000,0043A706,?,?,00000001), ref: 00408EAB
                                              • Part of subcall function 00408E82: SetLastError.KERNEL32(?,00000000), ref: 00408EE3
                                              • Part of subcall function 00401B80: GetLastError.KERNEL32(?,00000000,00409F66,00000000,?,00000000,?,00000001,00000048,00409E02,004C2FA0,?,00000000,00000000,0000003C,00409181), ref: 00401B8F
                                              • Part of subcall function 00401B80: SysFreeString.OLEAUT32(00000000), ref: 00401BAB
                                              • Part of subcall function 00401B80: SysFreeString.OLEAUT32(0000002C), ref: 00401BB6
                                              • Part of subcall function 00401B80: SetLastError.KERNEL32(?), ref: 00401BD4
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2441700723.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441790678.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441825034.00000000004D7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.00000000004DC000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000509000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000519000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: ErrorLast$FreeString$H_prolog3H_prolog3_
                                            • String ID: @/L$@/L$\$|-L
                                            • API String ID: 2488494826-1945259057
                                            • Opcode ID: 9b365b95b0b80999ab82a1f3eda1171a76954f55c9bfd30b69770c826da1e718
                                            • Instruction ID: a68700e8c92d30bc852636d4d0c0e4b585e1e741e8c94725aea4fe52d274327e
                                            • Opcode Fuzzy Hash: 9b365b95b0b80999ab82a1f3eda1171a76954f55c9bfd30b69770c826da1e718
                                            • Instruction Fuzzy Hash: 2A517B30910218DEDB14EBA1CC51BEEB778BF14304F1441AEE846B72D1DBB86A49CF56
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3.LIBCMT ref: 00440F1E
                                            • GetLastError.KERNEL32(00000048), ref: 00440F2A
                                              • Part of subcall function 00408E82: __EH_prolog3.LIBCMT ref: 00408E89
                                              • Part of subcall function 00408E82: GetLastError.KERNEL32(00000004,00409E1B,004C2FA0,00000000,0043A706,?,?,00000001), ref: 00408EAB
                                              • Part of subcall function 00408E82: SetLastError.KERNEL32(?,00000000), ref: 00408EE3
                                              • Part of subcall function 00457CBF: __EH_prolog3.LIBCMT ref: 00457CC6
                                              • Part of subcall function 00457CBF: GetLastError.KERNEL32(0000000C,00440F6F), ref: 00457CDE
                                              • Part of subcall function 00457CBF: GetModuleHandleW.KERNEL32(Kernel32,CreateFileW), ref: 00457CF5
                                              • Part of subcall function 00457CBF: GetProcAddress.KERNEL32(00000000), ref: 00457CFC
                                              • Part of subcall function 00457CBF: GetModuleHandleW.KERNEL32(Kernel32,CreateFileMappingW), ref: 00457DAF
                                              • Part of subcall function 00457CBF: GetProcAddress.KERNEL32(00000000), ref: 00457DB6
                                              • Part of subcall function 00457CBF: GetModuleHandleW.KERNEL32(Kernel32,MapViewOfFile), ref: 00457E29
                                              • Part of subcall function 00457CBF: GetProcAddress.KERNEL32(00000000), ref: 00457E30
                                              • Part of subcall function 00445FB9: GetModuleHandleW.KERNEL32(Advapi32.lib,IsTextUnicode), ref: 00445FCE
                                              • Part of subcall function 00445FB9: GetProcAddress.KERNEL32(00000000), ref: 00445FD5
                                            • WideCharToMultiByte.KERNEL32(?,00000240,?,?,?,?,004B6B30,?), ref: 00441005
                                            • GetLastError.KERNEL32 ref: 00441012
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2441700723.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441790678.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441825034.00000000004D7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.00000000004DC000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000509000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000519000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: ErrorLast$AddressHandleModuleProc$H_prolog3$ByteCharMultiWide
                                            • String ID: @/L
                                            • API String ID: 731440430-3803013380
                                            • Opcode ID: 9074dba6f0d79529d269ef715dec41c30736de720ddd714637b9d6d85d5dbac7
                                            • Instruction ID: 4ccc9405fa1d0ff21b8dea3ffeff9d778c02987faaa330ebfbda5f0824da2204
                                            • Opcode Fuzzy Hash: 9074dba6f0d79529d269ef715dec41c30736de720ddd714637b9d6d85d5dbac7
                                            • Instruction Fuzzy Hash: 2D418BB1801108EFDF00EFE5C986AEE7B74AF15308F50446EF805A7252EBB95A4DC799
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3.LIBCMT ref: 0044107F
                                            • GetLastError.KERNEL32(00000044), ref: 0044108B
                                              • Part of subcall function 00408E82: __EH_prolog3.LIBCMT ref: 00408E89
                                              • Part of subcall function 00408E82: GetLastError.KERNEL32(00000004,00409E1B,004C2FA0,00000000,0043A706,?,?,00000001), ref: 00408EAB
                                              • Part of subcall function 00408E82: SetLastError.KERNEL32(?,00000000), ref: 00408EE3
                                              • Part of subcall function 00457CBF: __EH_prolog3.LIBCMT ref: 00457CC6
                                              • Part of subcall function 00457CBF: GetLastError.KERNEL32(0000000C,00440F6F), ref: 00457CDE
                                              • Part of subcall function 00457CBF: GetModuleHandleW.KERNEL32(Kernel32,CreateFileW), ref: 00457CF5
                                              • Part of subcall function 00457CBF: GetProcAddress.KERNEL32(00000000), ref: 00457CFC
                                              • Part of subcall function 00457CBF: GetModuleHandleW.KERNEL32(Kernel32,CreateFileMappingW), ref: 00457DAF
                                              • Part of subcall function 00457CBF: GetProcAddress.KERNEL32(00000000), ref: 00457DB6
                                              • Part of subcall function 00457CBF: GetModuleHandleW.KERNEL32(Kernel32,MapViewOfFile), ref: 00457E29
                                              • Part of subcall function 00457CBF: GetProcAddress.KERNEL32(00000000), ref: 00457E30
                                              • Part of subcall function 00457CBF: GetModuleHandleW.KERNEL32(Kernel32,CreateFileA), ref: 00457D4D
                                              • Part of subcall function 00457CBF: GetProcAddress.KERNEL32(00000000), ref: 00457D54
                                              • Part of subcall function 00457CBF: GetModuleHandleW.KERNEL32(Kernel32,CreateFileMappingA), ref: 00457DEA
                                              • Part of subcall function 00457CBF: GetProcAddress.KERNEL32(00000000), ref: 00457DF1
                                              • Part of subcall function 00457CBF: GetModuleHandleW.KERNEL32(Kernel32,GetFileSize), ref: 00457E70
                                              • Part of subcall function 00457CBF: GetProcAddress.KERNEL32(00000000), ref: 00457E77
                                              • Part of subcall function 00457CBF: GetLastError.KERNEL32 ref: 00457E96
                                            • MultiByteToWideChar.KERNEL32(?,00000006,?,?,?,?), ref: 00441140
                                            • GetLastError.KERNEL32 ref: 0044114D
                                              • Part of subcall function 004496BE: __EH_prolog3.LIBCMT ref: 004496C5
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2441700723.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441790678.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441825034.00000000004D7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.00000000004DC000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000509000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000519000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: AddressErrorHandleLastModuleProc$H_prolog3$ByteCharMultiWide
                                            • String ID: @/L
                                            • API String ID: 2799633331-3803013380
                                            • Opcode ID: d19cdf18f1ed80e7a62f4794d7fd558e597bc7de43e361250c91ad3dc42c925d
                                            • Instruction ID: 6d174138ddec6eafbbae5650927020fe4c4cdda27c0102c4e703617ed521e5d8
                                            • Opcode Fuzzy Hash: d19cdf18f1ed80e7a62f4794d7fd558e597bc7de43e361250c91ad3dc42c925d
                                            • Instruction Fuzzy Hash: AD31AB70801109DFDB00EFA5C945BED7BB8EF14308F50446EF805A7362EB795A49CB55
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 0042C53C
                                              • Part of subcall function 00403F50: GetLastError.KERNEL32 ref: 00403F6F
                                              • Part of subcall function 00403F50: SetLastError.KERNEL32(?), ref: 00403F9F
                                            • SetWindowTextW.USER32(?,?), ref: 0042C611
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2441700723.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441790678.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441825034.00000000004D7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.00000000004DC000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000509000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000519000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: ErrorLast$H_prolog3_TextWindow
                                            • String ID: %s,%s,%s,%s,%s,%s$P/L$T4L
                                            • API String ID: 1521029078-449185663
                                            • Opcode ID: 3b0af938fc60b054702839d12fc549c013868f068eec0b6e43668b5e35d989f8
                                            • Instruction ID: f4a01a30335409e87c1402612f90d7242f43d1f19d236d3418f45e74084d0199
                                            • Opcode Fuzzy Hash: 3b0af938fc60b054702839d12fc549c013868f068eec0b6e43668b5e35d989f8
                                            • Instruction Fuzzy Hash: 23316CB0A00219DFDF14DF94D980A9EB7B8FF48309F14402AE906AB305D734FA45CBA9
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3_catch_GS.LIBCMT ref: 00442021
                                              • Part of subcall function 00416831: __EH_prolog3.LIBCMT ref: 00416838
                                              • Part of subcall function 00408E82: __EH_prolog3.LIBCMT ref: 00408E89
                                              • Part of subcall function 00408E82: GetLastError.KERNEL32(00000004,00409E1B,004C2FA0,00000000,0043A706,?,?,00000001), ref: 00408EAB
                                              • Part of subcall function 00408E82: SetLastError.KERNEL32(?,00000000), ref: 00408EE3
                                              • Part of subcall function 00424632: __EH_prolog3.LIBCMT ref: 00424639
                                              • Part of subcall function 00401B80: GetLastError.KERNEL32(?,00000000,00409F66,00000000,?,00000000,?,00000001,00000048,00409E02,004C2FA0,?,00000000,00000000,0000003C,00409181), ref: 00401B8F
                                              • Part of subcall function 00401B80: SysFreeString.OLEAUT32(00000000), ref: 00401BAB
                                              • Part of subcall function 00401B80: SysFreeString.OLEAUT32(0000002C), ref: 00401BB6
                                              • Part of subcall function 00401B80: SetLastError.KERNEL32(?), ref: 00401BD4
                                              • Part of subcall function 00416CE9: __EH_prolog3.LIBCMT ref: 00416CF0
                                            • __CxxThrowException@8.LIBCMT ref: 004420E0
                                              • Part of subcall function 0045A466: RaiseException.KERNEL32(?,?,00459FCC,00000000,?,?,?,?,00459FCC,00000000,004D0E78,?), ref: 0045A4B7
                                              • Part of subcall function 004176D4: __EH_prolog3.LIBCMT ref: 004176DB
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2441700723.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441790678.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441825034.00000000004D7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.00000000004DC000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000509000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000519000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: H_prolog3$ErrorLast$FreeString$ExceptionException@8H_prolog3_catch_RaiseThrow
                                            • String ID: $dJ$lJ
                                            • API String ID: 1995314774-4228904431
                                            • Opcode ID: d72664996292a832660e258d41729dba9f94cab7d23e73910a39a2347f54ec67
                                            • Instruction ID: 2cac7d60a1659bea1cbe3e71f3f451ce9cb96ef96a3828fbbf95e3a3f1390ee8
                                            • Opcode Fuzzy Hash: d72664996292a832660e258d41729dba9f94cab7d23e73910a39a2347f54ec67
                                            • Instruction Fuzzy Hash: D831D770800258EADB00EBE1C955BDEBB78AF15348F44409FF94577282EBB85B4CC769
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 0040DF50
                                              • Part of subcall function 00408E82: __EH_prolog3.LIBCMT ref: 00408E89
                                              • Part of subcall function 00408E82: GetLastError.KERNEL32(00000004,00409E1B,004C2FA0,00000000,0043A706,?,?,00000001), ref: 00408EAB
                                              • Part of subcall function 00408E82: SetLastError.KERNEL32(?,00000000), ref: 00408EE3
                                              • Part of subcall function 00404200: GetLastError.KERNEL32 ref: 0040421F
                                              • Part of subcall function 00404200: SetLastError.KERNEL32(?), ref: 0040424F
                                              • Part of subcall function 0040A206: __EH_prolog3_GS.LIBCMT ref: 0040A210
                                            Strings
                                            Similarity
                                            • API ID: ErrorLast$H_prolog3_$H_prolog3
                                            • String ID: .$@/L$@/L$@/L
                                            • API String ID: 532146472-1829882848
                                            • Opcode ID: f78363ac1fd4950693921e9715f40583ca3c7ac7207f9ec00c014efd490f8519
                                            • Instruction ID: 3aaa0816592bffb927c1c55b48c1853e7177ff1124f314acb2e9864149553947
                                            • Opcode Fuzzy Hash: f78363ac1fd4950693921e9715f40583ca3c7ac7207f9ec00c014efd490f8519
                                            • Instruction Fuzzy Hash: 66319E71A0021CEECB14EB95C891FDEB3B8AF05354F1041AEE446732D2DBB81A49CB59
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 0044468C
                                              • Part of subcall function 00404200: GetLastError.KERNEL32 ref: 0040421F
                                              • Part of subcall function 00404200: SetLastError.KERNEL32(?), ref: 0040424F
                                              • Part of subcall function 00408F6D: __EH_prolog3.LIBCMT ref: 00408F74
                                              • Part of subcall function 00408F6D: GetLastError.KERNEL32(00000004,004091E9,00000000,?,00000000,00000000), ref: 00408F96
                                              • Part of subcall function 00408F6D: SetLastError.KERNEL32(?,00000000,?), ref: 00408FCF
                                              • Part of subcall function 0040A0F0: SysStringLen.OLEAUT32(?), ref: 0040A0FD
                                              • Part of subcall function 0040A0F0: SysReAllocStringLen.OLEAUT32(?,00000001,?), ref: 0040A117
                                              • Part of subcall function 00401B80: GetLastError.KERNEL32(?,00000000,00409F66,00000000,?,00000000,?,00000001,00000048,00409E02,004C2FA0,?,00000000,00000000,0000003C,00409181), ref: 00401B8F
                                              • Part of subcall function 00401B80: SysFreeString.OLEAUT32(00000000), ref: 00401BAB
                                              • Part of subcall function 00401B80: SysFreeString.OLEAUT32(0000002C), ref: 00401BB6
                                              • Part of subcall function 00401B80: SetLastError.KERNEL32(?), ref: 00401BD4
                                              • Part of subcall function 00409574: __EH_prolog3_GS.LIBCMT ref: 0040957B
                                              • Part of subcall function 00409574: GetLastError.KERNEL32(00000038,0040DDFB,004492A1,?,004AFFA0), ref: 00409582
                                              • Part of subcall function 00409574: SetLastError.KERNEL32(00000000), ref: 004095D6
                                            Strings
                                            Similarity
                                            • API ID: ErrorLast$String$FreeH_prolog3_$AllocH_prolog3
                                            • String ID: @/L$@/L$@/L$InstalledProductName
                                            • API String ID: 1908522000-464250035
                                            • Opcode ID: c0ad12979af53723aecf2eabf73064a48643d41ff655fb4c2c7e3f9c0365bf5a
                                            • Instruction ID: 4ce88fb489b31431c67c6434e6b4d49d01b104afd3fbd7af1a4c8fd3ffeb4cb2
                                            • Opcode Fuzzy Hash: c0ad12979af53723aecf2eabf73064a48643d41ff655fb4c2c7e3f9c0365bf5a
                                            • Instruction Fuzzy Hash: 55316D7090020CDFDB10EFA5C981FDDBBB8AF54308F60406EE40567182DBB86A49CBA5
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • SysFreeString.OLEAUT32(?), ref: 004060C2
                                            • GetLastError.KERNEL32(2E932D87,?,74DEE010,00000000,00000000,?,004ACA98,000000FF,T4L,00404B04), ref: 004060ED
                                            • SetLastError.KERNEL32(?,00000004,00000000,000000FF), ref: 0040613E
                                            Strings
                                            Similarity
                                            • API ID: ErrorLast$FreeString
                                            • String ID: T4L$T4L
                                            • API String ID: 2425351278-3367740000
                                            • Opcode ID: a6b69ad884260e6fe1279f533801e44a3f4ab40c8d68d46f95a94baddbe35e48
                                            • Instruction ID: 629e363ae452715e4872db6da9b6f1349ee8222f95c2eceb5ad296e4585bfe0f
                                            • Opcode Fuzzy Hash: a6b69ad884260e6fe1279f533801e44a3f4ab40c8d68d46f95a94baddbe35e48
                                            • Instruction Fuzzy Hash: E7318CB5100605AFDB14CF05C984B56FBF8FF09724F10422EE81A9BA90DB79E919CB98
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 00445E69
                                              • Part of subcall function 0043B19F: _memset.LIBCMT ref: 0043B1C8
                                              • Part of subcall function 004090B1: __EH_prolog3_GS.LIBCMT ref: 004090B8
                                              • Part of subcall function 0040B51F: __EH_prolog3_GS.LIBCMT ref: 0040B529
                                              • Part of subcall function 0040B51F: GetModuleHandleW.KERNEL32(KERNEL32.DLL,00000274,0043AD95,?,00000000), ref: 0040B54C
                                              • Part of subcall function 0040B51F: GetProcAddress.KERNEL32(00000000,GetSystemWindowsDirectoryW), ref: 0040B560
                                              • Part of subcall function 00408E82: __EH_prolog3.LIBCMT ref: 00408E89
                                              • Part of subcall function 00408E82: GetLastError.KERNEL32(00000004,00409E1B,004C2FA0,00000000,0043A706,?,?,00000001), ref: 00408EAB
                                              • Part of subcall function 00408E82: SetLastError.KERNEL32(?,00000000), ref: 00408EE3
                                              • Part of subcall function 0040B91E: __EH_prolog3_GS.LIBCMT ref: 0040B925
                                            Strings
                                            Similarity
                                            • API ID: H_prolog3_$ErrorLast$AddressH_prolog3HandleModuleProc_memset
                                            • String ID: @/L$Kernel32.dll$Z$d]K
                                            • API String ID: 1928657999-3552983298
                                            • Opcode ID: 19acca324db21ccbd1ba635798ccbd968111daec21f8e43c2c9d8be41a5d15ce
                                            • Instruction ID: cf6786969702b16d9ab89bc759fdb6fa891230425e7a63acc45e68e3e3330f35
                                            • Opcode Fuzzy Hash: 19acca324db21ccbd1ba635798ccbd968111daec21f8e43c2c9d8be41a5d15ce
                                            • Instruction Fuzzy Hash: BE21A03180021C9EDB54EBA1CC92BDD7378AF11348F5080EEE649A7192DFB85B8DCB59
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 0042E63F
                                              • Part of subcall function 0042A559: __EH_prolog3_GS.LIBCMT ref: 0042A560
                                              • Part of subcall function 004053A0: GetLastError.KERNEL32(2E932D87,?,?,?,?,004AC278,000000FF), ref: 004053E2
                                              • Part of subcall function 004053A0: SetLastError.KERNEL32(?,00000000,00000000,000000FF,?,?,?,?,004AC278,000000FF), ref: 0040543E
                                              • Part of subcall function 00401AC0: GetLastError.KERNEL32(?,?,0040E566), ref: 00401ACF
                                              • Part of subcall function 00401AC0: SysFreeString.OLEAUT32(?), ref: 00401AEB
                                              • Part of subcall function 00401AC0: SysFreeString.OLEAUT32(?), ref: 00401AF6
                                              • Part of subcall function 00401AC0: SetLastError.KERNEL32(?), ref: 00401B14
                                            Strings
                                            Similarity
                                            • API ID: ErrorLast$FreeH_prolog3_String
                                            • String ID: P/L$P/L$T4L$T4L
                                            • API String ID: 2608676048-673155060
                                            • Opcode ID: 34769bdbd17288f9b187b0de44e4f3ee3bbee69823220b28ae765076dae3336f
                                            • Instruction ID: 41ab91050ac571f607761228635aadb25f44560ff2b13d81e0a4351a069aad8b
                                            • Opcode Fuzzy Hash: 34769bdbd17288f9b187b0de44e4f3ee3bbee69823220b28ae765076dae3336f
                                            • Instruction Fuzzy Hash: 5E210A75E00219DFCB18EFAAD881ADDBBB4FF48304F60812EE415A7242DB749944CF58
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 00411850
                                            • IsWindow.USER32(?), ref: 0041186C
                                              • Part of subcall function 00404200: GetLastError.KERNEL32 ref: 0040421F
                                              • Part of subcall function 00404200: SetLastError.KERNEL32(?), ref: 0040424F
                                            • SendMessageW.USER32(?,00001074,?,?), ref: 00411911
                                            • SendMessageW.USER32(?,0000101E,00000000,000000FE), ref: 0041191C
                                              • Part of subcall function 0040D268: __EH_prolog3_GS.LIBCMT ref: 0040D272
                                              • Part of subcall function 00401B80: GetLastError.KERNEL32(?,00000000,00409F66,00000000,?,00000000,?,00000001,00000048,00409E02,004C2FA0,?,00000000,00000000,0000003C,00409181), ref: 00401B8F
                                              • Part of subcall function 00401B80: SysFreeString.OLEAUT32(00000000), ref: 00401BAB
                                              • Part of subcall function 00401B80: SysFreeString.OLEAUT32(0000002C), ref: 00401BB6
                                              • Part of subcall function 00401B80: SetLastError.KERNEL32(?), ref: 00401BD4
                                            Strings
                                            Similarity
                                            • API ID: ErrorLast$FreeH_prolog3_MessageSendString$Window
                                            • String ID: @/L
                                            • API String ID: 2791905285-3803013380
                                            • Opcode ID: 3cedaffb465134b779036b10a0e75ce7b998d30634b62b3286c912cf0eed8af3
                                            • Instruction ID: 12518d9f41e52af1591d8649f7039d0d8875e44d4071d6e35b2d9060ab8ff554
                                            • Opcode Fuzzy Hash: 3cedaffb465134b779036b10a0e75ce7b998d30634b62b3286c912cf0eed8af3
                                            • Instruction Fuzzy Hash: A8218374D00218EBCB20EFA1CC81ADEBB78AF59314F10416FE915A3291DB749985CB64
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 00410762
                                              • Part of subcall function 00403F50: GetLastError.KERNEL32 ref: 00403F6F
                                              • Part of subcall function 00403F50: SetLastError.KERNEL32(?), ref: 00403F9F
                                              • Part of subcall function 0040D268: __EH_prolog3_GS.LIBCMT ref: 0040D272
                                            • GetDlgItem.USER32(?,00000009), ref: 0041080E
                                            • EnableWindow.USER32(00000000), ref: 00410815
                                            Strings
                                            Similarity
                                            • API ID: ErrorH_prolog3_Last$EnableItemWindow
                                            • String ID: P/L$T4L
                                            • API String ID: 3351711136-1441100843
                                            • Opcode ID: 80099bf43ed76395b9d3c0e38b4b1092d2807debf15ad943e91290ebf2f91982
                                            • Instruction ID: 92aafb0a12a64cd0c720c3678079f4b25f9e2631f54a8c95f635e59e36f6dbd3
                                            • Opcode Fuzzy Hash: 80099bf43ed76395b9d3c0e38b4b1092d2807debf15ad943e91290ebf2f91982
                                            • Instruction Fuzzy Hash: F021C870901104DFCB08EBE4D855ADE77B8AB19308F14406FE101A7292DB789949CBAD
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetPropW.USER32(?,This), ref: 004390F9
                                            • GetWindowLongW.USER32(?,000000F4), ref: 0043913B
                                            • GetSysColor.USER32(00000005), ref: 0043915C
                                            • SetBkColor.GDI32(?,00000000), ref: 00439166
                                            • SetPropW.USER32(?,This,?), ref: 004391D8
                                            • RemovePropW.USER32(?,This), ref: 004391FD
                                            • DefWindowProcW.USER32(?,?,?,?), ref: 0043920F
                                            Strings
                                            Similarity
                                            • API ID: Prop$ColorWindow$LongProcRemove
                                            • String ID: This
                                            • API String ID: 1744480154-1591487769
                                            • Opcode ID: 6daab33f45359e3d3e223e2fa8aa0b52895a46a2103faf114659f214a8c6f608
                                            • Instruction ID: 7e6c8b6f070356f6548fe97aad1e5ffc2959d9617391469b22c43f7681fd9779
                                            • Opcode Fuzzy Hash: 6daab33f45359e3d3e223e2fa8aa0b52895a46a2103faf114659f214a8c6f608
                                            • Instruction Fuzzy Hash: 5701A2391045067BEF285F59DD4C9773B28EB0E321F14191BF926E27E18AB99C408A28
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • ___BuildCatchObject.LIBCMT ref: 004655E3
                                              • Part of subcall function 00465CC5: ___BuildCatchObjectHelper.LIBCMT ref: 00465CF7
                                              • Part of subcall function 00465CC5: ___AdjustPointer.LIBCMT ref: 00465D0E
                                            • _UnwindNestedFrames.LIBCMT ref: 004655FA
                                            • ___FrameUnwindToState.LIBCMT ref: 0046560C
                                            • CallCatchBlock.LIBCMT ref: 00465630
                                            Strings
                                            Similarity
                                            • API ID: Catch$BuildObjectUnwind$AdjustBlockCallFrameFramesHelperNestedPointerState
                                            • String ID: .ZF
                                            • API String ID: 2901542994-309977987
                                            • Opcode ID: 2f1fa3ba8d70241b2f2e5c4a20c78a85ef59c472543cd984938a00c080775d32
                                            • Instruction ID: 9df4bb594ba8ab9e53586d2ba8fc2de2e45928ed4bf921fec758b8966dfb1063
                                            • Opcode Fuzzy Hash: 2f1fa3ba8d70241b2f2e5c4a20c78a85ef59c472543cd984938a00c080775d32
                                            • Instruction Fuzzy Hash: 58016D32000509BBCF129F55CC05EDA3B76FF48754F00401AF91861121D739E561DF99
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 00415C72
                                            • __ltow_s.LIBCMT ref: 00415CAA
                                            • SetLastError.KERNEL32(00000000,?,00000000,00000001), ref: 00415CD9
                                            Strings
                                            Similarity
                                            • API ID: ErrorH_prolog3_Last__ltow_s
                                            • String ID: T4L$T4L
                                            • API String ID: 2344196725-3367740000
                                            • Opcode ID: ce8571a7f45c33a6dc205b5f7dfbe96753ea443827b73530ae3ad932b8f79a73
                                            • Instruction ID: 75c9b1489ebe3ba8daf5c5e16b76b1339e5cbcf910cdae0d049cc33581855a00
                                            • Opcode Fuzzy Hash: ce8571a7f45c33a6dc205b5f7dfbe96753ea443827b73530ae3ad932b8f79a73
                                            • Instruction Fuzzy Hash: 6801B175800208EBDB11EF91C841DDEBBB9EF48318F04411EF9156B241DB799648CB98
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetModuleHandleW.KERNEL32(Advapi32.dll), ref: 00419956
                                            • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00419966
                                              • Part of subcall function 0041FFBE: GetModuleHandleW.KERNEL32(Advapi32.dll,?,?,?,00419946,?,?), ref: 0041FFD0
                                              • Part of subcall function 0041FFBE: GetProcAddress.KERNEL32(00000000,RegDeleteKeyTransactedW), ref: 0041FFE0
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2441700723.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441790678.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441825034.00000000004D7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.00000000004DC000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000509000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000519000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: AddressHandleModuleProc
                                            • String ID: Advapi32.dll$RegDeleteKeyExW
                                            • API String ID: 1646373207-2191092095
                                            • Opcode ID: 98a83dec90ec41d81bd412a0a98b450627653b02796f9c1216922e5379c6364e
                                            • Instruction ID: 902e33575af748e3db428ed96261716dfc2668b29adcdf146d10b84daccf405a
                                            • Opcode Fuzzy Hash: 98a83dec90ec41d81bd412a0a98b450627653b02796f9c1216922e5379c6364e
                                            • Instruction Fuzzy Hash: CB01A274225204EBDF214F52EC51BD57FA4EB05740B10003FF446D6360C6B68CC19B9E
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetLastError.KERNEL32 ref: 004AD033
                                            • SysFreeString.OLEAUT32 ref: 004AD04F
                                            • SysFreeString.OLEAUT32(00000000), ref: 004AD082
                                            • SetLastError.KERNEL32(00000000), ref: 004AD0B2
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2441700723.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441790678.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441825034.00000000004D7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.00000000004DC000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000509000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000519000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: ErrorFreeLastString
                                            • String ID: @/L
                                            • API String ID: 3822639702-3803013380
                                            • Opcode ID: bc9d888e813814a8b604d3ef3019b5dff5942de5106ead92d7a24d24495f09ed
                                            • Instruction ID: 2f33e07fc9b6c7b70261af2d5168667edc93356a4bb56aae989d04b228a06726
                                            • Opcode Fuzzy Hash: bc9d888e813814a8b604d3ef3019b5dff5942de5106ead92d7a24d24495f09ed
                                            • Instruction Fuzzy Hash: B1015A7141A010DFCB04AF65EC49A887BE8FB09319B41417BE805E3273DB366C26CB5D
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 00451DAA
                                            • SetFileAttributesW.KERNEL32(0000000E,?,00000084,00451154,00000000,00000000,?,80000000,00000001,00000080,00000001,00000000,00000000), ref: 00451DC1
                                            • __CxxThrowException@8.LIBCMT ref: 00451E04
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2441700723.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441790678.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441825034.00000000004D7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.00000000004DC000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000509000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000519000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: AttributesException@8FileH_prolog3_Throw
                                            • String ID: dJ$lJ
                                            • API String ID: 5089079-817211891
                                            • Opcode ID: 1a5a182d45d9370a403e0012f71ac5e843f08d65a5b162f5b6d2234409c175af
                                            • Instruction ID: 58dc865b074bbdbfdd0d69d1d0f7c95722a4cb58a5495478cdf2ccf39dcc0725
                                            • Opcode Fuzzy Hash: 1a5a182d45d9370a403e0012f71ac5e843f08d65a5b162f5b6d2234409c175af
                                            • Instruction Fuzzy Hash: 7CF0E7B5910218EBCB00EF92C849B9E7778FF1130AF40405AE915AB152DB78AA48CB99
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 00450E9B
                                            • GetFileAttributesW.KERNEL32(00000000,00000084,00451BE3,?,000002E0,0048B00C,?,00000001), ref: 00450EAF
                                            • __CxxThrowException@8.LIBCMT ref: 00450EF4
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2441700723.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441790678.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441825034.00000000004D7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.00000000004DC000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000509000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000519000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: AttributesException@8FileH_prolog3_Throw
                                            • String ID: dJ$lJ
                                            • API String ID: 5089079-817211891
                                            • Opcode ID: b6937180b8a45b4674d69da4b71e9fe98ecc86c9883427c513f0f06cf72d3c29
                                            • Instruction ID: ffae53588641cf7c41be7d381b956b5c16ae4c834ca872dedd5057a05e3e7f97
                                            • Opcode Fuzzy Hash: b6937180b8a45b4674d69da4b71e9fe98ecc86c9883427c513f0f06cf72d3c29
                                            • Instruction Fuzzy Hash: C2F06DB0810208DBCB10EBA1CC4AB9E7778BF11319F60459AE554A7192DB78AA48CB98
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,?,?,?,0044A209), ref: 0044A313
                                            • GetProcAddress.KERNEL32(00000000), ref: 0044A31A
                                            • GetCurrentProcess.KERNEL32(00000000,?,?,?,0044A209), ref: 0044A32A
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2441700723.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441790678.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441825034.00000000004D7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.00000000004DC000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000509000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000519000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: AddressCurrentHandleModuleProcProcess
                                            • String ID: IsWow64Process$kernel32
                                            • API String ID: 4190356694-3789238822
                                            • Opcode ID: cd45caf602d2a6247137919ef74e8e603cd873b69f0d460b58ffe72d33558a16
                                            • Instruction ID: 3aa68ca420b248d80ddc3eaab1b136185529c8bbfc48f43d21bb5d53c2e2ea19
                                            • Opcode Fuzzy Hash: cd45caf602d2a6247137919ef74e8e603cd873b69f0d460b58ffe72d33558a16
                                            • Instruction Fuzzy Hash: 89E04F72C52328ABDF109BF19D0DBCE7AACAB05752B114966A801E7140D67899008BA8
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • CharNextW.USER32(?,?,00000000,?,?,?,?,004180FA,?,2E932D87,?,?,?,?,?,004A2661), ref: 0041D128
                                            • CharNextW.USER32(?,?,?,00000000,?,?,?,?,004180FA,?,2E932D87), ref: 0041D1AE
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2441700723.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441790678.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441825034.00000000004D7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.00000000004DC000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000509000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000519000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: CharNext
                                            • String ID:
                                            • API String ID: 3213498283-0
                                            • Opcode ID: e90fe34de0c56ef539260235f840a89aeb828c0f6892347de83d64bf835d2955
                                            • Instruction ID: 5b03f7e7b6dc4165ddfde88aad88aea70e2b03ac8d79821d352ebacc75d9c403
                                            • Opcode Fuzzy Hash: e90fe34de0c56ef539260235f840a89aeb828c0f6892347de83d64bf835d2955
                                            • Instruction Fuzzy Hash: AB41D6B5A00206EFCB108F68C8845AAB7F5FF683457A4456FE985D7304E7789D80CB58
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetLastError.KERNEL32(2E932D87,753CE860), ref: 00480F9C
                                            • SetLastError.KERNEL32(004C2F90,00000000,00000000,000000FF), ref: 00480FFC
                                            • GetLastError.KERNEL32(00000000,00000000,000000FF), ref: 0048102A
                                            • SetLastError.KERNEL32(?,?,00000000,000000FF), ref: 00481078
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2441700723.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441790678.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441825034.00000000004D7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.00000000004DC000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000509000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000519000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: ErrorLast
                                            • String ID: l4L
                                            • API String ID: 1452528299-2060195098
                                            • Opcode ID: b5973da97ed9c19e7ef98f98cf0b86ecd60b36868eb3a0694684b92734cdff23
                                            • Instruction ID: f820ac7b94b0dd66d1845ddc3e8f71694ff784bb10c4c77703a22b291f2c1c09
                                            • Opcode Fuzzy Hash: b5973da97ed9c19e7ef98f98cf0b86ecd60b36868eb3a0694684b92734cdff23
                                            • Instruction Fuzzy Hash: CD414E759002089FDB10DF95C954B9EBBB4FF48328F20462EE815A7790DBB9A905CF98
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • _malloc.LIBCMT ref: 0046A8E2
                                              • Part of subcall function 0045D6BB: __FF_MSGBANNER.LIBCMT ref: 0045D6D2
                                              • Part of subcall function 0045D6BB: __NMSG_WRITE.LIBCMT ref: 0045D6D9
                                              • Part of subcall function 0045D6BB: RtlAllocateHeap.NTDLL(00850000,00000000,00000001,00000000,?,00000000,?,00469FAC,00000008,00000008,00000008,?,?,00463326,00000018,004D1140), ref: 0045D6FE
                                            • _free.LIBCMT ref: 0046A8F5
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2441700723.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441790678.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441825034.00000000004D7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.00000000004DC000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000509000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000519000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: AllocateHeap_free_malloc
                                            • String ID:
                                            • API String ID: 1020059152-0
                                            • Opcode ID: 220bedd117adfc024dcfa8f4f7cdc1ccc7371f18159f582d72fedfa87c4aa4f6
                                            • Instruction ID: bacc400861e2c67f57d531eabac997b1c2955910872e5d050c8d85f79984949e
                                            • Opcode Fuzzy Hash: 220bedd117adfc024dcfa8f4f7cdc1ccc7371f18159f582d72fedfa87c4aa4f6
                                            • Instruction Fuzzy Hash: F3119872901715ABCB313F76A80565A37949F00369B21493BF845A6252FA3CC8698A9F
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004142EF
                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004142FD
                                            • GetTickCount.KERNEL32 ref: 00414307
                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00414326
                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0041434F
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2441700723.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441790678.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441825034.00000000004D7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.00000000004DC000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000509000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000519000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$CountTick
                                            • String ID:
                                            • API String ID: 404621862-0
                                            • Opcode ID: f4bc687d1110c110fb7360082256821c0f0a303b3c03fa378aa55a52a6154090
                                            • Instruction ID: 2883a0e806b46b5af5fe376a5d6804c938433d3231752d4f6cc73808c672cf93
                                            • Opcode Fuzzy Hash: f4bc687d1110c110fb7360082256821c0f0a303b3c03fa378aa55a52a6154090
                                            • Instruction Fuzzy Hash: D0215871200305AFEB258F25C881F6B77B9EF84715F10461EA9128B2A1C739AC55CBA4
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3.LIBCMT ref: 00415DA4
                                            • GetLastError.KERNEL32(00000004,00416E97,?,?,?,00000000), ref: 00415DCC
                                            • SetLastError.KERNEL32(00000000), ref: 00415DF1
                                            • SysStringLen.OLEAUT32(00000000), ref: 00415E0E
                                            • SetLastError.KERNEL32(?,00000000,00000000,00000001), ref: 00415E3A
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2441700723.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441790678.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441825034.00000000004D7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.00000000004DC000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000509000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000519000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: ErrorLast$H_prolog3String
                                            • String ID:
                                            • API String ID: 2160793888-0
                                            • Opcode ID: d517fdbc2243c532d8e67b05f02769ec25b5c23ea0d15799a9168d4e0643caa1
                                            • Instruction ID: 396adce6e6fbb270940b12cd01ddca4a5a44da954095b05863c7fa30c8363c18
                                            • Opcode Fuzzy Hash: d517fdbc2243c532d8e67b05f02769ec25b5c23ea0d15799a9168d4e0643caa1
                                            • Instruction Fuzzy Hash: C3216A75600606DFCB00DF25C948B9ABBB5FF84325F04C65AEC14973A2CBB4E960CB94
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                              • Part of subcall function 00464D84: __getptd_noexit.LIBCMT ref: 00464D85
                                            • __calloc_crt.LIBCMT ref: 00462332
                                              • Part of subcall function 00469F4C: __calloc_impl.LIBCMT ref: 00469F5B
                                              • Part of subcall function 00469F4C: Sleep.KERNEL32(00000000,?,00464DC4,00000001,000003BC), ref: 00469F72
                                            • __lock.LIBCMT ref: 00462368
                                            • ___addlocaleref.LIBCMT ref: 00462374
                                            • __lock.LIBCMT ref: 00462388
                                            • InterlockedIncrement.KERNEL32(?), ref: 00462398
                                              • Part of subcall function 0045D506: __getptd_noexit.LIBCMT ref: 0045D506
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2441700723.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441790678.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441825034.00000000004D7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.00000000004DC000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000509000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000519000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: __getptd_noexit__lock$IncrementInterlockedSleep___addlocaleref__calloc_crt__calloc_impl
                                            • String ID:
                                            • API String ID: 1863923389-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetLastError.KERNEL32(?,0049569A,2E932D87), ref: 004951A0
                                            • SetLastError.KERNEL32(?), ref: 004951D0
                                            • GetLastError.KERNEL32 ref: 004951E4
                                            • SetLastError.KERNEL32(?), ref: 00495214
                                            Strings
                                            Similarity
                                            • API ID: ErrorLast
                                            • String ID: x/L
                                            • API String ID: 1452528299-3369456940
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 00449C73
                                              • Part of subcall function 00408E82: __EH_prolog3.LIBCMT ref: 00408E89
                                              • Part of subcall function 00408E82: GetLastError.KERNEL32(00000004,00409E1B,004C2FA0,00000000,0043A706,?,?,00000001), ref: 00408EAB
                                              • Part of subcall function 00408E82: SetLastError.KERNEL32(?,00000000), ref: 00408EE3
                                              • Part of subcall function 00433E81: __EH_prolog3_GS.LIBCMT ref: 00433E88
                                              • Part of subcall function 00408EF3: __EH_prolog3.LIBCMT ref: 00408EFA
                                              • Part of subcall function 00408EF3: GetLastError.KERNEL32(00000004,0040AAE9,?,004492B4,00000098,?,00000000,?,?,?,0040A496,004C2FA0,00000000,00000002,0000003A,00000001), ref: 00408F1C
                                              • Part of subcall function 00408EF3: SetLastError.KERNEL32(?,00000000,004492B4,00000098,00000000,?,004492B4,00000098,?,00000000,?,?,?,0040A496,004C2FA0,00000000), ref: 00408F5D
                                              • Part of subcall function 00413C81: __EH_prolog3_GS.LIBCMT ref: 00413C88
                                              • Part of subcall function 00401B80: GetLastError.KERNEL32(?,00000000,00409F66,00000000,?,00000000,?,00000001,00000048,00409E02,004C2FA0,?,00000000,00000000,0000003C,00409181), ref: 00401B8F
                                              • Part of subcall function 00401B80: SysFreeString.OLEAUT32(00000000), ref: 00401BAB
                                              • Part of subcall function 00401B80: SysFreeString.OLEAUT32(0000002C), ref: 00401BB6
                                              • Part of subcall function 00401B80: SetLastError.KERNEL32(?), ref: 00401BD4
                                            Strings
                                            Similarity
                                            • API ID: ErrorLast$H_prolog3_$FreeH_prolog3String
                                            • String ID: @/L$@/L$@/L
                                            • API String ID: 888054269-1531812684
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Strings
                                            Similarity
                                            • API ID: ErrorH_prolog3_Last
                                            • String ID: @/L$@/L
                                            • API String ID: 1018228973-2149722323
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Strings
                                            Similarity
                                            • API ID: __wcsnicmp
                                            • String ID: .bmp$.gif
                                            • API String ID: 1038674560-4134359634
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3.LIBCMT ref: 004421C6
                                              • Part of subcall function 00408E82: __EH_prolog3.LIBCMT ref: 00408E89
                                              • Part of subcall function 00408E82: GetLastError.KERNEL32(00000004,00409E1B,004C2FA0,00000000,0043A706,?,?,00000001), ref: 00408EAB
                                              • Part of subcall function 00408E82: SetLastError.KERNEL32(?,00000000), ref: 00408EE3
                                              • Part of subcall function 00441E34: __EH_prolog3_GS.LIBCMT ref: 00441E3E
                                            Strings
                                            Similarity
                                            • API ID: ErrorH_prolog3Last$H_prolog3_
                                            • String ID: *.*$@/L$@/L
                                            • API String ID: 2324316964-697157344
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 004140DA
                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00414258
                                            Strings
                                            Similarity
                                            • API ID: H_prolog3_Unothrow_t@std@@@__ehfuncinfo$??2@
                                            • String ID: @/L$@/L
                                            • API String ID: 2661724416-2149722323
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 004248AF
                                              • Part of subcall function 00415AF8: __EH_prolog3_GS.LIBCMT ref: 00415AFF
                                              • Part of subcall function 00415AF8: GetLastError.KERNEL32(0000003C,00487419,?,?,00000001,?,?,?,?,?,?,?,?,?,00000000), ref: 00415B2A
                                              • Part of subcall function 00415AF8: SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 00415B5B
                                            Strings
                                            Similarity
                                            • API ID: ErrorH_prolog3_Last
                                            • String ID: @/L$@/L$@/L
                                            • API String ID: 1018228973-1531812684
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 0044145E
                                            • GetLastError.KERNEL32 ref: 00441519
                                              • Part of subcall function 00408E82: __EH_prolog3.LIBCMT ref: 00408E89
                                              • Part of subcall function 00408E82: GetLastError.KERNEL32(00000004,00409E1B,004C2FA0,00000000,0043A706,?,?,00000001), ref: 00408EAB
                                              • Part of subcall function 00408E82: SetLastError.KERNEL32(?,00000000), ref: 00408EE3
                                              • Part of subcall function 00441E34: __EH_prolog3_GS.LIBCMT ref: 00441E3E
                                              • Part of subcall function 0044238A: __EH_prolog3.LIBCMT ref: 00442391
                                            Strings
                                            Similarity
                                            • API ID: ErrorLast$H_prolog3H_prolog3_
                                            • String ID: @/L$@/L
                                            • API String ID: 852442433-2149722323
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 004494EB
                                              • Part of subcall function 00404200: GetLastError.KERNEL32 ref: 0040421F
                                              • Part of subcall function 00404200: SetLastError.KERNEL32(?), ref: 0040424F
                                              • Part of subcall function 00446730: FindResourceExW.KERNEL32(?,00000006,?,?,?,00000000,?,?,0040D4B6,004C2FA0,?,00000002,?), ref: 0044674F
                                            • SetDlgItemTextW.USER32(?,?,?), ref: 004495F1
                                            Strings
                                            Similarity
                                            • API ID: ErrorLast$FindH_prolog3_ItemResourceText
                                            • String ID: @/L$@/L
                                            • API String ID: 3193201603-2149722323
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3.LIBCMT ref: 004411E8
                                              • Part of subcall function 00408E82: __EH_prolog3.LIBCMT ref: 00408E89
                                              • Part of subcall function 00408E82: GetLastError.KERNEL32(00000004,00409E1B,004C2FA0,00000000,0043A706,?,?,00000001), ref: 00408EAB
                                              • Part of subcall function 00408E82: SetLastError.KERNEL32(?,00000000), ref: 00408EE3
                                              • Part of subcall function 004470DB: __EH_prolog3.LIBCMT ref: 004470E2
                                            • GetLastError.KERNEL32 ref: 00441246
                                              • Part of subcall function 004496BE: __EH_prolog3.LIBCMT ref: 004496C5
                                            Strings
                                            Similarity
                                            • API ID: H_prolog3$ErrorLast
                                            • String ID: @/L$@/L
                                            • API String ID: 1123136255-2149722323
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3_catch_GS.LIBCMT ref: 0040CBA9
                                            Strings
                                            Similarity
                                            • API ID: H_prolog3_catch_
                                            • String ID: @/L$@/L$@/L
                                            • API String ID: 1329019490-1531812684
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 0044820B
                                              • Part of subcall function 00408E82: __EH_prolog3.LIBCMT ref: 00408E89
                                              • Part of subcall function 00408E82: GetLastError.KERNEL32(00000004,00409E1B,004C2FA0,00000000,0043A706,?,?,00000001), ref: 00408EAB
                                              • Part of subcall function 00408E82: SetLastError.KERNEL32(?,00000000), ref: 00408EE3
                                              • Part of subcall function 004496BE: __EH_prolog3.LIBCMT ref: 004496C5
                                              • Part of subcall function 0043EA24: __EH_prolog3.LIBCMT ref: 0043EA2B
                                            • GetLastError.KERNEL32(00000000,?), ref: 00448336
                                              • Part of subcall function 00456844: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00456862
                                              • Part of subcall function 0043F4EF: __EH_prolog3_GS.LIBCMT ref: 0043F4F6
                                              • Part of subcall function 00401B80: GetLastError.KERNEL32(?,00000000,00409F66,00000000,?,00000000,?,00000001,00000048,00409E02,004C2FA0,?,00000000,00000000,0000003C,00409181), ref: 00401B8F
                                              • Part of subcall function 00401B80: SysFreeString.OLEAUT32(00000000), ref: 00401BAB
                                              • Part of subcall function 00401B80: SysFreeString.OLEAUT32(0000002C), ref: 00401BB6
                                              • Part of subcall function 00401B80: SetLastError.KERNEL32(?), ref: 00401BD4
                                              • Part of subcall function 0045694B: __EH_prolog3.LIBCMT ref: 00456952
                                            Strings
                                            Similarity
                                            • API ID: ErrorLast$H_prolog3$FreeH_prolog3_String$CreateFile
                                            • String ID: @/L$MODULEPATH
                                            • API String ID: 2148655774-1165621402
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3.LIBCMT ref: 00452656
                                              • Part of subcall function 00452135: __EH_prolog3.LIBCMT ref: 0045213C
                                              • Part of subcall function 00452135: GetLastError.KERNEL32(00000004,00452674,00000004,00000001,0000003C,00452BE2,?,00000000,00000000,00000000,00452D7F,00000000,00000001), ref: 00452164
                                              • Part of subcall function 00452135: SetLastError.KERNEL32(00000008,00000000,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00452190
                                            • _Find_unchecked1.LIBCPMT ref: 0045269B
                                            • SysStringLen.OLEAUT32(004522F2), ref: 0045274C
                                            Strings
                                            Similarity
                                            • API ID: ErrorH_prolog3Last$Find_unchecked1String
                                            • String ID: ;
                                            • API String ID: 637338078-1661535913
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 0041490F
                                            • CreateDialogIndirectParamW.USER32(?,00000000,?,?,?), ref: 00414A10
                                            Strings
                                            Similarity
                                            • API ID: CreateDialogH_prolog3_IndirectParam
                                            • String ID: @/L$MS Sans Serif
                                            • API String ID: 2249790658-1405392024
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 0040D588
                                            • DialogBoxIndirectParamW.USER32(?,00000000,?,?,?), ref: 0040D67E
                                            Strings
                                            Similarity
                                            • API ID: DialogH_prolog3_IndirectParam
                                            • String ID: @/L$MS Sans Serif
                                            • API String ID: 1500191164-1405392024
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 0040A3FB
                                              • Part of subcall function 00404200: GetLastError.KERNEL32 ref: 0040421F
                                              • Part of subcall function 00404200: SetLastError.KERNEL32(?), ref: 0040424F
                                            Strings
                                            Similarity
                                            • API ID: ErrorLast$H_prolog3_
                                            • String ID: @/L$@/L$\
                                            • API String ID: 3339191932-1296846978
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 00448909
                                              • Part of subcall function 004018F0: GetModuleHandleW.KERNEL32(Advapi32.dll), ref: 00401914
                                              • Part of subcall function 004018F0: RegCloseKey.ADVAPI32(00000000), ref: 00401977
                                              • Part of subcall function 00404200: GetLastError.KERNEL32 ref: 0040421F
                                              • Part of subcall function 00404200: SetLastError.KERNEL32(?), ref: 0040424F
                                              • Part of subcall function 0040A0F0: SysStringLen.OLEAUT32(?), ref: 0040A0FD
                                              • Part of subcall function 0040A0F0: SysReAllocStringLen.OLEAUT32(?,00000001,?), ref: 0040A117
                                            • RegEnumValueW.ADVAPI32(@/L,00000000,00000000,?,00000000,00000000,00000000,00000000,?,00000105,00000058,0044855C,?), ref: 004489A2
                                              • Part of subcall function 00409574: __EH_prolog3_GS.LIBCMT ref: 0040957B
                                              • Part of subcall function 00409574: GetLastError.KERNEL32(00000038,0040DDFB,004492A1,?,004AFFA0), ref: 00409582
                                              • Part of subcall function 00409574: SetLastError.KERNEL32(00000000), ref: 004095D6
                                            Strings
                                            Similarity
                                            • API ID: ErrorLast$H_prolog3_String$AllocCloseEnumHandleModuleValue
                                            • String ID: @/L$@/L
                                            • API String ID: 705673673-2149722323
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 0045016A
                                              • Part of subcall function 00416A04: __EH_prolog3.LIBCMT ref: 00416A0B
                                              • Part of subcall function 00416A04: InterlockedIncrement.KERNEL32(004D9B10), ref: 00416A9F
                                              • Part of subcall function 0044F463: _memset.LIBCMT ref: 0044F47A
                                            • lstrcmpA.KERNEL32(?,00000000,?,?,?,?,00000000,80400100,rrs,00007530,00000000,00000000,00000000,00000000,000000B4), ref: 00450217
                                              • Part of subcall function 0044F4A5: WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,?,?,00000000,00000000), ref: 0044F4C9
                                            Strings
                                            Similarity
                                            • API ID: ByteCharH_prolog3H_prolog3_IncrementInterlockedMultiWide_memsetlstrcmp
                                            • String ID: D$rrs
                                            • API String ID: 961569304-3346118193
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 00438056
                                              • Part of subcall function 0040D268: __EH_prolog3_GS.LIBCMT ref: 0040D272
                                            • SendMessageW.USER32(?,00001061,00000000,00000007), ref: 004380BC
                                              • Part of subcall function 00401B80: GetLastError.KERNEL32(?,00000000,00409F66,00000000,?,00000000,?,00000001,00000048,00409E02,004C2FA0,?,00000000,00000000,0000003C,00409181), ref: 00401B8F
                                              • Part of subcall function 00401B80: SysFreeString.OLEAUT32(00000000), ref: 00401BAB
                                              • Part of subcall function 00401B80: SysFreeString.OLEAUT32(0000002C), ref: 00401BB6
                                              • Part of subcall function 00401B80: SetLastError.KERNEL32(?), ref: 00401BD4
                                            • SendMessageW.USER32(?,00001061,00000001,00000007), ref: 00438130
                                            Strings
                                            Similarity
                                            • API ID: ErrorFreeH_prolog3_LastMessageSendString
                                            • String ID: d
                                            • API String ID: 2693188226-2564639436
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • _memset.LIBCMT ref: 00495037
                                            • _memset.LIBCMT ref: 00495044
                                              • Part of subcall function 0049A110: GetDC.USER32(?), ref: 0049A119
                                              • Part of subcall function 0049A110: GetDeviceCaps.GDI32(00000000,0000000C), ref: 0049A12A
                                              • Part of subcall function 0049A110: GetDeviceCaps.GDI32(00000000,0000000E), ref: 0049A131
                                              • Part of subcall function 0049A110: ReleaseDC.USER32(?,00000000), ref: 0049A139
                                            Strings
                                            Similarity
                                            • API ID: CapsDevice_memset$Release
                                            • String ID: d$d
                                            • API String ID: 2582967517-195624457
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00485645
                                              • Part of subcall function 0040B827: __EH_prolog3.LIBCMT ref: 0040B82E
                                              • Part of subcall function 0040B827: GetLastError.KERNEL32(00000004,00416939,00000008,004238F4,dJ,00000001,?,00000000), ref: 0040B847
                                            • __CxxThrowException@8.LIBCMT ref: 00485666
                                              • Part of subcall function 0045A466: RaiseException.KERNEL32(?,?,00459FCC,00000000,?,?,?,?,00459FCC,00000000,004D0E78,?), ref: 0045A4B7
                                            Strings
                                            Similarity
                                            • API ID: DirectoryErrorExceptionException@8H_prolog3LastRaiseSystemThrow
                                            • String ID: dJ$lJ
                                            • API String ID: 2288906325-817211891
                                            • Opcode ID: f79db7bb528015d6b8d7cdc9d10a8cd1d78b0dfc3e3fb013d10bf4576eda0776
                                            • Instruction ID: 04f0ae1ddffe1d4c74c414f1cdde0518e1659f42c00016f295f9005a1c702405
                                            • Opcode Fuzzy Hash: f79db7bb528015d6b8d7cdc9d10a8cd1d78b0dfc3e3fb013d10bf4576eda0776
                                            • Instruction Fuzzy Hash: 2E2163719042189ACB50EF95CC89BDEB7B8EB08714F4042ABF419A3290DF785A84CB98
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 0043C304
                                              • Part of subcall function 00408E82: __EH_prolog3.LIBCMT ref: 00408E89
                                              • Part of subcall function 00408E82: GetLastError.KERNEL32(00000004,00409E1B,004C2FA0,00000000,0043A706,?,?,00000001), ref: 00408EAB
                                              • Part of subcall function 00408E82: SetLastError.KERNEL32(?,00000000), ref: 00408EE3
                                            Strings
                                            Similarity
                                            • API ID: ErrorLast$H_prolog3H_prolog3_
                                            • String ID: $dJ$lJ
                                            • API String ID: 852442433-4228904431
                                            • Opcode ID: 3f0a4861da36dd5a40cbf06b983f3560b0091071b80d416a95a953627830e5ed
                                            • Instruction ID: cccd1857e250a2a10cb6b794379f302050849049fab3bff43cad3f7dbb8eaa59
                                            • Opcode Fuzzy Hash: 3f0a4861da36dd5a40cbf06b983f3560b0091071b80d416a95a953627830e5ed
                                            • Instruction Fuzzy Hash: 6C11C470900314EADB14EBA5C885B9E7674EF04714F10401FF905BB1C1CBB85D49C799
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                              • Part of subcall function 004018F0: GetModuleHandleW.KERNEL32(Advapi32.dll), ref: 00401914
                                              • Part of subcall function 004018F0: RegCloseKey.ADVAPI32(00000000), ref: 00401977
                                            • RegQueryValueExW.ADVAPI32(00000000,DoVerboseLogging,00000000,?,?,?), ref: 00401C3D
                                            • RegCloseKey.ADVAPI32(00000000), ref: 00401C5D
                                            Strings
                                            • DoVerboseLogging, xrefs: 00401C29
                                            • SOFTWARE\InstallShield\22.0\Professional, xrefs: 00401BED
                                            Similarity
                                            • API ID: Close$HandleModuleQueryValue
                                            • String ID: DoVerboseLogging$SOFTWARE\InstallShield\22.0\Professional
                                            • API String ID: 2971604672-398011643
                                            • Opcode ID: 8cc20be989dc51849c091718715fdedceaf8bed04bd78701e6e68f63824f9245
                                            • Instruction ID: 1cc1df9e7d31757cdd2194b6cee3a3b915efef72443f0914441939a2da38a891
                                            • Opcode Fuzzy Hash: 8cc20be989dc51849c091718715fdedceaf8bed04bd78701e6e68f63824f9245
                                            • Instruction Fuzzy Hash: 5801D475D85229EBEF10DF90C845BEFBBBCAB00305F10006AE905B2180D3B85B48CBE9
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 0040E363
                                            • __itow_s.LIBCMT ref: 0040E39A
                                            • SetLastError.KERNEL32(?,?,00000000,00000001), ref: 0040E3C9
                                            Strings
                                            Similarity
                                            • API ID: ErrorH_prolog3_Last__itow_s
                                            • String ID: T4L
                                            • API String ID: 3681815494-1354015026
                                            • Opcode ID: 93d8a98974931669597e84cf0fe73a075055e349f5b6a5ed09eafe4503104574
                                            • Instruction ID: f1ef69440b21ec92f15213ddb203a28be4cea890c84e1ea6b4a8fdf8eb887722
                                            • Opcode Fuzzy Hash: 93d8a98974931669597e84cf0fe73a075055e349f5b6a5ed09eafe4503104574
                                            • Instruction Fuzzy Hash: E101B175800208ABD710FF92D841EAEB7B8FF44704F10442EF945AB281DB799949CB88
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetModuleHandleW.KERNEL32(Advapi32.dll,?,?,0040E8EA,?,?,00000000,?,?,?,?,?,?), ref: 0041090E
                                            • GetProcAddress.KERNEL32(00000000,RegCreateKeyTransactedW), ref: 0041091E
                                            Strings
                                            Similarity
                                            • API ID: AddressHandleModuleProc
                                            • String ID: Advapi32.dll$RegCreateKeyTransactedW
                                            • API String ID: 1646373207-2994018265
                                            • Opcode ID: c83e1466f133f5e565ba8414087bb2036b09d6c06009ef89a88353506975e311
                                            • Instruction ID: c05c990c2d585fc2824dd3440cc7b36747f037b6809ac8df7c296296ccd00d78
                                            • Opcode Fuzzy Hash: c83e1466f133f5e565ba8414087bb2036b09d6c06009ef89a88353506975e311
                                            • Instruction Fuzzy Hash: 30F0373211020AEFEF124FA6DC04BDA7FA5AB09751F04442AFA14A1060C2BAC4E0EB98
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetModuleHandleW.KERNEL32(Advapi32.dll), ref: 00401830
                                            • GetProcAddress.KERNEL32(00000000,RegOpenKeyTransactedW), ref: 00401840
                                            Strings
                                            Similarity
                                            • API ID: AddressHandleModuleProc
                                            • String ID: Advapi32.dll$RegOpenKeyTransactedW
                                            • API String ID: 1646373207-3913318428
                                            • Opcode ID: 352e823b9f780ac13da28e5b479450b2374df0ed46c6a572c3d5d0b2c78ddd51
                                            • Instruction ID: d0bb64c75dc60e8bd2f98a84e8563cd39cd9bd73ca4ad5fc3a144f34ce47f663
                                            • Opcode Fuzzy Hash: 352e823b9f780ac13da28e5b479450b2374df0ed46c6a572c3d5d0b2c78ddd51
                                            • Instruction Fuzzy Hash: F4F05B33100219ABDF215FA5DC04FD77BA5EB04751F04843BF910911B0C7B6C5A0D7A4
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 0040957B
                                            • GetLastError.KERNEL32(00000038,0040DDFB,004492A1,?,004AFFA0), ref: 00409582
                                            • SetLastError.KERNEL32(00000000), ref: 004095D6
                                            Strings
                                            Similarity
                                            • API ID: ErrorLast$H_prolog3_
                                            • String ID: |-L
                                            • API String ID: 3339191932-4259979122
                                            • Opcode ID: 24f43d2936b3ad16fab0b86d5cca8314c2428bcf3ba4f71db9654ee6d5e40029
                                            • Instruction ID: 714b6096e22ced05593d0ab476309d218eb8cdadfdafa15c31b76b9f64aaa364
                                            • Opcode Fuzzy Hash: 24f43d2936b3ad16fab0b86d5cca8314c2428bcf3ba4f71db9654ee6d5e40029
                                            • Instruction Fuzzy Hash: D8F0DC31500205DBDB15EB62C854B6DB3B8AF84309F00446EE042671D2CB7DEC4ACB48
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3.LIBCMT ref: 00408FE6
                                            • GetLastError.KERNEL32(00000004,00409224,00000000,?,0043A706,00000000,00000000,?,00409F4E,?,00000000,?,00000001,00000048,00409E02,004C2FA0), ref: 00409008
                                            • SetLastError.KERNEL32(?,00000000,?,0043A706,?,00409F4E,?,00000000,?,00000001,00000048,00409E02,004C2FA0,?,00000000,00000000), ref: 00409044
                                            Strings
                                            Similarity
                                            • API ID: ErrorLast$H_prolog3
                                            • String ID: |-L
                                            • API String ID: 3502553090-4259979122
                                            • Opcode ID: ea055b06ae94e280d7ba610d09059c28fdaebb8ea6135063e608ee3838a4fbef
                                            • Instruction ID: 7135aa5b5c6711000976b1a5063b62f77656cbc11f1e0439027cdd843273076e
                                            • Opcode Fuzzy Hash: ea055b06ae94e280d7ba610d09059c28fdaebb8ea6135063e608ee3838a4fbef
                                            • Instruction Fuzzy Hash: E3014675500616EFCB01DF06C944A59BBF4FF48715B01862AF8189BB62C7B8EA60DFC8
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetModuleHandleW.KERNEL32(Advapi32.lib,IsTextUnicode), ref: 00445FCE
                                            • GetProcAddress.KERNEL32(00000000), ref: 00445FD5
                                            Strings
                                            Similarity
                                            • API ID: AddressHandleModuleProc
                                            • String ID: Advapi32.lib$IsTextUnicode
                                            • API String ID: 1646373207-3723215607
                                            • Opcode ID: 1e844ae8459809b4531c415c7125214c5ae695be30b9232cf70e5085d4d845a9
                                            • Instruction ID: 5890916d41243b8dae1628dc5aed9f08788239c8a3b298eb17c7d36771733127
                                            • Opcode Fuzzy Hash: 1e844ae8459809b4531c415c7125214c5ae695be30b9232cf70e5085d4d845a9
                                            • Instruction Fuzzy Hash: 62E0ED32200326A7AF308FA59C05AAB3B6C9B027183094027FD1597241CA3DD8449BAE
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 0040E245
                                              • Part of subcall function 00402CE0: GetLastError.KERNEL32(2E932D87,?,00000000,74DEDFA0,?,?,004AC418,000000FF,T4L,00401EE2,InstallShield.log,?), ref: 00402D30
                                              • Part of subcall function 00402CE0: SetLastError.KERNEL32(?,004C2D7C,00000000,?,00000000,74DEDFA0,?,?,004AC418,000000FF,T4L,00401EE2,InstallShield.log,?), ref: 00402DA8
                                              • Part of subcall function 004053A0: GetLastError.KERNEL32(2E932D87,?,?,?,?,004AC278,000000FF), ref: 004053E2
                                              • Part of subcall function 004053A0: SetLastError.KERNEL32(?,00000000,00000000,000000FF,?,?,?,?,004AC278,000000FF), ref: 0040543E
                                              • Part of subcall function 00401AC0: GetLastError.KERNEL32(?,?,0040E566), ref: 00401ACF
                                              • Part of subcall function 00401AC0: SysFreeString.OLEAUT32(?), ref: 00401AEB
                                              • Part of subcall function 00401AC0: SysFreeString.OLEAUT32(?), ref: 00401AF6
                                              • Part of subcall function 00401AC0: SetLastError.KERNEL32(?), ref: 00401B14
                                            Strings
                                            Similarity
                                            • API ID: ErrorLast$FreeString$H_prolog3_
                                            • String ID: @/L$P/L$T4L
                                            • API String ID: 2549205776-2391459764
                                            • Opcode ID: 03acca1fd10c74d24323e4ac8bcb1e2e1618de5294f8b1fd4570b5cc9c8217b9
                                            • Instruction ID: 0cce9d4a209e61f97a9b47e53ff479a0c066b02d32d24b5715c309192cc3a6ce
                                            • Opcode Fuzzy Hash: 03acca1fd10c74d24323e4ac8bcb1e2e1618de5294f8b1fd4570b5cc9c8217b9
                                            • Instruction Fuzzy Hash: 3DF03A306102049BDB15AF52CC82B9E73B8EF44319F50402EF801BB2C2CBBC69098B9C
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetModuleHandleW.KERNEL32(kernel32.dll,GetProcessId), ref: 00444824
                                            • GetProcAddress.KERNEL32(00000000), ref: 0044482B
                                            Strings
                                            Similarity
                                            • API ID: AddressHandleModuleProc
                                            • String ID: GetProcessId$kernel32.dll
                                            • API String ID: 1646373207-399901964
                                            • Opcode ID: f2698d3107329d0d2acceb1f59049789d40aba2147da7d285d87ccfc0c815085
                                            • Instruction ID: ee93fd962a4e704cc6191df0c74bc4abb2c3d25071bdf5bb63bce5f2597ed56f
                                            • Opcode Fuzzy Hash: f2698d3107329d0d2acceb1f59049789d40aba2147da7d285d87ccfc0c815085
                                            • Instruction Fuzzy Hash: 49D012312843086BAE006FF6BC09E567F5C9A91B513040436B81CC1051DA7BD450966C
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetModuleHandleW.KERNEL32(kernel32.dll,GetProcessId), ref: 00445E28
                                            • GetProcAddress.KERNEL32(00000000), ref: 00445E2F
                                            Strings
                                            Similarity
                                            • API ID: AddressHandleModuleProc
                                            • String ID: GetProcessId$kernel32.dll
                                            • API String ID: 1646373207-399901964
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetLastError.KERNEL32(2E932D87,?,?,?,?,00000000,004AAFB9,000000FF,?,00485F4A,?,00000000), ref: 00485FF3
                                            • SetLastError.KERNEL32(?,?,00485F4A,?,00000000), ref: 0048602C
                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,004C2BD0,?,00000000,00000000,?,00485F4A,?,00000000), ref: 00486052
                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,?,00485F4A,?,00000000), ref: 0048609E
                                            • SetLastError.KERNEL32(?,?,00485F4A,?,00000000), ref: 004860AC
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2441700723.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441790678.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441825034.00000000004D7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.00000000004DC000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000509000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000519000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: ErrorLast$ByteCharMultiWide
                                            • String ID:
                                            • API String ID: 3361762293-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 00409E32
                                            • _strlen.LIBCMT ref: 00409E62
                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000048,00409E02,004C2FA0,?,00000000,00000000,0000003C,00409181,?,004C2BD0), ref: 00409E7E
                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 00409EB0
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2441700723.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441790678.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441825034.00000000004D7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.00000000004DC000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000509000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000519000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: ByteCharMultiWide$H_prolog3__strlen
                                            • String ID:
                                            • API String ID: 708778256-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetLastError.KERNEL32(2E932D87,00000000,74DEDFA0,74DEE010), ref: 00405053
                                            • SysFreeString.OLEAUT32(?), ref: 0040506F
                                            • SysFreeString.OLEAUT32(?), ref: 0040507A
                                            • SetLastError.KERNEL32(?), ref: 0040509A
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2441700723.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441790678.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441825034.00000000004D7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.00000000004DC000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000509000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000519000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: ErrorFreeLastString
                                            • String ID:
                                            • API String ID: 3822639702-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2441700723.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441790678.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441825034.00000000004D7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.00000000004DC000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000509000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000519000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: Window$DestroyH_prolog3Visible
                                            • String ID:
                                            • API String ID: 447219068-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2441700723.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441790678.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441825034.00000000004D7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.00000000004DC000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000509000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000519000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: ErrorFreeLastString
                                            • String ID:
                                            • API String ID: 3822639702-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • IsBadReadPtr.KERNEL32(?,00000004,?,?,?,?,?,?,00455889,?,?,?), ref: 004558F6
                                            • GetLastError.KERNEL32(?,?,?,?,?,?,00455889,?,?,?), ref: 004558FC
                                            • IsBadReadPtr.KERNEL32(?,00000000,?,?,?,?,?,?,00455889,?,?,?), ref: 0045591C
                                            • _memmove.LIBCMT ref: 0045594D
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2441700723.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441790678.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441825034.00000000004D7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.00000000004DC000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000509000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000519000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: Read$ErrorLast_memmove
                                            • String ID:
                                            • API String ID: 1328700803-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • IsWindow.USER32(00000000), ref: 00411DE0
                                            • GetTickCount.KERNEL32 ref: 00411E21
                                            • SendDlgItemMessageW.USER32(00000000,000003EC,0000000C,00000000,-00000004), ref: 00411E5D
                                            • SendDlgItemMessageW.USER32(00000000,000003ED,0000000C,00000000,-00000004), ref: 00411E96
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2441700723.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441790678.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441825034.00000000004D7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.00000000004DC000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000509000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000519000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: ItemMessageSend$CountTickWindow
                                            • String ID:
                                            • API String ID: 373309326-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2441700723.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441790678.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441825034.00000000004D7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.00000000004DC000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000509000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000519000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: String$AllocFree
                                            • String ID:
                                            • API String ID: 344208780-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • FindResourceExW.KERNEL32(?,00000006,?,?,?,00000000,?,?,0040D4B6,004C2FA0,?,00000002,?), ref: 0044674F
                                            • FindResourceExW.KERNEL32(?,00000006,00000000,?,?,?,0040D4B6,004C2FA0,?,00000002,?), ref: 00446787
                                            • FindResourceExW.KERNEL32(?,00000006,00000000,00000400,?,?,0040D4B6,004C2FA0,?,00000002,?), ref: 004467B4
                                            • FindResourceExW.KERNEL32(?,00000006,00000000,00000000,?,?,0040D4B6,004C2FA0,?,00000002,?), ref: 004467DE
                                              • Part of subcall function 004466BC: __EH_prolog3_GS.LIBCMT ref: 004466C3
                                              • Part of subcall function 004466BC: LoadResource.KERNEL32(?,?,00000038,004467F9,?,?,?,?,?,?,0040D4B6,004C2FA0,?,00000002,?), ref: 004466DA
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2441700723.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441790678.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441825034.00000000004D7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.00000000004DC000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000509000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000519000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: Resource$Find$H_prolog3_Load
                                            • String ID:
                                            • API String ID: 4133745404-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00456862
                                            • GetFileSize.KERNEL32(00000000,00000000), ref: 00456878
                                            • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00456896
                                            • CloseHandle.KERNEL32(00000000), ref: 004568A2
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2441700723.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441790678.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441825034.00000000004D7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.00000000004DC000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000509000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000519000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: File$CloseCreateHandleReadSize
                                            • String ID:
                                            • API String ID: 3919263394-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2441700723.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441790678.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441825034.00000000004D7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.00000000004DC000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000509000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000519000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: ErrorLast
                                            • String ID: lJ$x/L
                                            • API String ID: 1452528299-2084575886
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 00412642
                                            • lstrcpyA.KERNEL32(?,00000000), ref: 004126AF
                                              • Part of subcall function 0040CF3D: __EH_prolog3_GS.LIBCMT ref: 0040CF47
                                            • lstrcpyA.KERNEL32(?,00000000,?), ref: 004126E4
                                              • Part of subcall function 00489C10: wsprintfA.USER32 ref: 00489C9A
                                              • Part of subcall function 00489C10: GetLastError.KERNEL32 ref: 00489CF2
                                              • Part of subcall function 00489C10: SetLastError.KERNEL32(?,?,00000000,000000FF), ref: 00489D40
                                              • Part of subcall function 00489C10: lstrcpyA.KERNEL32(000000D0,?), ref: 00489D89
                                            • lstrcpyA.KERNEL32(?,00000000,00000174,004127F5,?), ref: 00412692
                                              • Part of subcall function 00401B80: GetLastError.KERNEL32(?,00000000,00409F66,00000000,?,00000000,?,00000001,00000048,00409E02,004C2FA0,?,00000000,00000000,0000003C,00409181), ref: 00401B8F
                                              • Part of subcall function 00401B80: SysFreeString.OLEAUT32(00000000), ref: 00401BAB
                                              • Part of subcall function 00401B80: SysFreeString.OLEAUT32(0000002C), ref: 00401BB6
                                              • Part of subcall function 00401B80: SetLastError.KERNEL32(?), ref: 00401BD4
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2441700723.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441790678.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441825034.00000000004D7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.00000000004DC000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000509000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000519000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: ErrorLastlstrcpy$FreeH_prolog3_String$wsprintf
                                            • String ID:
                                            • API String ID: 2054042452-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetLastError.KERNEL32(00000001,753CE860,2E932D87,?,74DEE010,?,?,004AC698,000000FF,T4L,004049B4), ref: 00405FF4
                                            • SetLastError.KERNEL32(?,00000007,00000000,000000FF), ref: 00406042
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: ErrorLast
                                            • String ID: T4L$T4L
                                            • API String ID: 1452528299-3367740000
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetLastError.KERNEL32(2E932D87,?,?,?,00000000,004ACAC8,000000FF,T4L,004050D6,00000000,00000001,000000FF), ref: 004045BE
                                            • SetLastError.KERNEL32(?,00000000,00000000,00000000), ref: 0040461A
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: ErrorLast
                                            • String ID: T4L$T4L
                                            • API String ID: 1452528299-3367740000
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetWindowRect.USER32(?,?), ref: 00495DA3
                                            • IntersectRect.USER32(?,?,?), ref: 00495DB8
                                            • GetWindowTextW.USER32(?,?,00000104), ref: 00495DCF
                                            • InvalidateRect.USER32(?,?,00000000), ref: 00495DFB
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: Rect$Window$IntersectInvalidateText
                                            • String ID:
                                            • API String ID: 1165118807-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                              • Part of subcall function 0040F22B: FindWindowExW.USER32(000000FD,00000000,IsPrqHook,-00000004), ref: 0040F272
                                            • SendMessageW.USER32(00000000,0000000C,00000000,?), ref: 00411F1E
                                            • SendMessageW.USER32(00000000,00000111,00000002,00000000), ref: 00411F2E
                                              • Part of subcall function 0041075B: __EH_prolog3_GS.LIBCMT ref: 00410762
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: MessageSend$FindH_prolog3_Window
                                            • String ID:
                                            • API String ID: 1301945986-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • FindResourceW.KERNEL32(?,?,00000002,?,00000000,00000001,?,0049A1B2,?,?,00000000,004998EA,?,?,004998EA,?), ref: 00499B10
                                            • LoadResource.KERNEL32(?,00000000,?,0049A1B2,?,?,00000000,004998EA,?,?,004998EA,?,?,dJ,004965B3), ref: 00499B23
                                            • LockResource.KERNEL32(00000000,?,0049A1B2,?,?,00000000,004998EA,?,?,004998EA,?,?,dJ,004965B3), ref: 00499B30
                                            • FreeResource.KERNEL32(00000000,?,dJ,004965B3), ref: 00499B42
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: Resource$FindFreeLoadLock
                                            • String ID:
                                            • API String ID: 1078018258-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                              • Part of subcall function 00464D84: __getptd_noexit.LIBCMT ref: 00464D85
                                            • __lock.LIBCMT ref: 0046454E
                                            • InterlockedDecrement.KERNEL32(?), ref: 0046456B
                                            • _free.LIBCMT ref: 0046457E
                                            • InterlockedIncrement.KERNEL32(0086BE58), ref: 00464596
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: Interlocked$DecrementIncrement__getptd_noexit__lock_free
                                            • String ID:
                                            • API String ID: 2704283638-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00410714
                                            • IsDialogMessageW.USER32(?), ref: 00410728
                                            • TranslateMessage.USER32(?), ref: 00410736
                                            • DispatchMessageW.USER32(?), ref: 00410740
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: Message$DialogDispatchPeekTranslate
                                            • String ID:
                                            • API String ID: 1266772231-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                              • Part of subcall function 00439345: IsWindow.USER32(?), ref: 0043936D
                                              • Part of subcall function 00439345: GetLastError.KERNEL32(?,004392EC,?), ref: 0043937E
                                            • IsDialogMessageW.USER32(?,?), ref: 004392FF
                                            • TranslateMessage.USER32(?), ref: 0043930D
                                            • DispatchMessageW.USER32(?), ref: 00439317
                                            • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00439326
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: Message$DialogDispatchErrorLastTranslateWindow
                                            • String ID:
                                            • API String ID: 2045501086-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00412563
                                            • GetObjectW.GDI32(00000000,0000005C,?), ref: 00412570
                                              • Part of subcall function 004125AD: GetLocaleInfoW.KERNEL32(?,00001004,?,00000014), ref: 004125E1
                                              • Part of subcall function 004125AD: TranslateCharsetInfo.GDI32(00000000,?,00000002), ref: 004125FC
                                            • CreateFontIndirectW.GDI32(?), ref: 00412587
                                            • SendMessageW.USER32(?,00000030,00000000,00000000), ref: 00412597
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: InfoMessageSend$CharsetCreateFontIndirectLocaleObjectTranslate
                                            • String ID:
                                            • API String ID: 2681337867-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __lock.LIBCMT ref: 00464E4F
                                              • Part of subcall function 0046323D: __mtinitlocknum.LIBCMT ref: 0046324F
                                              • Part of subcall function 0046323D: EnterCriticalSection.KERNEL32(00000000,?,00464E54,0000000D), ref: 00463268
                                            • InterlockedIncrement.KERNEL32(?), ref: 00464E5C
                                            • __lock.LIBCMT ref: 00464E70
                                            • ___addlocaleref.LIBCMT ref: 00464E8E
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: __lock$CriticalEnterIncrementInterlockedSection___addlocaleref__mtinitlocknum
                                            • String ID:
                                            • API String ID: 1687444384-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00414833
                                            • IsDialogMessageW.USER32(?,?), ref: 00414847
                                            • TranslateMessage.USER32(?), ref: 00414855
                                            • DispatchMessageW.USER32(?), ref: 0041485F
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: Message$DialogDispatchPeekTranslate
                                            • String ID:
                                            • API String ID: 1266772231-0
                                            • Opcode ID: d9b35cbb2f76d0bbad690ed724c4705ddf6aba1bbd01c1938827c2e7ddfc1215
                                            • Instruction ID: b5c1efe96b76b106ce1e22c38196cde2ee867dc7df8cedafc31724231bce7c88
                                            • Opcode Fuzzy Hash: d9b35cbb2f76d0bbad690ed724c4705ddf6aba1bbd01c1938827c2e7ddfc1215
                                            • Instruction Fuzzy Hash: 8DF06235A04296ABDB60AFB7AC0CDFBBFBCDBC5B01B004067A461D2151E6689446CB78
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • PeekMessageW.USER32(?,00000000,00000113,00000113,00000001), ref: 004301EC
                                            • PeekMessageW.USER32(?,00000000,00000000,00000000,04270001), ref: 00430202
                                            • TranslateMessage.USER32(?), ref: 00430210
                                            • DispatchMessageW.USER32(?), ref: 0043021A
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2441700723.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441790678.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441825034.00000000004D7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.00000000004DC000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000509000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000519000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: Message$Peek$DispatchTranslate
                                            • String ID:
                                            • API String ID: 1795658109-0
                                            • Opcode ID: c9655ed3ab55fc17ed093dd39af45d67eaa3e2fe43e73219ab276254281691f0
                                            • Instruction ID: 00882ce5cda7ca4ff11e02b86652fa535bfc858a5f3d0f213e65b363a0b21e68
                                            • Opcode Fuzzy Hash: c9655ed3ab55fc17ed093dd39af45d67eaa3e2fe43e73219ab276254281691f0
                                            • Instruction Fuzzy Hash: 13F01271A0020E7BDB105BB69C9DD9B7FBCDB89F44B004525B521D2145E668E9068678
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2441700723.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441790678.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441825034.00000000004D7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.00000000004DC000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000509000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000519000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: FreeString_free
                                            • String ID:
                                            • API String ID: 2157979973-0
                                            • Opcode ID: 885f7a036933098c6bd05cd0720d6cd5f0772c77fc0e4d6d597938a08ec789e2
                                            • Instruction ID: 8eaf5657c2ebb0a3b13a4a4b11e247605b84b600caf6c3e8d720e6c2d7b118d4
                                            • Opcode Fuzzy Hash: 885f7a036933098c6bd05cd0720d6cd5f0772c77fc0e4d6d597938a08ec789e2
                                            • Instruction Fuzzy Hash: 34F09076500522EFC7228F56E5C4806FB64FF09752711822BF46883622CB719CA6CFD8
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • _wcsstr.LIBCMT ref: 004551D3
                                            • lstrlenW.KERNEL32(?,00000000,?,0045516C,00000000,2.5.4.3,?), ref: 004551E3
                                            • _wcsstr.LIBCMT ref: 004551F5
                                            • lstrlenW.KERNEL32(-00000002,?,0045516C,00000000,2.5.4.3,?), ref: 00455207
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2441700723.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441790678.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441825034.00000000004D7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.00000000004DC000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000509000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000519000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: _wcsstrlstrlen
                                            • String ID:
                                            • API String ID: 4267858634-0
                                            • Opcode ID: 3aec2ca963c9b7e1c144ff86f5cb53c6bb9697f2919f41e82765c6a2c07b6413
                                            • Instruction ID: 1c6dd6d82ba22761ad199179ee60fccfcd3ddb863ceebba75b673429a678ec36
                                            • Opcode Fuzzy Hash: 3aec2ca963c9b7e1c144ff86f5cb53c6bb9697f2919f41e82765c6a2c07b6413
                                            • Instruction Fuzzy Hash: AAF02E32506625AB8F116F65DC108AF3F54EF01361710442BFC1597561DB36A9158BDC
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3.LIBCMT ref: 00415D20
                                            • GetLastError.KERNEL32(00000004,00416784,?,00000000), ref: 00415D44
                                            • SetLastError.KERNEL32(?), ref: 00415D71
                                            • SetLastError.KERNEL32(00000000), ref: 00415D91
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2441700723.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441790678.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441825034.00000000004D7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.00000000004DC000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000509000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000519000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: ErrorLast$H_prolog3
                                            • String ID:
                                            • API String ID: 3502553090-0
                                            • Opcode ID: eee85745f461b2685e9c6e98c369fc658d764571e3073be2b14e754d92e0c381
                                            • Instruction ID: e63c4c50e2579be7de9a440d7405d9f157185e8486bff636422b039b726b374f
                                            • Opcode Fuzzy Hash: eee85745f461b2685e9c6e98c369fc658d764571e3073be2b14e754d92e0c381
                                            • Instruction Fuzzy Hash: B401C2759002108FCB44DF55D985B9ABBA0EB04319F05C8AAAC189F2A6C7B8D954CFA8
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3.LIBCMT ref: 00452047
                                            • GetLastError.KERNEL32(00000004,0045276D,?,00000001,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0045206B
                                            • SetLastError.KERNEL32(00000008,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00452098
                                            • SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 004520B8
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2441700723.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441790678.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441825034.00000000004D7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.00000000004DC000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000509000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000519000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: ErrorLast$H_prolog3
                                            • String ID:
                                            • API String ID: 3502553090-0
                                            • Opcode ID: 3cb0793151528fdbf7fb8d638dbfa040aa64544f51633d55e62f5a859fcba6c1
                                            • Instruction ID: b5f215745daadf949085b08d572f8bfc25a3b09c1719a62bdf3109cbad5f2366
                                            • Opcode Fuzzy Hash: 3cb0793151528fdbf7fb8d638dbfa040aa64544f51633d55e62f5a859fcba6c1
                                            • Instruction Fuzzy Hash: 5301C5759002108FCB04DF55C995B8ABBA4AB04319F05C4AAAC149F367CBB8E914CFA8
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • IsWindow.USER32 ref: 004124CB
                                            • GetDlgItem.USER32(0000012D,00000001), ref: 004124E4
                                            • SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 004124F4
                                            • SendMessageW.USER32(00000000,00000402,?,00000000), ref: 00412511
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2441700723.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441790678.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441825034.00000000004D7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.00000000004DC000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000509000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000519000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: MessageSend$ItemWindow
                                            • String ID:
                                            • API String ID: 591194657-0
                                            • Opcode ID: 19d25f7fca834f18e6b0410cbb92cbaff4a1532f9ab004e36beba6a5779aa618
                                            • Instruction ID: 9ccfd2c52fb01912edb6e4708ad4e45fa94897539c7573ce4834a409b11aa6f5
                                            • Opcode Fuzzy Hash: 19d25f7fca834f18e6b0410cbb92cbaff4a1532f9ab004e36beba6a5779aa618
                                            • Instruction Fuzzy Hash: 32F02731200110BBD7101B62BC48EBA3FACEB4AB91F044037F608E10A0C7B8CC50D7AC
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetLastError.KERNEL32(?,?,004050EA,00000000,00000000,00000001,000000FF,2E932D87,00000000,74DEDFA0,74DEE010), ref: 00401A6F
                                            • SysFreeString.OLEAUT32(?), ref: 00401A8B
                                            • SysFreeString.OLEAUT32(?), ref: 00401A96
                                            • SetLastError.KERNEL32(?), ref: 00401AB4
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2441700723.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441790678.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441825034.00000000004D7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.00000000004DC000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000509000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000519000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: ErrorFreeLastString
                                            • String ID:
                                            • API String ID: 3822639702-0
                                            • Opcode ID: de7331677c6d3e50590d67bc66852f29b8a5aae7ee1625df25b9102005008d99
                                            • Instruction ID: e40d49c18025afc5c80985eda0a655243877ccc1a9f4a8e9248b552b5c85207f
                                            • Opcode Fuzzy Hash: de7331677c6d3e50590d67bc66852f29b8a5aae7ee1625df25b9102005008d99
                                            • Instruction Fuzzy Hash: 48F0F435500512EFD7009F1AE948A40FBB5FF49329B15826AE41893A31CB35F8B4CFC8
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetLastError.KERNEL32(?,?,0040E566), ref: 00401ACF
                                            • SysFreeString.OLEAUT32(?), ref: 00401AEB
                                            • SysFreeString.OLEAUT32(?), ref: 00401AF6
                                            • SetLastError.KERNEL32(?), ref: 00401B14
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2441700723.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441790678.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441825034.00000000004D7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.00000000004DC000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000509000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000519000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: ErrorFreeLastString
                                            • String ID:
                                            • API String ID: 3822639702-0
                                            • Opcode ID: de7331677c6d3e50590d67bc66852f29b8a5aae7ee1625df25b9102005008d99
                                            • Instruction ID: 7fc7d01df612ee2857e001765975f3cb69b0a7a7fc946f931921def550923789
                                            • Opcode Fuzzy Hash: de7331677c6d3e50590d67bc66852f29b8a5aae7ee1625df25b9102005008d99
                                            • Instruction Fuzzy Hash: CFF0F435500512EFD7009F1AE948A40FBB5FF49329B15826AE41893A31CB75F8B4DFC8
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2441700723.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441790678.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441825034.00000000004D7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.00000000004DC000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000509000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000519000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: ErrorFreeLastString
                                            • String ID:
                                            • API String ID: 3822639702-0
                                            • Opcode ID: de7331677c6d3e50590d67bc66852f29b8a5aae7ee1625df25b9102005008d99
                                            • Instruction ID: 7ff14be3607078348ba789317abafe8b5ff7d169440c0dd3e9125ab5b768bd65
                                            • Opcode Fuzzy Hash: de7331677c6d3e50590d67bc66852f29b8a5aae7ee1625df25b9102005008d99
                                            • Instruction Fuzzy Hash: 5CF0F435400512EFD7009F1AE948A40FBB5FF49329B15826AE41893A31DB31F8B4CFD8
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetLastError.KERNEL32(?,00000000,00409F66,00000000,?,00000000,?,00000001,00000048,00409E02,004C2FA0,?,00000000,00000000,0000003C,00409181), ref: 00401B8F
                                            • SysFreeString.OLEAUT32(00000000), ref: 00401BAB
                                            • SysFreeString.OLEAUT32(0000002C), ref: 00401BB6
                                            • SetLastError.KERNEL32(?), ref: 00401BD4
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2441700723.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441790678.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441825034.00000000004D7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.00000000004DC000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000509000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000519000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: ErrorFreeLastString
                                            • String ID:
                                            • API String ID: 3822639702-0
                                            • Opcode ID: de7331677c6d3e50590d67bc66852f29b8a5aae7ee1625df25b9102005008d99
                                            • Instruction ID: 87582723e2ee77c9659d4f9fbdc80b87d3f6132b9e241a893794d654d51cb242
                                            • Opcode Fuzzy Hash: de7331677c6d3e50590d67bc66852f29b8a5aae7ee1625df25b9102005008d99
                                            • Instruction Fuzzy Hash: 1AF0F435400512EFD7009F1AE948A40FBB5FF49329B15826AE81893A31DB71F9B4CFC8
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetDC.USER32(?), ref: 0049A119
                                            • GetDeviceCaps.GDI32(00000000,0000000C), ref: 0049A12A
                                            • GetDeviceCaps.GDI32(00000000,0000000E), ref: 0049A131
                                            • ReleaseDC.USER32(?,00000000), ref: 0049A139
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2441700723.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441790678.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441825034.00000000004D7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.00000000004DC000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000509000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000519000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: CapsDevice$Release
                                            • String ID:
                                            • API String ID: 1035833867-0
                                            • Opcode ID: 81fe86409a3509f52eef9bca38f0944fefe36bd2c16e41e9ed11b2d4ab1f9fbc
                                            • Instruction ID: cd4101a6f1a76049ecf921f76eabf7e4af3ed02cb3c39424fa35d776e82c472e
                                            • Opcode Fuzzy Hash: 81fe86409a3509f52eef9bca38f0944fefe36bd2c16e41e9ed11b2d4ab1f9fbc
                                            • Instruction Fuzzy Hash: F7E04F3290022C7FEB202BB7AC89D9B7F5CEB492B4B024432FE1CAB251D5719C4189E0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 00448597
                                              • Part of subcall function 004018F0: GetModuleHandleW.KERNEL32(Advapi32.dll), ref: 00401914
                                              • Part of subcall function 004018F0: RegCloseKey.ADVAPI32(00000000), ref: 00401977
                                              • Part of subcall function 004090B1: __EH_prolog3_GS.LIBCMT ref: 004090B8
                                              • Part of subcall function 00404200: GetLastError.KERNEL32 ref: 0040421F
                                              • Part of subcall function 00404200: SetLastError.KERNEL32(?), ref: 0040424F
                                              • Part of subcall function 00415AF8: __EH_prolog3_GS.LIBCMT ref: 00415AFF
                                              • Part of subcall function 00415AF8: GetLastError.KERNEL32(0000003C,00487419,?,?,00000001,?,?,?,?,?,?,?,?,?,00000000), ref: 00415B2A
                                              • Part of subcall function 00415AF8: SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 00415B5B
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2441700723.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441790678.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441825034.00000000004D7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.00000000004DC000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000509000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000519000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: ErrorLast$H_prolog3_$CloseHandleModule
                                            • String ID: @/L$@/L
                                            • API String ID: 2716975270-2149722323
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3.LIBCMT ref: 004440D6
                                            • CompareFileTime.KERNEL32(?,00000000,?,?,PSTORES.EXE,00000000,00000000,?,?,0000006C,0044A131,?,?,?), ref: 0044422E
                                            Strings
                                            Similarity
                                            • API ID: CompareFileH_prolog3Time
                                            • String ID: PSTORES.EXE
                                            • API String ID: 2703394530-1209905799
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Strings
                                            Similarity
                                            • API ID: _memmove
                                            • String ID: invalid string position$string too long
                                            • API String ID: 4104443479-4289949731
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Strings
                                            Similarity
                                            • API ID: _memmove
                                            • String ID: invalid string position$string too long
                                            • API String ID: 4104443479-4289949731
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 0044E0E0
                                              • Part of subcall function 00408E82: __EH_prolog3.LIBCMT ref: 00408E89
                                              • Part of subcall function 00408E82: GetLastError.KERNEL32(00000004,00409E1B,004C2FA0,00000000,0043A706,?,?,00000001), ref: 00408EAB
                                              • Part of subcall function 00408E82: SetLastError.KERNEL32(?,00000000), ref: 00408EE3
                                            Strings
                                            Similarity
                                            • API ID: ErrorLast$H_prolog3H_prolog3_
                                            • String ID: @/L$@/L
                                            • API String ID: 852442433-2149722323
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 00448A0C
                                              • Part of subcall function 00408E82: __EH_prolog3.LIBCMT ref: 00408E89
                                              • Part of subcall function 00408E82: GetLastError.KERNEL32(00000004,00409E1B,004C2FA0,00000000,0043A706,?,?,00000001), ref: 00408EAB
                                              • Part of subcall function 00408E82: SetLastError.KERNEL32(?,00000000), ref: 00408EE3
                                              • Part of subcall function 0044858D: __EH_prolog3_GS.LIBCMT ref: 00448597
                                              • Part of subcall function 00404200: GetLastError.KERNEL32 ref: 0040421F
                                              • Part of subcall function 00404200: SetLastError.KERNEL32(?), ref: 0040424F
                                              • Part of subcall function 00415AF8: __EH_prolog3_GS.LIBCMT ref: 00415AFF
                                              • Part of subcall function 00415AF8: GetLastError.KERNEL32(0000003C,00487419,?,?,00000001,?,?,?,?,?,?,?,?,?,00000000), ref: 00415B2A
                                              • Part of subcall function 00415AF8: SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 00415B5B
                                            Strings
                                            Similarity
                                            • API ID: ErrorLast$H_prolog3_$H_prolog3
                                            • String ID: @/L$@/L
                                            • API String ID: 532146472-2149722323
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 0040D735
                                              • Part of subcall function 00404200: GetLastError.KERNEL32 ref: 0040421F
                                              • Part of subcall function 00404200: SetLastError.KERNEL32(?), ref: 0040424F
                                              • Part of subcall function 0040CCC9: __EH_prolog3_GS.LIBCMT ref: 0040CCD0
                                            Strings
                                            Similarity
                                            • API ID: ErrorH_prolog3_Last
                                            • String ID: @/L$@/L
                                            • API String ID: 1018228973-2149722323
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 00449F6F
                                              • Part of subcall function 00408E82: __EH_prolog3.LIBCMT ref: 00408E89
                                              • Part of subcall function 00408E82: GetLastError.KERNEL32(00000004,00409E1B,004C2FA0,00000000,0043A706,?,?,00000001), ref: 00408EAB
                                              • Part of subcall function 00408E82: SetLastError.KERNEL32(?,00000000), ref: 00408EE3
                                              • Part of subcall function 004438E6: __EH_prolog3.LIBCMT ref: 004438ED
                                            Strings
                                            Similarity
                                            • API ID: ErrorH_prolog3Last$H_prolog3_
                                            • String ID: @/L$@/L
                                            • API String ID: 2324316964-2149722323
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 00441323
                                              • Part of subcall function 004470DB: __EH_prolog3.LIBCMT ref: 004470E2
                                            • GetLastError.KERNEL32 ref: 0044135E
                                              • Part of subcall function 004496BE: __EH_prolog3.LIBCMT ref: 004496C5
                                            Strings
                                            Similarity
                                            • API ID: H_prolog3$ErrorH_prolog3_Last
                                            • String ID: @/L
                                            • API String ID: 3513993312-3803013380
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Strings
                                            Similarity
                                            • API ID: __getptd_noexit
                                            • String ID: M
                                            • API String ID: 3074181302-1509087228
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 0044E362
                                              • Part of subcall function 00408E82: __EH_prolog3.LIBCMT ref: 00408E89
                                              • Part of subcall function 00408E82: GetLastError.KERNEL32(00000004,00409E1B,004C2FA0,00000000,0043A706,?,?,00000001), ref: 00408EAB
                                              • Part of subcall function 00408E82: SetLastError.KERNEL32(?,00000000), ref: 00408EE3
                                              • Part of subcall function 00401B80: GetLastError.KERNEL32(?,00000000,00409F66,00000000,?,00000000,?,00000001,00000048,00409E02,004C2FA0,?,00000000,00000000,0000003C,00409181), ref: 00401B8F
                                              • Part of subcall function 00401B80: SysFreeString.OLEAUT32(00000000), ref: 00401BAB
                                              • Part of subcall function 00401B80: SysFreeString.OLEAUT32(0000002C), ref: 00401BB6
                                              • Part of subcall function 00401B80: SetLastError.KERNEL32(?), ref: 00401BD4
                                            Strings
                                            Similarity
                                            • API ID: ErrorLast$FreeString$H_prolog3H_prolog3_
                                            • String ID: @/L$@/L
                                            • API String ID: 2488494826-2149722323
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Strings
                                            Similarity
                                            • API ID: ErrorH_prolog3_Last
                                            • String ID: ROOT
                                            • API String ID: 1018228973-543233263
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 0043106C
                                              • Part of subcall function 00403FB0: GetLastError.KERNEL32(2E932D87,?,?,?,?,?,004AC2D8,000000FF), ref: 00403FF3
                                              • Part of subcall function 00403FB0: SetLastError.KERNEL32(?,004C2D7C,00000000,?,?,?,?,?,004AC2D8,000000FF), ref: 00404068
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: ErrorLast$DirectorySystem
                                            • String ID: T4L$[System64Folder]
                                            • API String ID: 860285823-4082943317
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00430E7B
                                              • Part of subcall function 00403FB0: GetLastError.KERNEL32(2E932D87,?,?,?,?,?,004AC2D8,000000FF), ref: 00403FF3
                                              • Part of subcall function 00403FB0: SetLastError.KERNEL32(?,004C2D7C,00000000,?,?,?,?,?,004AC2D8,000000FF), ref: 00404068
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: ErrorLast$DirectoryWindows
                                            • String ID: T4L$[WindowsFolder]
                                            • API String ID: 1506654308-1112927461
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00430F6E
                                              • Part of subcall function 00403FB0: GetLastError.KERNEL32(2E932D87,?,?,?,?,?,004AC2D8,000000FF), ref: 00403FF3
                                              • Part of subcall function 00403FB0: SetLastError.KERNEL32(?,004C2D7C,00000000,?,?,?,?,?,004AC2D8,000000FF), ref: 00404068
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: ErrorLast$DirectorySystem
                                            • String ID: T4L$[SystemFolder]
                                            • API String ID: 860285823-3915026093
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: H_prolog3_
                                            • String ID: 0x%04lx.ini$@/L
                                            • API String ID: 2427045233-110886449
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 00445769
                                              • Part of subcall function 0044BDFA: __EH_prolog3.LIBCMT ref: 0044BE01
                                              • Part of subcall function 00408E82: __EH_prolog3.LIBCMT ref: 00408E89
                                              • Part of subcall function 00408E82: GetLastError.KERNEL32(00000004,00409E1B,004C2FA0,00000000,0043A706,?,?,00000001), ref: 00408EAB
                                              • Part of subcall function 00408E82: SetLastError.KERNEL32(?,00000000), ref: 00408EE3
                                              • Part of subcall function 0044DA4D: __EH_prolog3_GS.LIBCMT ref: 0044DA57
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: ErrorH_prolog3H_prolog3_Last
                                            • String ID: @/L$@/L
                                            • API String ID: 211087501-2149722323
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 0044CC2E
                                              • Part of subcall function 00404200: GetLastError.KERNEL32 ref: 0040421F
                                              • Part of subcall function 00404200: SetLastError.KERNEL32(?), ref: 0040424F
                                              • Part of subcall function 00408E82: __EH_prolog3.LIBCMT ref: 00408E89
                                              • Part of subcall function 00408E82: GetLastError.KERNEL32(00000004,00409E1B,004C2FA0,00000000,0043A706,?,?,00000001), ref: 00408EAB
                                              • Part of subcall function 00408E82: SetLastError.KERNEL32(?,00000000), ref: 00408EE3
                                              • Part of subcall function 00401B80: GetLastError.KERNEL32(?,00000000,00409F66,00000000,?,00000000,?,00000001,00000048,00409E02,004C2FA0,?,00000000,00000000,0000003C,00409181), ref: 00401B8F
                                              • Part of subcall function 00401B80: SysFreeString.OLEAUT32(00000000), ref: 00401BAB
                                              • Part of subcall function 00401B80: SysFreeString.OLEAUT32(0000002C), ref: 00401BB6
                                              • Part of subcall function 00401B80: SetLastError.KERNEL32(?), ref: 00401BD4
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: ErrorLast$FreeString$H_prolog3H_prolog3_
                                            • String ID: @/L$@/L
                                            • API String ID: 2488494826-2149722323
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 004460DE
                                              • Part of subcall function 0041525D: __EH_prolog3_GS.LIBCMT ref: 00415264
                                            • OpenProcess.KERNEL32(00000001,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000,0000003B), ref: 00446146
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: H_prolog3_$OpenProcess
                                            • String ID: @/L
                                            • API String ID: 613148867-3803013380
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: H_prolog3_
                                            • String ID: P/L$T4L
                                            • API String ID: 2427045233-1441100843
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 0041083D
                                              • Part of subcall function 00403F50: GetLastError.KERNEL32 ref: 00403F6F
                                              • Part of subcall function 00403F50: SetLastError.KERNEL32(?), ref: 00403F9F
                                              • Part of subcall function 0040D268: __EH_prolog3_GS.LIBCMT ref: 0040D272
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: ErrorH_prolog3_Last
                                            • String ID: P/L$T4L
                                            • API String ID: 1018228973-1441100843
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 0045960E
                                              • Part of subcall function 00404200: GetLastError.KERNEL32 ref: 0040421F
                                              • Part of subcall function 00404200: SetLastError.KERNEL32(?), ref: 0040424F
                                              • Part of subcall function 00408E82: __EH_prolog3.LIBCMT ref: 00408E89
                                              • Part of subcall function 00408E82: GetLastError.KERNEL32(00000004,00409E1B,004C2FA0,00000000,0043A706,?,?,00000001), ref: 00408EAB
                                              • Part of subcall function 00408E82: SetLastError.KERNEL32(?,00000000), ref: 00408EE3
                                              • Part of subcall function 0044C09C: __EH_prolog3_GS.LIBCMT ref: 0044C0A6
                                              • Part of subcall function 00401B80: GetLastError.KERNEL32(?,00000000,00409F66,00000000,?,00000000,?,00000001,00000048,00409E02,004C2FA0,?,00000000,00000000,0000003C,00409181), ref: 00401B8F
                                              • Part of subcall function 00401B80: SysFreeString.OLEAUT32(00000000), ref: 00401BAB
                                              • Part of subcall function 00401B80: SysFreeString.OLEAUT32(0000002C), ref: 00401BB6
                                              • Part of subcall function 00401B80: SetLastError.KERNEL32(?), ref: 00401BD4
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: ErrorLast$FreeH_prolog3_String$H_prolog3
                                            • String ID: @/L$@/L
                                            • API String ID: 386487564-2149722323
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3.LIBCMT ref: 0040E3EE
                                              • Part of subcall function 00413CE7: __EH_prolog3_GS.LIBCMT ref: 00413CEE
                                              • Part of subcall function 00403F50: GetLastError.KERNEL32 ref: 00403F6F
                                              • Part of subcall function 00403F50: SetLastError.KERNEL32(?), ref: 00403F9F
                                              • Part of subcall function 00404200: GetLastError.KERNEL32 ref: 0040421F
                                              • Part of subcall function 00404200: SetLastError.KERNEL32(?), ref: 0040424F
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2441700723.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441790678.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441825034.00000000004D7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.00000000004DC000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000509000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000519000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: ErrorLast$H_prolog3H_prolog3_
                                            • String ID: @/L$T4L
                                            • API String ID: 852442433-842787045
                                            • Opcode ID: 189de923b5731c57b67700263a07bbfb5ec848b38d539debeb01787c76b193a8
                                            • Instruction ID: aa833aaa5e159750d8e343903cd048e7ec7178dce6d6d96115b1263ee4b86a9a
                                            • Opcode Fuzzy Hash: 189de923b5731c57b67700263a07bbfb5ec848b38d539debeb01787c76b193a8
                                            • Instruction Fuzzy Hash: F62137B5600246AFC749DF79C480A89FBA8BF1C304F10826FE51DC7202DBB46615CB98
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 004267AE
                                              • Part of subcall function 004053A0: GetLastError.KERNEL32(2E932D87,?,?,?,?,004AC278,000000FF), ref: 004053E2
                                              • Part of subcall function 004053A0: SetLastError.KERNEL32(?,00000000,00000000,000000FF,?,?,?,?,004AC278,000000FF), ref: 0040543E
                                              • Part of subcall function 00401AC0: GetLastError.KERNEL32(?,?,0040E566), ref: 00401ACF
                                              • Part of subcall function 00401AC0: SysFreeString.OLEAUT32(?), ref: 00401AEB
                                              • Part of subcall function 00401AC0: SysFreeString.OLEAUT32(?), ref: 00401AF6
                                              • Part of subcall function 00401AC0: SetLastError.KERNEL32(?), ref: 00401B14
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Similarity
                                            • API ID: ErrorLast$FreeString$H_prolog3_
                                            • String ID: P/L$T4L
                                            • API String ID: 2549205776-1441100843
                                            • Opcode ID: 5d71adc4a69efa1c4e7f1c7a72b91f46334501242766fc6e634b6ed9963733bf
                                            • Instruction ID: 99f1321e1eb8a844e503e0274bc59d6c221d7a79c315cb59c7afcdddbe6a1c2e
                                            • Opcode Fuzzy Hash: 5d71adc4a69efa1c4e7f1c7a72b91f46334501242766fc6e634b6ed9963733bf
                                            • Instruction Fuzzy Hash: E8014C76D01224DACB14EEA5CD06B9D767CEF80314F55411FF814AB2C2DBB45F098B58
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Similarity
                                            • API ID: H_prolog3_
                                            • String ID: P/L$T4L
                                            • API String ID: 2427045233-1441100843
                                            • Opcode ID: 671a34622b4cc8dc29eb0f103c3bb7e49eef69770c2f160eb7e1f24a4d18657e
                                            • Instruction ID: ab0f8c1c0b55e7c4a036ef254d1e4539c3e857128e00ce9911648e7891446c31
                                            • Opcode Fuzzy Hash: 671a34622b4cc8dc29eb0f103c3bb7e49eef69770c2f160eb7e1f24a4d18657e
                                            • Instruction Fuzzy Hash: 6F115E70814159DEDF11EBA1CC45BED7BB8BB10308F54442FE501731D2CBB96A4ACBA9
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                              • Part of subcall function 00423C2C: __EH_prolog3.LIBCMT ref: 00423C33
                                              • Part of subcall function 00423C2C: SysStringLen.OLEAUT32(?), ref: 00423C64
                                            • SysStringLen.OLEAUT32(?), ref: 004240AF
                                              • Part of subcall function 00417173: GetLastError.KERNEL32 ref: 0041718A
                                              • Part of subcall function 00417173: SysFreeString.OLEAUT32(?), ref: 00417197
                                              • Part of subcall function 00417173: SetLastError.KERNEL32(?), ref: 004171B1
                                              • Part of subcall function 00417173: GetLastError.KERNEL32 ref: 004171C0
                                              • Part of subcall function 00417173: SysFreeString.OLEAUT32(?), ref: 004171DD
                                              • Part of subcall function 00417173: SetLastError.KERNEL32(?), ref: 004171ED
                                              • Part of subcall function 00425270: SysStringLen.OLEAUT32(00000000), ref: 00425280
                                            • SysStringLen.OLEAUT32(?), ref: 004240EA
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Similarity
                                            • API ID: String$ErrorLast$Free$H_prolog3
                                            • String ID: .
                                            • API String ID: 4143273375-248832578
                                            • Opcode ID: 78a252f80f559568b17f0b1fbccfa005552cfa31a7088b8e877c1b98359391f2
                                            • Instruction ID: 81ab4b0a7bffd0d075c4cd32ae9a8de5e4199f8fb8b483f49167c83de80620a0
                                            • Opcode Fuzzy Hash: 78a252f80f559568b17f0b1fbccfa005552cfa31a7088b8e877c1b98359391f2
                                            • Instruction Fuzzy Hash: 1D01A235614224BBCF10EB64EC45FDD7B68EB05328F108617B621A22D1CAB89A84CB58
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 00409135
                                            • SetLastError.KERNEL32(00000001,00000000,0043A706,?,?,00000001), ref: 004091A8
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Similarity
                                            • API ID: ErrorH_prolog3_Last
                                            • String ID: @/L
                                            • API String ID: 1018228973-3803013380
                                            • Opcode ID: f3ba4dabe57ca79f92caaee907b91a709a4a96ca60966b8a7d5d385bf99e15bd
                                            • Instruction ID: 291f87a9b9d090ea03861c90a7dd1aae1d6288a807f080f12fe15fb5645a109e
                                            • Opcode Fuzzy Hash: f3ba4dabe57ca79f92caaee907b91a709a4a96ca60966b8a7d5d385bf99e15bd
                                            • Instruction Fuzzy Hash: EC01D234600204DBD710EF52C940E9E7BB4EF84344F10406FF8016B392DBB9AD06DB98
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3.LIBCMT ref: 00441DB8
                                            • GetFileAttributesW.KERNEL32(?,00000000,0044233A), ref: 00441DD3
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Similarity
                                            • API ID: AttributesFileH_prolog3
                                            • String ID: @/L
                                            • API String ID: 1973727094-3803013380
                                            • Opcode ID: 51966435b83bce32f860fa5c570072a29eeac01150e07c72a69c3c8b4b2d275d
                                            • Instruction ID: c77139917c78a6c914c31a06a4d91c7786a85743202fde0c9b4111bd2d566082
                                            • Opcode Fuzzy Hash: 51966435b83bce32f860fa5c570072a29eeac01150e07c72a69c3c8b4b2d275d
                                            • Instruction Fuzzy Hash: 130184B5500108ABDB00AF66C55268E3BACAF04358F54406FFC499B261DB79CA45CB99
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3.LIBCMT ref: 0044436A
                                              • Part of subcall function 00448D7A: __EH_prolog3_GS.LIBCMT ref: 00448D81
                                              • Part of subcall function 00448D7A: RegQueryValueExW.KERNELBASE(?,?,00000000,00000008,00000000,@/L,0000005C,0041AB68,?,-80000001,?,?), ref: 00448DF6
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Similarity
                                            • API ID: H_prolog3H_prolog3_QueryValue
                                            • String ID: Software\Microsoft\Internet Explorer$Version
                                            • API String ID: 120832868-2486530099
                                            • Opcode ID: 935af105a3f34fd7b500136501f505a3ca7e55754b12084212923ea7f2258a87
                                            • Instruction ID: a89cf1324f751ed43803e79ba480f0b812e60ae89e9ddf8a08daddec77b2df58
                                            • Opcode Fuzzy Hash: 935af105a3f34fd7b500136501f505a3ca7e55754b12084212923ea7f2258a87
                                            • Instruction Fuzzy Hash: 1501AD75E40208BBFB00EAA5C807BEDBA78DB00B05F50005AF9106A1D2C7B90B0887D6
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 0040E1C8
                                              • Part of subcall function 004053A0: GetLastError.KERNEL32(2E932D87,?,?,?,?,004AC278,000000FF), ref: 004053E2
                                              • Part of subcall function 004053A0: SetLastError.KERNEL32(?,00000000,00000000,000000FF,?,?,?,?,004AC278,000000FF), ref: 0040543E
                                              • Part of subcall function 0040E2CD: __EH_prolog3.LIBCMT ref: 0040E2D4
                                              • Part of subcall function 0040E2CD: GetLastError.KERNEL32(00000004,0040E20C,00000000,00000001,?), ref: 0040E2F6
                                              • Part of subcall function 0040E2CD: SetLastError.KERNEL32(?), ref: 0040E322
                                              • Part of subcall function 00401AC0: GetLastError.KERNEL32(?,?,0040E566), ref: 00401ACF
                                              • Part of subcall function 00401AC0: SysFreeString.OLEAUT32(?), ref: 00401AEB
                                              • Part of subcall function 00401AC0: SysFreeString.OLEAUT32(?), ref: 00401AF6
                                              • Part of subcall function 00401AC0: SetLastError.KERNEL32(?), ref: 00401B14
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Similarity
                                            • API ID: ErrorLast$FreeString$H_prolog3H_prolog3_
                                            • String ID: P/L$T4L
                                            • API String ID: 2488494826-1441100843
                                            • Opcode ID: 3093ca6c4966a3abc2c46a8df837fbfac39e1e3f60d78798ed7314813f98a481
                                            • Instruction ID: b992d5ae3fd7f433ae5757d41275618a758aef5e49e6271f058b08e2c547c471
                                            • Opcode Fuzzy Hash: 3093ca6c4966a3abc2c46a8df837fbfac39e1e3f60d78798ed7314813f98a481
                                            • Instruction Fuzzy Hash: 07011E74910208DBDB14EF52CD41BDDB378BF14318F50402EF8017B282CBB86A09CB98
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 0044098F
                                              • Part of subcall function 004090B1: __EH_prolog3_GS.LIBCMT ref: 004090B8
                                            • RegCreateKeyW.ADVAPI32(80000001,-00000004,00000000), ref: 004409C7
                                            Strings
                                            • SOFTWARE\InstallShield\Cryptography\Trust, xrefs: 004409A5
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Similarity
                                            • API ID: H_prolog3_$Create
                                            • String ID: SOFTWARE\InstallShield\Cryptography\Trust
                                            • API String ID: 1416351300-595016613
                                            • Opcode ID: 74c09a9062affea11a1e435f9f85e384c1148eaf05a43ee6cfe7887486a8cd84
                                            • Instruction ID: 3cd6430252965c13d4c24e4f9f2fcb288a12c78750ad77f026ad94d326b7ffd1
                                            • Opcode Fuzzy Hash: 74c09a9062affea11a1e435f9f85e384c1148eaf05a43ee6cfe7887486a8cd84
                                            • Instruction Fuzzy Hash: 21F0F971800108EFEB14EB91C956FAC7774FF1131AF51041AE941671A2DBB8BE0ACB99
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Similarity
                                            • API ID: NameName::
                                            • String ID: {flat}
                                            • API String ID: 1333004437-2606204563
                                            • Opcode ID: 34fb1a896847df4a8169bb83752d2009f8dce2a6e1ae9db14d07b86995ceaf8d
                                            • Instruction ID: ac390ed55f030b9492ff35e4992d161fba4c56a2d28e640b3beaf338bbc4769d
                                            • Opcode Fuzzy Hash: 34fb1a896847df4a8169bb83752d2009f8dce2a6e1ae9db14d07b86995ceaf8d
                                            • Instruction Fuzzy Hash: 53F0A9702002489FD711CB68E4A5BF53BA49B45715F08C097E6DC0F3A6C778D8908B9E
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 0041A1A0
                                              • Part of subcall function 00408F6D: __EH_prolog3.LIBCMT ref: 00408F74
                                              • Part of subcall function 00408F6D: GetLastError.KERNEL32(00000004,004091E9,00000000,?,00000000,00000000), ref: 00408F96
                                              • Part of subcall function 00408F6D: SetLastError.KERNEL32(?,00000000,?), ref: 00408FCF
                                              • Part of subcall function 0040B91E: __EH_prolog3_GS.LIBCMT ref: 0040B925
                                              • Part of subcall function 00401B80: GetLastError.KERNEL32(?,00000000,00409F66,00000000,?,00000000,?,00000001,00000048,00409E02,004C2FA0,?,00000000,00000000,0000003C,00409181), ref: 00401B8F
                                              • Part of subcall function 00401B80: SysFreeString.OLEAUT32(00000000), ref: 00401BAB
                                              • Part of subcall function 00401B80: SysFreeString.OLEAUT32(0000002C), ref: 00401BB6
                                              • Part of subcall function 00401B80: SetLastError.KERNEL32(?), ref: 00401BD4
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Similarity
                                            • API ID: ErrorLast$FreeH_prolog3_String$H_prolog3
                                            • String ID: @/L$data1.hdr
                                            • API String ID: 386487564-2701889144
                                            • Opcode ID: 5356534c9385acdc3935019c9be7c9b922634323dbc80b946c44293bced6f0ee
                                            • Instruction ID: 44fac2e72bb5965a96635464470d8abd2e796e271420e83698ce917d9ad6b625
                                            • Opcode Fuzzy Hash: 5356534c9385acdc3935019c9be7c9b922634323dbc80b946c44293bced6f0ee
                                            • Instruction Fuzzy Hash: 78F01C71910208DBD710EB91C942FEDB3B8EF54309F50406EF901A7181DFB86A0EDB98
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetLastError.KERNEL32(?,?,00450759,?,?,?), ref: 004507A9
                                            • GetLastError.KERNEL32(?,?,00450759,?,?,?), ref: 004507B3
                                            • SetLastError.KERNEL32(00000000,?,?,00450759,?,?,?), ref: 004507F5
                                            • SetLastError.KERNEL32(00000000,?,?,00450759,?,?,?), ref: 004507FF
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2441725444.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2441700723.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441790678.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441825034.00000000004D7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.00000000004DC000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000509000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2441852535.0000000000519000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_OnLine_Install_Dialog_UI_SSL.jbxd
                                            Similarity
                                            • API ID: ErrorLast
                                            • String ID:
                                            • API String ID: 1452528299-0
                                            • Opcode ID: a21cb247fca51b386554ee18f0614d98c54971491a8e4dfaacd9066de977b60b
                                            • Instruction ID: 9492eaaf6a766964385fe8987e04b40be5ef2b8f0ac12adeb4bc4a161b648c8e
                                            • Opcode Fuzzy Hash: a21cb247fca51b386554ee18f0614d98c54971491a8e4dfaacd9066de977b60b
                                            • Instruction Fuzzy Hash: FAF0903910161597EB242F22C84DB6E7F59AB05316F10442BEC25812A2CB79A899DAAD
                                            Uniqueness

                                            Uniqueness Score: -1.00%