
Windows Analysis Report
PI_230524.exe

Overview

General Information

Sample name:PI_230524.exe
Analysis ID:1447911
MD5:030c15387f508bd9bc1f38fffd928eef
SHA1:679ee5f887f33d2c78e4b0ca4471fe9e9d39e7a2
SHA256:1445ff0436a861d28cd25bd638f2e018fb0c8229afee0b6f40d5fcf1a855c2a0
Tags:exe
Infos:

Detection

Score:3
Range:0 - 100
Whitelisted:false
Confidence:60%

Signatures

Contains functionality to read data from the clipboard
Contains functionality to shutdown / reboot the system
Found large amount of non-executed APIs
PE file contains an invalid checksum
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files

Classification

  • System is w10x64
  • PI_230524.exe (PID: 4240 cmdline: "C:\Users\user\Desktop\PI_230524.exe" MD5: 030C15387F508BD9BC1F38FFFD928EEF)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched

There are no malicious signatures.

Source: PI_230524.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: PI_230524.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\PI_230524.exe | Code function: 0_2_00402765 FindFirstFileA, 0_2_00402765
Source: C:\Users\user\Desktop\PI_230524.exe | Code function: 0_2_004062F0 FindFirstFileA, FindClose, 0_2_004062F0
Source: C:\Users\user\Desktop\PI_230524.exe | Code function: 0_2_004057B5 GetTempPathA, DeleteFileA, lstrcatA, lstrcatA, lstrlenA, FindFirstFileA, FindNextFileA, FindClose, 0_2_004057B5
Source: PI_230524.exe | String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: PI_230524.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: PI_230524.exe, 00000000.00000003.1471681218.0000000000A2D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://nsis.sf.net/NSIS_Errors
Source: C:\Users\user\Desktop\PI_230524.exe | Code function: 0_2_00405252 GetDlgItem, GetDlgItem, GetDlgItem, GetDlgItem, GetClientRect, GetSystemMetrics, SendMessageA, SendMessageA, SendMessageA, SendMessageA, SendMessageA, SendMessageA, ShowWindow, ShowWindow, GetDlgItem, SendMessageA, SendMessageA, SendMessageA, GetDlgItem, CreateThread, CloseHandle, ShowWindow, ShowWindow, ShowWindow, ShowWindow, SendMessageA, CreatePopupMenu, AppendMenuA, GetWindowRect, TrackPopupMenu, SendMessageA, OpenClipboard, EmptyClipboard, GlobalAlloc, GlobalLock, SendMessageA, GlobalUnlock, SetClipboardData, CloseClipboard, 0_2_00405252
Source: C:\Users\user\Desktop\PI_230524.exe | Code function: 0_2_00403248 EntryPoint, SetErrorMode, GetVersion, lstrlenA, #17, OleInitialize, SHGetFileInfoA, GetCommandLineA, CharNextA, GetTempPathA, GetTempPathA, GetWindowsDirectoryA, lstrcatA, GetTempPathA, lstrcatA, SetEnvironmentVariableA, SetEnvironmentVariableA, SetEnvironmentVariableA, DeleteFileA, OleUninitialize, ExitProcess, lstrcatA, lstrcatA, lstrcatA, lstrcmpiA, SetCurrentDirectoryA, DeleteFileA, CopyFileA, CloseHandle, GetCurrentProcess, OpenProcessToken, LookupPrivilegeValueA, AdjustTokenPrivileges, ExitWindowsEx, ExitProcess, 0_2_00403248
Source: PI_230524.exe, 00000000.00000000.1470807486.00000000007CC000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamesemirelief.exeP vs PI_230524.exe
Source: PI_230524.exe | Binary or memory string: OriginalFilenamesemirelief.exeP vs PI_230524.exe
Source: PI_230524.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: classification engine | Classification label: clean3.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\PI_230524.exe | Code function: 0_2_00403248 EntryPoint, SetErrorMode, GetVersion, lstrlenA, #17, OleInitialize, SHGetFileInfoA, GetCommandLineA, CharNextA, GetTempPathA, GetTempPathA, GetWindowsDirectoryA, lstrcatA, GetTempPathA, lstrcatA, SetEnvironmentVariableA, SetEnvironmentVariableA, SetEnvironmentVariableA, DeleteFileA, OleUninitialize, ExitProcess, lstrcatA, lstrcatA, lstrcatA, lstrcmpiA, SetCurrentDirectoryA, DeleteFileA, CopyFileA, CloseHandle, GetCurrentProcess, OpenProcessToken, LookupPrivilegeValueA, AdjustTokenPrivileges, ExitWindowsEx, ExitProcess, 0_2_00403248
Source: C:\Users\user\Desktop\PI_230524.exe | Code function: 0_2_0040450D GetDlgItem, SetWindowTextA, SHBrowseForFolderA, CoTaskMemFree, lstrcmpiA, lstrcatA, SetDlgItemTextA, GetDiskFreeSpaceA, MulDiv, SetDlgItemTextA, 0_2_0040450D
Source: C:\Users\user\Desktop\PI_230524.exe | Code function: 0_2_00402138 CoCreateInstance, MultiByteToWideChar, 0_2_00402138
Source: C:\Users\user\Desktop\PI_230524.exe | File created: C:\Users\user\AppData\Local\Temp\nsr7BEF.tmp
Source: PI_230524.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\PI_230524.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\PI_230524.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\PI_230524.exe | File read: C:\Users\user\Desktop\PI_230524.exe
Source: C:\Users\user\Desktop\PI_230524.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\PI_230524.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\PI_230524.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\PI_230524.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\PI_230524.exe | Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\PI_230524.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\PI_230524.exe | Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\PI_230524.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\PI_230524.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\PI_230524.exe | Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\PI_230524.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\PI_230524.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\PI_230524.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\PI_230524.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\PI_230524.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\PI_230524.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\PI_230524.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\PI_230524.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\PI_230524.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\PI_230524.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\PI_230524.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: PI_230524.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: PI_230524.exe | Static PE information: real checksum: 0x878b3 should be: 0x8fe0e
Source: C:\Users\user\Desktop\PI_230524.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PI_230524.exe | API coverage: 9.4 %
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\PI_230524.exe | Code function: 0_2_00402765 FindFirstFileA, 0_2_00402765
Source: C:\Users\user\Desktop\PI_230524.exe | Code function: 0_2_004062F0 FindFirstFileA, FindClose, 0_2_004062F0
Source: C:\Users\user\Desktop\PI_230524.exe | Code function: 0_2_004057B5 GetTempPathA, DeleteFileA, lstrcatA, lstrcatA, lstrlenA, FindFirstFileA, FindNextFileA, FindClose, 0_2_004057B5
Source: C:\Users\user\Desktop\PI_230524.exe | API call chain: ExitProcess graph end node graph_0-2950
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\PI_230524.exe | Code function: 0_2_00403248 EntryPoint, SetErrorMode, GetVersion, lstrlenA, #17, OleInitialize, SHGetFileInfoA, GetCommandLineA, CharNextA, GetTempPathA, GetTempPathA, GetWindowsDirectoryA, lstrcatA, GetTempPathA, lstrcatA, SetEnvironmentVariableA, SetEnvironmentVariableA, SetEnvironmentVariableA, DeleteFileA, OleUninitialize, ExitProcess, lstrcatA, lstrcatA, lstrcatA, lstrcmpiA, SetCurrentDirectoryA, DeleteFileA, CopyFileA, CloseHandle, GetCurrentProcess, OpenProcessToken, LookupPrivilegeValueA, AdjustTokenPrivileges, ExitWindowsEx, ExitProcess, 0_2_00403248
ATT&CK Matrix (tactic: techniques; a leading count is the number of matching signatures, techniques without a count are unmatched placeholders)

  • Reconnaissance: Gather Victim Identity Information; Credentials
  • Resource Development: Acquire Infrastructure; Domains
  • Initial Access: Valid Accounts; Default Accounts
  • Execution: Windows Management Instrumentation; Scheduled Task/Job
  • Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts
  • Privilege Escalation: 1 Access Token Manipulation; 1 DLL Side-Loading
  • Defense Evasion: 1 Access Token Manipulation; 1 DLL Side-Loading
  • Credential Access: OS Credential Dumping; LSASS Memory
  • Discovery: 2 File and Directory Discovery; 4 System Information Discovery
  • Lateral Movement: Remote Services; Remote Desktop Protocol
  • Collection: 1 Clipboard Data; Data from Removable Media
  • Command and Control: Data Obfuscation; Junk Data
  • Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth
  • Impact: 1 System Shutdown/Reboot; Network Denial of Service

No Antivirus matches
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
http://nsis.sf.net/NSIS_Error | 0% | URL Reputation | safe |
http://nsis.sf.net/NSIS_Error | 0% | URL Reputation | safe |
http://nsis.sf.net/NSIS_ErrorError | 0% | URL Reputation | safe |
http://nsis.sf.net/NSIS_Errors | 0% | Avira URL Cloud | safe |
http://nsis.sf.net/NSIS_Errors | 0% | Virustotal | | Browse
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation

Name:http://nsis.sf.net/NSIS_Errors
Source:PI_230524.exe, 00000000.00000003.1471681218.0000000000A2D000.00000004.00000020.00020000.00000000.sdmp
Malicious:false
Antivirus Detection:
  • 0%, Virustotal, Browse
  • Avira URL Cloud: safe
Reputation:unknown

Name:http://nsis.sf.net/NSIS_Error
Source:PI_230524.exe
Malicious:false
Antivirus Detection:
  • URL Reputation: safe
  • URL Reputation: safe
Reputation:unknown

Name:http://nsis.sf.net/NSIS_ErrorError
Source:PI_230524.exe
Malicious:false
Antivirus Detection:
  • URL Reputation: safe
Reputation:unknown
No contacted IP infos
Joe Sandbox version:40.0.0 Tourmaline
Analysis ID:1447911
Start date and time:2024-05-27 12:18:20 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 2m 21s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:2
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:PI_230524.exe
Detection:CLEAN
Classification:clean3.winEXE@1/0@0/0
EGA Information:
  • Successful, ratio: 100%
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 10
  • Number of non-executed functions: 35
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Stop behavior analysis, all processes terminated
  • Exclude process from analysis (whitelisted): dllhost.exe
No simulations
No context
No context
No context
No context
No context
No created / dropped files found
File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):6.972388023488223
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:PI_230524.exe
File size:544'752 bytes
MD5:030c15387f508bd9bc1f38fffd928eef
SHA1:679ee5f887f33d2c78e4b0ca4471fe9e9d39e7a2
SHA256:1445ff0436a861d28cd25bd638f2e018fb0c8229afee0b6f40d5fcf1a855c2a0
SHA512:a42a543f3cf68c9e420c498bf0e7cc101ea5828ce51ada90398c357d2fc02651183fe59696d806fb0f3a112fdcf9c10ae0facc52f4cd060ab1a78df48e418e60
SSDEEP:6144:+Y8i9d6ihOq761Mymf40IoBdLlNZ4DYvP+TV5lKiecmMlGvtClbz:8K6+L761MymflCYX+EixjlGC
TLSH:DFC4D0A3F120588FFC602BF04C1D96347674BE4A91B80F3A658177EB727F862A1476E5
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........@............/...........r.../...............+.......Rich............PE..L......].................b....9.....H2............@
Icon Hash:199bb3bf5f4d0d07
Entrypoint:0x403248
Entrypoint Section:.text
Digitally signed:true
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:0x5DF6D4D5 [Mon Dec 16 00:50:29 2019 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:4
OS Version Minor:0
File Version Major:4
File Version Minor:0
Subsystem Version Major:4
Subsystem Version Minor:0
Import Hash:e9c0657252137ac61c1eeeba4c021000
Signature Valid:
Signature Issuer:
Signature Validation Error:
Error Number:
Not Before, Not After
    Subject Chain
      Version:
      Thumbprint MD5:
      Thumbprint SHA-1:
      Thumbprint SHA-256:
      Serial:
      Instruction
      sub esp, 00000184h
      push ebx
      push esi
      push edi
      xor ebx, ebx
      push 00008001h
      mov dword ptr [esp+18h], ebx
      mov dword ptr [esp+10h], 0040A198h
      mov dword ptr [esp+20h], ebx
      mov byte ptr [esp+14h], 00000020h
      call dword ptr [004080A0h]
      call dword ptr [0040809Ch]
      and eax, BFFFFFFFh
      cmp ax, 00000006h
      mov dword ptr [007A2F4Ch], eax
      je 00007F53150B2103h
      push ebx
      call 00007F53150B51EBh
      cmp eax, ebx
      je 00007F53150B20F9h
      push 00000C00h
      call eax
      mov esi, 00408298h
      push esi
      call 00007F53150B5167h
      push esi
      call dword ptr [00408098h]
      lea esi, dword ptr [esi+eax+01h]
      cmp byte ptr [esi], bl
      jne 00007F53150B20DDh
      push 0000000Ah
      call 00007F53150B51BFh
      push 00000008h
      call 00007F53150B51B8h
      push 00000006h
      mov dword ptr [007A2F44h], eax
      call 00007F53150B51ACh
      cmp eax, ebx
      je 00007F53150B2101h
      push 0000001Eh
      call eax
      test eax, eax
      je 00007F53150B20F9h
      or byte ptr [007A2F4Fh], 00000040h
      push ebp
      call dword ptr [00408040h]
      push ebx
      call dword ptr [00408284h]
      mov dword ptr [007A3018h], eax
      push ebx
      lea eax, dword ptr [esp+38h]
      push 00000160h
      push eax
      push ebx
      push 0079E508h
      call dword ptr [00408178h]
      push 0040A188h
      Programming Language:
      • [EXP] VC++ 6.0 SP5 build 8804
      Name | Virtual Address | Virtual Size | Is in Section
      IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8430 | 0xa0 | .rdata
      IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x3b3000 | 0x28608 | .rsrc
      IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_SECURITY | 0x84578 | 0xa78 | .data
      IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x294 | .rdata
      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
      Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
      .text | 0x1000 | 0x60d8 | 0x6200 | e59663060e65803bb6474d2af98f8aa9 | False | 0.6750637755102041 | data | 6.467400856752681 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
      .rdata | 0x8000 | 0x123e | 0x1400 | 7969015d02b2f673463f43156b28cdb4 | False | 0.428515625 | data | 5.032652926909017 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
      .data | 0xa000 | 0x399058 | 0x400 | 2d383339e780dfc9691f30584bbd0766 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
      .ndata | 0x3a4000 | 0xf000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
      .rsrc | 0x3b3000 | 0x28608 | 0x28800 | ede5a8755ab4c8277abbf0838590eb8a | False | 0.21144989390432098 | data | 3.2566612538812296 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
      Name | RVA | Size | Type | Language | Country | ZLIB Complexity
      RT_ICON | 0x3b3388 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 | English | United States | 0.1756624866911156
      RT_ICON | 0x3c3bb0 | 0x94a8 | Device independent bitmap graphic, 96 x 192 x 32, image size 38016 | English | United States | 0.2090866092074837
      RT_ICON | 0x3cd058 | 0x5488 | Device independent bitmap graphic, 72 x 144 x 32, image size 21600 | English | United States | 0.2295286506469501
      RT_ICON | 0x3d24e0 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | United States | 0.22461029759093057
      RT_ICON | 0x3d6708 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.27323651452282155
      RT_ICON | 0x3d8cb0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.299718574108818
      RT_ICON | 0x3d9d58 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.375
      RT_ICON | 0x3da6e0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.44680851063829785
      RT_DIALOG | 0x3dab48 | 0x144 | data | English | United States | 0.5216049382716049
      RT_DIALOG | 0x3dac90 | 0x120 | data | English | United States | 0.5138888888888888
      RT_DIALOG | 0x3dadb0 | 0x11c | data | English | United States | 0.6056338028169014
      RT_DIALOG | 0x3daed0 | 0xc4 | data | English | United States | 0.5918367346938775
      RT_DIALOG | 0x3daf98 | 0x60 | data | English | United States | 0.7291666666666666
      RT_GROUP_ICON | 0x3daff8 | 0x76 | data | English | United States | 0.7457627118644068
      RT_VERSION | 0x3db070 | 0x258 | data | English | United States | 0.49833333333333335
      RT_MANIFEST | 0x3db2c8 | 0x33e | XML 1.0 document, ASCII text, with very long lines (830), with no line terminators | English | United States | 0.5542168674698795
      DLL | Import
      KERNEL32.dll | GetTempPathA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, SetEnvironmentVariableA, Sleep, GetTickCount, GetCommandLineA, lstrlenA, GetVersion, SetErrorMode, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GetWindowsDirectoryA, SetFileAttributesA, GetLastError, CreateDirectoryA, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, ReadFile, WriteFile, lstrcpyA, MoveFileExA, lstrcatA, GetSystemDirectoryA, GetProcAddress, GetExitCodeProcess, WaitForSingleObject, CompareFileTime, SetFileTime, GetFileAttributesA, SetCurrentDirectoryA, MoveFileA, GetFullPathNameA, GetShortPathNameA, SearchPathA, CloseHandle, lstrcmpiA, CreateThread, GlobalLock, lstrcmpA, DeleteFileA, FindFirstFileA, FindNextFileA, FindClose, SetFilePointer, GetPrivateProfileStringA, WritePrivateProfileStringA, MulDiv, MultiByteToWideChar, FreeLibrary, LoadLibraryExA, GetModuleHandleA, GlobalAlloc, GlobalFree, ExpandEnvironmentStringsA
      USER32.dll | GetSystemMenu, SetClassLongA, EnableMenuItem, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, ScreenToClient, GetWindowRect, GetDlgItem, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, EndDialog, RegisterClassA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, LoadImageA, CreateDialogParamA, SetTimer, SetWindowTextA, SetForegroundWindow, ShowWindow, SetWindowLongA, SendMessageTimeoutA, FindWindowExA, IsWindow, AppendMenuA, TrackPopupMenu, CreatePopupMenu, DrawTextA, EndPaint, DestroyWindow, wsprintfA, PostQuitMessage
      GDI32.dll | SelectObject, SetTextColor, SetBkMode, CreateFontIndirectA, CreateBrushIndirect, DeleteObject, GetDeviceCaps, SetBkColor
      SHELL32.dll | SHGetSpecialFolderLocation, ShellExecuteExA, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, SHFileOperationA
      ADVAPI32.dll | AdjustTokenPrivileges, RegCreateKeyExA, RegOpenKeyExA, SetFileSecurityA, OpenProcessToken, LookupPrivilegeValueA, RegEnumValueA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegSetValueExA, RegQueryValueExA, RegEnumKeyA
      COMCTL32.dll | ImageList_Create, ImageList_AddMasked, ImageList_Destroy
      ole32.dll | OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance
      Language of compilation system | Country where language is spoken
      English | United States
      No network behavior found


      Target ID:0
      Start time:06:19:33
      Start date:27/05/2024
      Path:C:\Users\user\Desktop\PI_230524.exe
      Wow64 process (32bit):true
      Commandline:"C:\Users\user\Desktop\PI_230524.exe"
      Imagebase:0x400000
      File size:544'752 bytes
      MD5 hash:030C15387F508BD9BC1F38FFFD928EEF
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:low
      Has exited:true


        Execution Graph

        Execution Coverage:5.8%
        Dynamic/Decrypted Code Coverage:0%
        Signature Coverage:17.9%
        Total number of Nodes:1258
        Total number of Limit Nodes:15
3328->3329 3329->3328 3330->3089 3346 4040c7 3331->3346 3333 405209 3337 405230 3333->3337 3349 401389 3333->3349 3334 4040c7 SendMessageA 3335 405242 OleUninitialize 3334->3335 3335->3119 3337->3334 3339 405e82 3338->3339 3340 405e86 3339->3340 3341 405e8b RegOpenKeyExA 3339->3341 3340->3320 3340->3321 3341->3340 3342->3325 3344 40600f 17 API calls 3343->3344 3345 403b96 SetWindowTextA 3344->3345 3345->3328 3347 4040d0 SendMessageA 3346->3347 3348 4040df 3346->3348 3347->3348 3348->3333 3350 401390 3349->3350 3351 4013fe 3350->3351 3352 4013cb MulDiv SendMessageA 3350->3352 3351->3333 3352->3350 3353->3147 3354->3147 3355->3145 3357 405c82 3356->3357 3358 405ca8 GetShortPathNameA 3356->3358 3383 405b86 GetFileAttributesA CreateFileA 3357->3383 3360 405dc7 3358->3360 3361 405cbd 3358->3361 3360->3162 3361->3360 3363 405cc5 wsprintfA 3361->3363 3362 405c8c CloseHandle GetShortPathNameA 3362->3360 3364 405ca0 3362->3364 3365 40600f 17 API calls 3363->3365 3364->3358 3364->3360 3366 405ced 3365->3366 3384 405b86 GetFileAttributesA CreateFileA 3366->3384 3368 405cfa 3368->3360 3369 405d09 GetFileSize GlobalAlloc 3368->3369 3370 405dc0 CloseHandle 3369->3370 3371 405d2b 3369->3371 3370->3360 3372 405bfe ReadFile 3371->3372 3373 405d33 3372->3373 3373->3370 3385 405aeb lstrlenA 3373->3385 3376 405d4a lstrcpyA 3379 405d6c 3376->3379 3377 405d5e 3378 405aeb 4 API calls 3377->3378 3378->3379 3380 405da3 SetFilePointer 3379->3380 3381 405c2d WriteFile 3380->3381 3382 405db9 GlobalFree 3381->3382 3382->3370 3383->3362 3384->3368 3386 405b2c lstrlenA 3385->3386 3387 405b34 3386->3387 3388 405b05 lstrcmpiA 3386->3388 3387->3376 3387->3377 3388->3387 3389 405b23 CharNextA 3388->3389 3389->3386 3443 401fc8 3444 402b2c 17 API calls 3443->3444 3445 401fcf 3444->3445 3446 406385 5 API calls 3445->3446 3447 401fde 3446->3447 3448 401ff6 GlobalAlloc 3447->3448 3451 40205e 3447->3451 3449 40200a 3448->3449 3448->3451 3450 406385 5 API calls 3449->3450 3452 402011 3450->3452 3453 406385 
5 API calls 3452->3453 3454 40201b 3453->3454 3454->3451 3458 405f4b wsprintfA 3454->3458 3456 402052 3459 405f4b wsprintfA 3456->3459 3458->3456 3459->3451 3460 4025c8 3461 402b2c 17 API calls 3460->3461 3462 4025cf 3461->3462 3465 405b86 GetFileAttributesA CreateFileA 3462->3465 3464 4025db 3465->3464 3466 4037c8 3467 4037d3 3466->3467 3468 4037d7 3467->3468 3469 4037da GlobalAlloc 3467->3469 3469->3468 3473 40254c 3483 402b6c 3473->3483 3476 402b0a 17 API calls 3477 40255f 3476->3477 3478 402586 RegEnumValueA 3477->3478 3479 40257a RegEnumKeyA 3477->3479 3481 402783 3477->3481 3480 40259b RegCloseKey 3478->3480 3479->3480 3480->3481 3484 402b2c 17 API calls 3483->3484 3485 402b83 3484->3485 3486 405e73 RegOpenKeyExA 3485->3486 3487 402556 3486->3487 3487->3476 3488 405252 3489 405274 GetDlgItem GetDlgItem GetDlgItem 3488->3489 3490 4053fd 3488->3490 3533 4040b0 SendMessageA 3489->3533 3492 405405 GetDlgItem CreateThread CloseHandle 3490->3492 3493 40542d 3490->3493 3492->3493 3495 40545b 3493->3495 3497 405443 ShowWindow ShowWindow 3493->3497 3498 40547c 3493->3498 3494 4052e4 3502 4052eb GetClientRect GetSystemMetrics SendMessageA SendMessageA 3494->3502 3496 4054b6 3495->3496 3499 40546b 3495->3499 3500 40548f ShowWindow 3495->3500 3496->3498 3509 4054c3 SendMessageA 3496->3509 3535 4040b0 SendMessageA 3497->3535 3501 4040e2 8 API calls 3498->3501 3536 404054 3499->3536 3505 4054a1 3500->3505 3506 4054af 3500->3506 3514 405488 3501->3514 3507 405359 3502->3507 3508 40533d SendMessageA SendMessageA 3502->3508 3510 405114 24 API calls 3505->3510 3511 404054 SendMessageA 3506->3511 3512 40536c 3507->3512 3513 40535e SendMessageA 3507->3513 3508->3507 3509->3514 3515 4054dc CreatePopupMenu 3509->3515 3510->3506 3511->3496 3516 40407b 18 API calls 3512->3516 3513->3512 3517 40600f 17 API calls 3515->3517 3519 40537c 3516->3519 3518 4054ec AppendMenuA 3517->3518 3520 40550a GetWindowRect 3518->3520 3521 40551d TrackPopupMenu 3518->3521 3522 405385 ShowWindow 
3519->3522 3523 4053b9 GetDlgItem SendMessageA 3519->3523 3520->3521 3521->3514 3524 405539 3521->3524 3525 4053a8 3522->3525 3526 40539b ShowWindow 3522->3526 3523->3514 3527 4053e0 SendMessageA SendMessageA 3523->3527 3528 405558 SendMessageA 3524->3528 3534 4040b0 SendMessageA 3525->3534 3526->3525 3527->3514 3528->3528 3529 405575 OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 3528->3529 3531 405597 SendMessageA 3529->3531 3531->3531 3532 4055b9 GlobalUnlock SetClipboardData CloseClipboard 3531->3532 3532->3514 3533->3494 3534->3523 3535->3495 3537 404061 SendMessageA 3536->3537 3538 40405b 3536->3538 3537->3498 3538->3537 3539 4014d6 3540 402b0a 17 API calls 3539->3540 3541 4014dc Sleep 3540->3541 3543 4029b8 3541->3543 3544 401659 3545 402b2c 17 API calls 3544->3545 3546 40165f 3545->3546 3547 4062f0 2 API calls 3546->3547 3548 401665 3547->3548 3549 401759 3550 402b2c 17 API calls 3549->3550 3551 401760 3550->3551 3552 401786 3551->3552 3553 40177e 3551->3553 3588 405fed lstrcpynA 3552->3588 3587 405fed lstrcpynA 3553->3587 3556 401784 3559 406257 5 API calls 3556->3559 3557 401791 3558 405985 3 API calls 3557->3558 3560 401797 lstrcatA 3558->3560 3585 4017a3 3559->3585 3560->3556 3561 4062f0 2 API calls 3561->3585 3562 405b61 2 API calls 3562->3585 3564 4017ba CompareFileTime 3564->3585 3565 40187e 3567 405114 24 API calls 3565->3567 3566 401855 3570 405114 24 API calls 3566->3570 3577 40186a 3566->3577 3569 401888 3567->3569 3568 405fed lstrcpynA 3568->3585 3571 402ffb 31 API calls 3569->3571 3570->3577 3572 40189b 3571->3572 3573 4018af SetFileTime 3572->3573 3575 4018c1 CloseHandle 3572->3575 3573->3575 3574 40600f 17 API calls 3574->3585 3576 4018d2 3575->3576 3575->3577 3578 4018d7 3576->3578 3579 4018ea 3576->3579 3581 40600f 17 API calls 3578->3581 3580 40600f 17 API calls 3579->3580 3582 4018f2 3580->3582 3584 4018df lstrcatA 3581->3584 3586 405709 MessageBoxIndirectA 3582->3586 3583 405709 MessageBoxIndirectA 3583->3585 3584->3582 3585->3561 
3585->3562 3585->3564 3585->3565 3585->3566 3585->3568 3585->3574 3585->3583 3589 405b86 GetFileAttributesA CreateFileA 3585->3589 3586->3577 3587->3556 3588->3557 3589->3585 3590 401959 3591 402b0a 17 API calls 3590->3591 3592 401960 3591->3592 3593 402b0a 17 API calls 3592->3593 3594 40196d 3593->3594 3595 402b2c 17 API calls 3594->3595 3596 401984 lstrlenA 3595->3596 3597 401994 3596->3597 3598 4019d4 3597->3598 3602 405fed lstrcpynA 3597->3602 3600 4019c4 3600->3598 3601 4019c9 lstrlenA 3600->3601 3601->3598 3602->3600 3603 401cda 3604 402b0a 17 API calls 3603->3604 3605 401ce0 IsWindow 3604->3605 3606 401a0e 3605->3606 3607 4024da 3608 402b6c 17 API calls 3607->3608 3609 4024e4 3608->3609 3610 402b2c 17 API calls 3609->3610 3611 4024ed 3610->3611 3612 4024f7 RegQueryValueExA 3611->3612 3617 402783 3611->3617 3613 40251d RegCloseKey 3612->3613 3614 402517 3612->3614 3613->3617 3614->3613 3618 405f4b wsprintfA 3614->3618 3618->3613 3619 402cdd 3620 402cec SetTimer 3619->3620 3622 402d05 3619->3622 3620->3622 3621 402d5a 3622->3621 3623 402d1f MulDiv wsprintfA SetWindowTextA SetDlgItemTextA 3622->3623 3623->3621 3624 40485e 3625 40488a 3624->3625 3626 40486e 3624->3626 3628 404890 SHGetPathFromIDListA 3625->3628 3629 4048bd 3625->3629 3635 4056ed GetDlgItemTextA 3626->3635 3631 4048a0 3628->3631 3632 4048a7 SendMessageA 3628->3632 3630 40487b SendMessageA 3630->3625 3633 40140b 2 API calls 3631->3633 3632->3629 3633->3632 3635->3630 3636 401a5e 3637 402b0a 17 API calls 3636->3637 3638 401a67 3637->3638 3639 402b0a 17 API calls 3638->3639 3640 401a0e 3639->3640 3641 401563 3642 401596 ShowWindow 3641->3642 3643 401567 3641->3643 3644 402965 3642->3644 3646 405f4b wsprintfA 3643->3646 3646->3644 3647 401b63 3648 401bb4 3647->3648 3649 401b70 3647->3649 3651 401bb8 3648->3651 3652 401bdd GlobalAlloc 3648->3652 3650 40233b 3649->3650 3656 401b87 3649->3656 3654 40600f 17 API calls 3650->3654 3662 401bf8 3651->3662 3668 405fed lstrcpynA 3651->3668 3653 40600f 17 API 
calls 3652->3653 3653->3662 3655 402348 3654->3655 3660 405709 MessageBoxIndirectA 3655->3660 3666 405fed lstrcpynA 3656->3666 3659 401bca GlobalFree 3659->3662 3660->3662 3661 401b96 3667 405fed lstrcpynA 3661->3667 3664 401ba5 3669 405fed lstrcpynA 3664->3669 3666->3661 3667->3664 3668->3659 3669->3662 3670 402363 3671 40236b 3670->3671 3676 402371 3670->3676 3672 402b2c 17 API calls 3671->3672 3672->3676 3673 402b2c 17 API calls 3675 402381 3673->3675 3674 40238f 3678 402b2c 17 API calls 3674->3678 3675->3674 3677 402b2c 17 API calls 3675->3677 3676->3673 3676->3675 3677->3674 3679 402398 WritePrivateProfileStringA 3678->3679 3680 402765 3681 402b2c 17 API calls 3680->3681 3682 40276c FindFirstFileA 3681->3682 3683 40278f 3682->3683 3687 40277f 3682->3687 3688 405f4b wsprintfA 3683->3688 3685 402796 3689 405fed lstrcpynA 3685->3689 3688->3685 3689->3687 3690 4041e6 3691 404308 3690->3691 3692 4041fc 3690->3692 3693 404377 3691->3693 3697 404441 3691->3697 3702 40434c GetDlgItem SendMessageA 3691->3702 3695 40407b 18 API calls 3692->3695 3694 404381 GetDlgItem 3693->3694 3693->3697 3696 4043ff 3694->3696 3701 404397 3694->3701 3698 404252 3695->3698 3696->3697 3706 404411 3696->3706 3700 4040e2 8 API calls 3697->3700 3699 40407b 18 API calls 3698->3699 3703 40425f CheckDlgButton 3699->3703 3704 40443c 3700->3704 3701->3696 3705 4043bd SendMessageA LoadCursorA SetCursor 3701->3705 3723 40409d EnableWindow 3702->3723 3721 40409d EnableWindow 3703->3721 3727 40448a 3705->3727 3710 404417 SendMessageA 3706->3710 3711 404428 3706->3711 3710->3711 3711->3704 3715 40442e SendMessageA 3711->3715 3712 404372 3724 404466 3712->3724 3713 40427d GetDlgItem 3722 4040b0 SendMessageA 3713->3722 3715->3704 3718 404293 SendMessageA 3719 4042b1 GetSysColor 3718->3719 3720 4042ba SendMessageA SendMessageA lstrlenA SendMessageA SendMessageA 3718->3720 3719->3720 3720->3704 3721->3713 3722->3718 3723->3712 3725 404474 3724->3725 3726 404479 SendMessageA 3724->3726 3725->3726 
3726->3693 3730 4056cf ShellExecuteExA 3727->3730 3729 4043f0 LoadCursorA SetCursor 3729->3696 3730->3729 3731 4023e8 3732 40241a 3731->3732 3733 4023ef 3731->3733 3735 402b2c 17 API calls 3732->3735 3734 402b6c 17 API calls 3733->3734 3736 4023f6 3734->3736 3737 402421 3735->3737 3739 402b2c 17 API calls 3736->3739 3740 40242e 3736->3740 3742 402bea 3737->3742 3741 402407 RegDeleteValueA RegCloseKey 3739->3741 3741->3740 3743 402bf6 3742->3743 3744 402bfd 3742->3744 3743->3740 3744->3743 3746 402c2e 3744->3746 3747 405e73 RegOpenKeyExA 3746->3747 3748 402c5c 3747->3748 3749 402c82 RegEnumKeyA 3748->3749 3750 402c99 RegCloseKey 3748->3750 3752 402cba RegCloseKey 3748->3752 3753 402c2e 6 API calls 3748->3753 3756 402cad 3748->3756 3749->3748 3749->3750 3751 406385 5 API calls 3750->3751 3754 402ca9 3751->3754 3752->3756 3753->3748 3755 402cca RegDeleteKeyA 3754->3755 3754->3756 3755->3756 3756->3743 3757 40166a 3758 402b2c 17 API calls 3757->3758 3759 401671 3758->3759 3760 402b2c 17 API calls 3759->3760 3761 40167a 3760->3761 3762 402b2c 17 API calls 3761->3762 3763 401683 MoveFileA 3762->3763 3764 401696 3763->3764 3770 40168f 3763->3770 3765 4022a9 3764->3765 3766 4062f0 2 API calls 3764->3766 3768 4016a5 3766->3768 3768->3765 3769 405dcc 36 API calls 3768->3769 3769->3770 3771 401423 3770->3771 3772 405114 24 API calls 3771->3772 3773 401431 3772->3773 3773->3765 3774 40206a 3775 40212a 3774->3775 3776 40207c 3774->3776 3778 401423 24 API calls 3775->3778 3777 402b2c 17 API calls 3776->3777 3779 402083 3777->3779 3785 4022a9 3778->3785 3780 402b2c 17 API calls 3779->3780 3781 40208c 3780->3781 3782 4020a1 LoadLibraryExA 3781->3782 3783 402094 GetModuleHandleA 3781->3783 3782->3775 3784 4020b1 GetProcAddress 3782->3784 3783->3782 3783->3784 3786 4020c0 3784->3786 3787 4020fd 3784->3787 3788 4020d0 3786->3788 3790 401423 24 API calls 3786->3790 3789 405114 24 API calls 3787->3789 3788->3785 3791 40211e FreeLibrary 3788->3791 3789->3788 3790->3788 3791->3785 3792 
4025ea 3793 402603 3792->3793 3794 4025ef 3792->3794 3796 402b2c 17 API calls 3793->3796 3795 402b0a 17 API calls 3794->3795 3798 4025f8 3795->3798 3797 40260a lstrlenA 3796->3797 3797->3798 3799 405c2d WriteFile 3798->3799 3800 40262c 3798->3800 3799->3800 3801 4019ed 3802 402b2c 17 API calls 3801->3802 3803 4019f4 3802->3803 3804 402b2c 17 API calls 3803->3804 3805 4019fd 3804->3805 3806 401a04 lstrcmpiA 3805->3806 3807 401a16 lstrcmpA 3805->3807 3808 401a0a 3806->3808 3807->3808 3809 40156f 3810 401586 3809->3810 3811 40157f ShowWindow 3809->3811 3812 401596 ShowWindow 3810->3812 3813 4029b8 3810->3813 3811->3810 3812->3813 3814 4026ef 3815 4026f6 3814->3815 3818 402965 3814->3818 3816 402b0a 17 API calls 3815->3816 3817 4026fd 3816->3817 3819 40270c SetFilePointer 3817->3819 3819->3818 3820 40271c 3819->3820 3822 405f4b wsprintfA 3820->3822 3822->3818 3823 4014f4 SetForegroundWindow 3824 4029b8 3823->3824 3825 4063fa WaitForSingleObject 3826 406414 3825->3826 3827 406426 GetExitCodeProcess 3826->3827 3828 4063c1 2 API calls 3826->3828 3829 40641b WaitForSingleObject 3828->3829 3829->3826 3830 401cfb 3831 402b0a 17 API calls 3830->3831 3832 401d02 3831->3832 3833 402b0a 17 API calls 3832->3833 3834 401d0e GetDlgItem 3833->3834 3835 4025e4 3834->3835 3836 4018fd 3837 401934 3836->3837 3838 402b2c 17 API calls 3837->3838 3839 401939 3838->3839 3840 4057b5 67 API calls 3839->3840 3841 401942 3840->3841 3842 401dff GetDC 3843 402b0a 17 API calls 3842->3843 3844 401e11 GetDeviceCaps MulDiv ReleaseDC 3843->3844 3845 402b0a 17 API calls 3844->3845 3846 401e42 3845->3846 3847 40600f 17 API calls 3846->3847 3848 401e7f CreateFontIndirectA 3847->3848 3849 4025e4 3848->3849 3850 401000 3851 401037 BeginPaint GetClientRect 3850->3851 3852 40100c DefWindowProcA 3850->3852 3854 4010f3 3851->3854 3855 401179 3852->3855 3856 401073 CreateBrushIndirect FillRect DeleteObject 3854->3856 3857 4010fc 3854->3857 3856->3854 3858 401102 CreateFontIndirectA 3857->3858 3859 401167 
EndPaint 3857->3859 3858->3859 3860 401112 6 API calls 3858->3860 3859->3855 3860->3859 3861 401900 3862 402b2c 17 API calls 3861->3862 3863 401907 3862->3863 3864 405709 MessageBoxIndirectA 3863->3864 3865 401910 3864->3865 3866 404a80 GetDlgItem GetDlgItem 3867 404ad6 7 API calls 3866->3867 3873 404cfd 3866->3873 3868 404b72 SendMessageA 3867->3868 3869 404b7e DeleteObject 3867->3869 3868->3869 3870 404b89 3869->3870 3872 404bc0 3870->3872 3874 40600f 17 API calls 3870->3874 3871 404ddf 3876 404e8b 3871->3876 3881 404cf0 3871->3881 3886 404e38 SendMessageA 3871->3886 3875 40407b 18 API calls 3872->3875 3873->3871 3898 404d6c 3873->3898 3919 4049ce SendMessageA 3873->3919 3879 404ba2 SendMessageA SendMessageA 3874->3879 3880 404bd4 3875->3880 3877 404e95 SendMessageA 3876->3877 3878 404e9d 3876->3878 3877->3878 3888 404eb6 3878->3888 3889 404eaf ImageList_Destroy 3878->3889 3895 404ec6 3878->3895 3879->3870 3885 40407b 18 API calls 3880->3885 3882 4040e2 8 API calls 3881->3882 3887 405081 3882->3887 3883 404dd1 SendMessageA 3883->3871 3899 404be5 3885->3899 3886->3881 3891 404e4d SendMessageA 3886->3891 3893 404ebf GlobalFree 3888->3893 3888->3895 3889->3888 3890 405035 3890->3881 3896 405047 ShowWindow GetDlgItem ShowWindow 3890->3896 3892 404e60 3891->3892 3903 404e71 SendMessageA 3892->3903 3893->3895 3894 404cbf GetWindowLongA SetWindowLongA 3897 404cd8 3894->3897 3895->3890 3912 404f01 3895->3912 3924 404a4e 3895->3924 3896->3881 3900 404cf5 3897->3900 3901 404cdd ShowWindow 3897->3901 3898->3871 3898->3883 3899->3894 3902 404c37 SendMessageA 3899->3902 3904 404cba 3899->3904 3907 404c75 SendMessageA 3899->3907 3908 404c89 SendMessageA 3899->3908 3918 4040b0 SendMessageA 3900->3918 3917 4040b0 SendMessageA 3901->3917 3902->3899 3903->3876 3904->3894 3904->3897 3907->3899 3908->3899 3910 40500b InvalidateRect 3910->3890 3911 405021 3910->3911 3933 404989 3911->3933 3913 404f2f SendMessageA 3912->3913 3916 404f45 3912->3916 3913->3916 3915 404fb9 SendMessageA 
SendMessageA 3915->3916 3916->3910 3916->3915 3917->3881 3918->3873 3920 4049f1 GetMessagePos ScreenToClient SendMessageA 3919->3920 3921 404a2d SendMessageA 3919->3921 3922 404a25 3920->3922 3923 404a2a 3920->3923 3921->3922 3922->3898 3923->3921 3936 405fed lstrcpynA 3924->3936 3926 404a61 3937 405f4b wsprintfA 3926->3937 3928 404a6b 3929 40140b 2 API calls 3928->3929 3930 404a74 3929->3930 3938 405fed lstrcpynA 3930->3938 3932 404a7b 3932->3912 3939 4048c4 3933->3939 3935 40499e 3935->3890 3936->3926 3937->3928 3938->3932 3940 4048da 3939->3940 3941 40600f 17 API calls 3940->3941 3942 40493e 3941->3942 3943 40600f 17 API calls 3942->3943 3944 404949 3943->3944 3945 40600f 17 API calls 3944->3945 3946 40495f lstrlenA wsprintfA SetDlgItemTextA 3945->3946 3946->3935 3947 401502 3948 40150a 3947->3948 3950 40151d 3947->3950 3949 402b0a 17 API calls 3948->3949 3949->3950 3951 405088 3952 405098 3951->3952 3953 4050ac 3951->3953 3954 4050f5 3952->3954 3955 40509e 3952->3955 3956 4050b4 IsWindowVisible 3953->3956 3962 4050cb 3953->3962 3957 4050fa CallWindowProcA 3954->3957 3958 4040c7 SendMessageA 3955->3958 3956->3954 3959 4050c1 3956->3959 3960 4050a8 3957->3960 3958->3960 3961 4049ce 5 API calls 3959->3961 3961->3962 3962->3957 3963 404a4e 4 API calls 3962->3963 3963->3954 3964 401c0a 3965 402b0a 17 API calls 3964->3965 3966 401c11 3965->3966 3967 402b0a 17 API calls 3966->3967 3968 401c1e 3967->3968 3969 401c33 3968->3969 3970 402b2c 17 API calls 3968->3970 3971 401c43 3969->3971 3974 402b2c 17 API calls 3969->3974 3970->3969 3972 401c9a 3971->3972 3973 401c4e 3971->3973 3976 402b2c 17 API calls 3972->3976 3975 402b0a 17 API calls 3973->3975 3974->3971 3977 401c53 3975->3977 3978 401c9f 3976->3978 3979 402b0a 17 API calls 3977->3979 3980 402b2c 17 API calls 3978->3980 3981 401c5f 3979->3981 3982 401ca8 FindWindowExA 3980->3982 3983 401c8a SendMessageA 3981->3983 3984 401c6c SendMessageTimeoutA 3981->3984 3985 401cc6 3982->3985 3983->3985 3984->3985 3986 40450d 
3987 404539 3986->3987 3988 40454a 3986->3988 4047 4056ed GetDlgItemTextA 3987->4047 3990 404556 GetDlgItem 3988->3990 3995 4045b5 3988->3995 3992 40456a 3990->3992 3991 404544 3994 406257 5 API calls 3991->3994 3997 40457e SetWindowTextA 3992->3997 4002 405a1e 4 API calls 3992->4002 3993 404699 4045 404843 3993->4045 4049 4056ed GetDlgItemTextA 3993->4049 3994->3988 3995->3993 3998 40600f 17 API calls 3995->3998 3995->4045 4000 40407b 18 API calls 3997->4000 4004 404629 SHBrowseForFolderA 3998->4004 3999 4046c9 4005 405a73 18 API calls 3999->4005 4006 40459a 4000->4006 4001 4040e2 8 API calls 4007 404857 4001->4007 4003 404574 4002->4003 4003->3997 4011 405985 3 API calls 4003->4011 4004->3993 4008 404641 CoTaskMemFree 4004->4008 4009 4046cf 4005->4009 4010 40407b 18 API calls 4006->4010 4012 405985 3 API calls 4008->4012 4050 405fed lstrcpynA 4009->4050 4013 4045a8 4010->4013 4011->3997 4014 40464e 4012->4014 4048 4040b0 SendMessageA 4013->4048 4017 404685 SetDlgItemTextA 4014->4017 4022 40600f 17 API calls 4014->4022 4017->3993 4018 4045ae 4020 406385 5 API calls 4018->4020 4019 4046e6 4021 406385 5 API calls 4019->4021 4020->3995 4028 4046ed 4021->4028 4023 40466d lstrcmpiA 4022->4023 4023->4017 4026 40467e lstrcatA 4023->4026 4024 404729 4051 405fed lstrcpynA 4024->4051 4026->4017 4027 404730 4029 405a1e 4 API calls 4027->4029 4028->4024 4032 4059cc 2 API calls 4028->4032 4034 404781 4028->4034 4030 404736 GetDiskFreeSpaceA 4029->4030 4033 40475a MulDiv 4030->4033 4030->4034 4032->4028 4033->4034 4035 4047f2 4034->4035 4037 404989 20 API calls 4034->4037 4036 404815 4035->4036 4038 40140b 2 API calls 4035->4038 4052 40409d EnableWindow 4036->4052 4039 4047df 4037->4039 4038->4036 4041 4047f4 SetDlgItemTextA 4039->4041 4042 4047e4 4039->4042 4041->4035 4044 4048c4 20 API calls 4042->4044 4043 404831 4043->4045 4046 404466 SendMessageA 4043->4046 4044->4035 4045->4001 4046->4045 4047->3991 4048->4018 4049->3999 4050->4019 4051->4027 4052->4043 4053 401e8f 4054 
402b0a 17 API calls 4053->4054 4055 401e95 4054->4055 4056 402b0a 17 API calls 4055->4056 4057 401ea1 4056->4057 4058 401eb8 EnableWindow 4057->4058 4059 401ead ShowWindow 4057->4059 4060 4029b8 4058->4060 4059->4060 4061 401490 4062 405114 24 API calls 4061->4062 4063 401497 4062->4063 4064 401f98 4065 402b2c 17 API calls 4064->4065 4066 401f9f 4065->4066 4067 4062f0 2 API calls 4066->4067 4068 401fa5 4067->4068 4070 401fb7 4068->4070 4071 405f4b wsprintfA 4068->4071 4071->4070 4072 40149d 4073 4014ab PostQuitMessage 4072->4073 4074 40234e 4072->4074 4073->4074 4075 40159d 4076 402b2c 17 API calls 4075->4076 4077 4015a4 SetFileAttributesA 4076->4077 4078 4015b6 4077->4078 4079 40289d 4080 4028a0 4079->4080 4081 4028e3 4080->4081 4082 4028cc 4080->4082 4089 402783 4080->4089 4085 4028fd 4081->4085 4086 4028ed 4081->4086 4083 4028e0 4082->4083 4084 4028d1 4082->4084 4083->4089 4093 405f4b wsprintfA 4083->4093 4092 405fed lstrcpynA 4084->4092 4088 40600f 17 API calls 4085->4088 4087 402b0a 17 API calls 4086->4087 4087->4083 4088->4083 4092->4089 4093->4089 4094 401a1e 4095 402b2c 17 API calls 4094->4095 4096 401a27 ExpandEnvironmentStringsA 4095->4096 4097 401a3b 4096->4097 4099 401a4e 4096->4099 4098 401a40 lstrcmpA 4097->4098 4097->4099 4098->4099 4105 40171f 4106 402b2c 17 API calls 4105->4106 4107 401726 SearchPathA 4106->4107 4108 401741 4107->4108 4109 401d20 4110 402b0a 17 API calls 4109->4110 4111 401d2e SetWindowLongA 4110->4111 4112 4029b8 4111->4112 4113 402721 4114 402727 4113->4114 4115 4029b8 4114->4115 4116 40272f FindClose 4114->4116 4116->4115 4117 403ba7 4118 403cfa 4117->4118 4119 403bbf 4117->4119 4121 403d4b 4118->4121 4122 403d0b GetDlgItem GetDlgItem 4118->4122 4119->4118 4120 403bcb 4119->4120 4124 403bd6 SetWindowPos 4120->4124 4125 403be9 4120->4125 4123 403da5 4121->4123 4134 401389 2 API calls 4121->4134 4126 40407b 18 API calls 4122->4126 4128 4040c7 SendMessageA 4123->4128 4135 403cf5 4123->4135 4124->4125 4129 403c06 4125->4129 4130 
403bee ShowWindow 4125->4130 4127 403d35 SetClassLongA 4126->4127 4131 40140b 2 API calls 4127->4131 4154 403db7 4128->4154 4132 403c28 4129->4132 4133 403c0e DestroyWindow 4129->4133 4130->4129 4131->4121 4137 403c2d SetWindowLongA 4132->4137 4138 403c3e 4132->4138 4136 404004 4133->4136 4139 403d7d 4134->4139 4136->4135 4145 404035 ShowWindow 4136->4145 4137->4135 4141 403cb5 4138->4141 4142 403c4a GetDlgItem 4138->4142 4139->4123 4143 403d81 SendMessageA 4139->4143 4140 404006 DestroyWindow EndDialog 4140->4136 4148 4040e2 8 API calls 4141->4148 4146 403c7a 4142->4146 4147 403c5d SendMessageA IsWindowEnabled 4142->4147 4143->4135 4144 40140b 2 API calls 4144->4154 4145->4135 4150 403c87 4146->4150 4152 403cce SendMessageA 4146->4152 4153 403c9a 4146->4153 4160 403c7f 4146->4160 4147->4135 4147->4146 4148->4135 4149 40600f 17 API calls 4149->4154 4150->4152 4150->4160 4151 404054 SendMessageA 4151->4141 4152->4141 4155 403ca2 4153->4155 4156 403cb7 4153->4156 4154->4135 4154->4140 4154->4144 4154->4149 4157 40407b 18 API calls 4154->4157 4161 40407b 18 API calls 4154->4161 4177 403f46 DestroyWindow 4154->4177 4159 40140b 2 API calls 4155->4159 4158 40140b 2 API calls 4156->4158 4157->4154 4158->4160 4159->4160 4160->4141 4160->4151 4162 403e32 GetDlgItem 4161->4162 4163 403e47 4162->4163 4164 403e4f ShowWindow EnableWindow 4162->4164 4163->4164 4186 40409d EnableWindow 4164->4186 4166 403e79 EnableWindow 4171 403e8d 4166->4171 4167 403e92 GetSystemMenu EnableMenuItem SendMessageA 4168 403ec2 SendMessageA 4167->4168 4167->4171 4168->4171 4170 403b88 18 API calls 4170->4171 4171->4167 4171->4170 4187 4040b0 SendMessageA 4171->4187 4188 405fed lstrcpynA 4171->4188 4173 403ef1 lstrlenA 4174 40600f 17 API calls 4173->4174 4175 403f02 SetWindowTextA 4174->4175 4176 401389 2 API calls 4175->4176 4176->4154 4177->4136 4178 403f60 CreateDialogParamA 4177->4178 4178->4136 4179 403f93 4178->4179 4180 40407b 18 API calls 4179->4180 4181 403f9e GetDlgItem GetWindowRect 
ScreenToClient SetWindowPos 4180->4181 4182 401389 2 API calls 4181->4182 4183 403fe4 4182->4183 4183->4135 4184 403fec ShowWindow 4183->4184 4185 4040c7 SendMessageA 4184->4185 4185->4136 4186->4166 4187->4171 4188->4173 4189 4023a7 4190 402b2c 17 API calls 4189->4190 4191 4023b8 4190->4191 4192 402b2c 17 API calls 4191->4192 4193 4023c1 4192->4193 4194 402b2c 17 API calls 4193->4194 4195 4023cb GetPrivateProfileStringA 4194->4195 4196 40292c 4197 402b0a 17 API calls 4196->4197 4198 402932 4197->4198 4199 402967 4198->4199 4200 402783 4198->4200 4202 402944 4198->4202 4199->4200 4201 40600f 17 API calls 4199->4201 4201->4200 4202->4200 4204 405f4b wsprintfA 4202->4204 4204->4200 4205 402631 4206 402b0a 17 API calls 4205->4206 4207 40263b 4206->4207 4208 405bfe ReadFile 4207->4208 4209 4026ab 4207->4209 4210 4026bb 4207->4210 4213 4026a9 4207->4213 4208->4207 4214 405f4b wsprintfA 4209->4214 4212 4026d1 SetFilePointer 4210->4212 4210->4213 4212->4213 4214->4213 4215 4041b1 lstrcpynA lstrlenA 4216 4029b1 InvalidateRect 4217 4029b8 4216->4217 4224 4022b2 4225 402b2c 17 API calls 4224->4225 4226 4022b8 4225->4226 4227 402b2c 17 API calls 4226->4227 4228 4022c1 4227->4228 4229 402b2c 17 API calls 4228->4229 4230 4022ca 4229->4230 4231 4062f0 2 API calls 4230->4231 4232 4022d3 4231->4232 4233 4022e4 lstrlenA lstrlenA 4232->4233 4234 4022d7 4232->4234 4236 405114 24 API calls 4233->4236 4235 405114 24 API calls 4234->4235 4238 4022df 4234->4238 4235->4238 4237 402320 SHFileOperationA 4236->4237 4237->4234 4237->4238 4239 402334 4240 40234e 4239->4240 4241 40233b 4239->4241 4242 40600f 17 API calls 4241->4242 4243 402348 4242->4243 4244 405709 MessageBoxIndirectA 4243->4244 4244->4240 4245 4014b7 4246 4014bd 4245->4246 4247 401389 2 API calls 4246->4247 4248 4014c5 4247->4248 4249 402138 4250 402b2c 17 API calls 4249->4250 4251 40213f 4250->4251 4252 402b2c 17 API calls 4251->4252 4253 402149 4252->4253 4254 402b2c 17 API calls 4253->4254 4255 402153 4254->4255 4256 
402b2c 17 API calls 4255->4256 4257 40215d 4256->4257 4258 402b2c 17 API calls 4257->4258 4259 402167 4258->4259 4260 4021a9 CoCreateInstance 4259->4260 4261 402b2c 17 API calls 4259->4261 4262 4021c8 4260->4262 4266 402273 4260->4266 4261->4260 4265 402253 MultiByteToWideChar 4262->4265 4262->4266 4263 401423 24 API calls 4264 4022a9 4263->4264 4265->4266 4266->4263 4266->4264 4267 40273b 4268 402741 4267->4268 4269 402745 FindNextFileA 4268->4269 4272 402757 4268->4272 4270 402796 4269->4270 4269->4272 4273 405fed lstrcpynA 4270->4273 4273->4272 4274 4015bb 4275 402b2c 17 API calls 4274->4275 4276 4015c2 4275->4276 4277 405a1e 4 API calls 4276->4277 4287 4015ca 4277->4287 4278 401624 4280 401652 4278->4280 4281 401629 4278->4281 4279 4059b0 CharNextA 4279->4287 4283 401423 24 API calls 4280->4283 4282 401423 24 API calls 4281->4282 4284 401630 4282->4284 4291 40164a 4283->4291 4293 405fed lstrcpynA 4284->4293 4285 405657 2 API calls 4285->4287 4287->4278 4287->4279 4287->4285 4288 405674 5 API calls 4287->4288 4290 40160c GetFileAttributesA 4287->4290 4292 4055da 4 API calls 4287->4292 4288->4287 4289 40163b SetCurrentDirectoryA 4289->4291 4290->4287 4292->4287 4293->4289 4294 4016bb 4295 402b2c 17 API calls 4294->4295 4296 4016c1 GetFullPathNameA 4295->4296 4297 4016f9 4296->4297 4298 4016d8 4296->4298 4299 4029b8 4297->4299 4300 40170d GetShortPathNameA 4297->4300 4298->4297 4301 4062f0 2 API calls 4298->4301 4300->4299 4302 4016e9 4301->4302 4302->4297 4304 405fed lstrcpynA 4302->4304 4304->4297 4305 40243d 4306 402b2c 17 API calls 4305->4306 4307 40244f 4306->4307 4308 402b2c 17 API calls 4307->4308 4309 402459 4308->4309 4322 402bbc 4309->4322 4312 4029b8 4313 40248e 4315 40249a 4313->4315 4317 402b0a 17 API calls 4313->4317 4314 402b2c 17 API calls 4316 402487 lstrlenA 4314->4316 4318 4024b9 RegSetValueExA 4315->4318 4320 402ffb 31 API calls 4315->4320 4316->4313 4317->4315 4319 4024cf RegCloseKey 4318->4319 4319->4312 4320->4318 4323 402bd7 4322->4323 4326 
405ea1 4323->4326 4327 405eb0 4326->4327 4328 402469 4327->4328 4329 405ebb RegCreateKeyExA 4327->4329 4328->4312 4328->4313 4328->4314 4329->4328 4330 401b3f 4331 402b2c 17 API calls 4330->4331 4332 401b46 4331->4332 4333 402b0a 17 API calls 4332->4333 4334 401b4f wsprintfA 4333->4334 4335 4029b8 4334->4335

        Control-flow Graph of function 00403248
        APIs
        • SetErrorMode.KERNELBASE ref: 0040326D
        • GetVersion.KERNEL32 ref: 00403273
        • lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004032A6
        • #17.COMCTL32(?,00000006,00000008,0000000A), ref: 004032E2
        • OleInitialize.OLE32(00000000), ref: 004032E9
        • SHGetFileInfoA.SHELL32(0079E508,00000000,?,00000160,00000000,?,00000006,00000008,0000000A), ref: 00403305
        • GetCommandLineA.KERNEL32(007A2740,NSIS Error,?,00000006,00000008,0000000A), ref: 0040331A
        • CharNextA.USER32(00000000,007A9000,00000020,007A9000,00000000,?,00000006,00000008,0000000A), ref: 00403356
        • GetTempPathA.KERNELBASE(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020,?,00000006,00000008,0000000A), ref: 00403453
        • GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000006,00000008,0000000A), ref: 00403464
        • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000006,00000008,0000000A), ref: 00403470
        • GetTempPathA.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000006,00000008,0000000A), ref: 00403484
        • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 0040348C
        • SetEnvironmentVariableA.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 0040349D
        • SetEnvironmentVariableA.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 004034A5
        • DeleteFileA.KERNELBASE(C:\Users\user\AppData\Local\Temp\nsr7BEF.tmp,?,00000006,00000008,0000000A), ref: 004034B9
          • Part of subcall function 00406385: GetModuleHandleA.KERNEL32(?,?,?,004032BB,0000000A), ref: 00406397
          • Part of subcall function 00406385: GetProcAddress.KERNEL32(00000000,?), ref: 004063B2
          • Part of subcall function 0040380A: lstrlenA.KERNEL32(007A1EE0,?,?,?,007A1EE0,00000000,007A9400,C:\Users\user\AppData\Local\Temp\nsr7BEF.tmp,0079F548,80000001,Control Panel\Desktop\ResourceLocale,00000000,0079F548,00000000,00000002,774D3410), ref: 004038FA
          • Part of subcall function 0040380A: lstrcmpiA.KERNEL32(?,.exe), ref: 0040390D
          • Part of subcall function 0040380A: GetFileAttributesA.KERNEL32(007A1EE0), ref: 00403918
          • Part of subcall function 0040380A: LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,007A9400), ref: 00403961
          • Part of subcall function 0040380A: RegisterClassA.USER32(007A26E0), ref: 0040399E
          • Part of subcall function 00403730: FindCloseChangeNotification.KERNELBASE(FFFFFFFF,00403567,?,?,00000006,00000008,0000000A), ref: 0040373B
        • OleUninitialize.OLE32(?,?,00000006,00000008,0000000A), ref: 00403567
        • ExitProcess.KERNEL32 ref: 00403588
        • GetCurrentProcess.KERNEL32(00000028,?,00000006,00000008,0000000A), ref: 004036A5
        • OpenProcessToken.ADVAPI32(00000000), ref: 004036AC
        • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004036C4
        • AdjustTokenPrivileges.ADVAPI32(?,?,?,?,00000000,?,00000000,00000000,00000000), ref: 004036E3
        • ExitWindowsEx.USER32(00000002,80040002), ref: 00403707
        • ExitProcess.KERNEL32 ref: 0040372A
          • Part of subcall function 00405709: MessageBoxIndirectA.USER32(0040A218), ref: 00405764
        Memory Dump Source
        • Source File: 00000000.00000002.1518807457.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1518786651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1518828256.0000000000408000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1518857436.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1518857436.000000000078A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1518857436.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1518857436.00000000007AA000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1519070319.00000000007B3000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1519070319.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1519070319.00000000007C3000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1519070319.00000000007C5000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1519070319.00000000007CC000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_PI_230524.jbxd
        Similarity
        • API ID: Process$ExitFile$EnvironmentPathTempTokenVariableWindowslstrcatlstrlen$AddressAdjustAttributesChangeCharClassCloseCommandCurrentDeleteDirectoryErrorFindHandleImageIndirectInfoInitializeLineLoadLookupMessageModeModuleNextNotificationOpenPrivilegePrivilegesProcRegisterUninitializeValueVersionlstrcmpi
        • String ID: "$.tmp$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nsr7BEF.tmp$C:\Users\user\Desktop\PI_230524.exe$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$`KNw$~nsu

        Control-flow Graph of function 00406317
        APIs
        • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0040632E
        • wsprintfA.USER32 ref: 00406367
        • LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 0040637B
        Similarity
        • API ID: DirectoryLibraryLoadSystemwsprintf
        • String ID: %s%s.dll$UXTHEME$\

        Control-flow Graph of function 00405BB5
        APIs
        • GetTickCount.KERNEL32 ref: 00405BC9
        • GetTempFileNameA.KERNELBASE(?,?,00000000,?,?,00000006,00000008,0000000A), ref: 00405BE3
        Similarity
        • API ID: CountFileNameTempTick
        • String ID: C:\Users\user\AppData\Local\Temp\$nsa

        Control-flow Graph of function 00406385
        APIs
        • GetModuleHandleA.KERNEL32(?,?,?,004032BB,0000000A), ref: 00406397
        • GetProcAddress.KERNEL32(00000000,?), ref: 004063B2
          • Part of subcall function 00406317: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0040632E
          • Part of subcall function 00406317: wsprintfA.USER32 ref: 00406367
          • Part of subcall function 00406317: LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 0040637B
        Similarity
        • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
        • String ID:

        Control-flow Graph of function 00405B86
        APIs
        • GetFileAttributesA.KERNELBASE(00000003,00402E04,C:\Users\user\Desktop\PI_230524.exe,80000000,00000003), ref: 00405B8A
        • CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405BAC
        Similarity
        • API ID: File$AttributesCreate
        • String ID:

        Control-flow Graph of function 00405657
        APIs
        • CreateDirectoryA.KERNELBASE(?,00000000,0040323B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040345A,?,00000006,00000008,0000000A), ref: 0040565D
        • GetLastError.KERNEL32(?,00000006,00000008,0000000A), ref: 0040566B
        Similarity
        • API ID: CreateDirectoryErrorLast
        • String ID:

        Control-flow Graph of function 00405BFE
        APIs
        • ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,004031FD,00000000,00000000,0040304A,000000FF,00000004,00000000,00000000,00000000), ref: 00405C12
        Similarity
        • API ID: FileRead
        • String ID:

        Control-flow Graph of function 00405709
        APIs
        • MessageBoxIndirectA.USER32(0040A218), ref: 00405764
        Similarity
        • API ID: IndirectMessage
        • String ID:

        Control-flow Graph of function 00403730
        APIs
        • FindCloseChangeNotification.KERNELBASE(FFFFFFFF,00403567,?,?,00000006,00000008,0000000A), ref: 0040373B
        Similarity
        • API ID: ChangeCloseFindNotification
        • String ID:

        Control-flow Graph of function 00403200
        APIs
        • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402F89,?), ref: 0040320E
        Similarity
        • API ID: FilePointer
        • String ID:

        Control-flow Graph: rendered graph not reproduced (basic blocks 00405252-004055D5, nodes marked executed / not executed)
        APIs
        • GetDlgItem.USER32(?,00000403), ref: 004052B1
        • GetDlgItem.USER32(?,000003EE), ref: 004052C0
        • GetClientRect.USER32(?,?), ref: 004052FD
        • GetSystemMetrics.USER32(00000002), ref: 00405304
        • SendMessageA.USER32(?,0000101B,00000000,?), ref: 00405325
        • SendMessageA.USER32(?,00001036,00004000,00004000), ref: 00405336
        • SendMessageA.USER32(?,00001001,00000000,?), ref: 00405349
        • SendMessageA.USER32(?,00001026,00000000,?), ref: 00405357
        • SendMessageA.USER32(?,00001024,00000000,?), ref: 0040536A
        • ShowWindow.USER32(00000000,?,0000001B,?), ref: 0040538C
        • ShowWindow.USER32(?,00000008), ref: 004053A0
        • GetDlgItem.USER32(?,000003EC), ref: 004053C1
        • SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 004053D1
        • SendMessageA.USER32(00000000,00000409,00000000,?), ref: 004053EA
        • SendMessageA.USER32(00000000,00002001,00000000,?), ref: 004053F6
        • GetDlgItem.USER32(?,000003F8), ref: 004052CF
          • Part of subcall function 004040B0: SendMessageA.USER32(00000028,?,00000001,00403EE0), ref: 004040BE
        • GetDlgItem.USER32(?,000003EC), ref: 00405412
        • CreateThread.KERNEL32(00000000,00000000,Function_000051E6,00000000), ref: 00405420
        • CloseHandle.KERNEL32(00000000), ref: 00405427
        • ShowWindow.USER32(00000000), ref: 0040544A
        • ShowWindow.USER32(?,00000008), ref: 00405451
        • ShowWindow.USER32(00000008), ref: 00405497
        • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004054CB
        • CreatePopupMenu.USER32 ref: 004054DC
        • AppendMenuA.USER32(00000000,00000000,00000001,00000000), ref: 004054F1
        • GetWindowRect.USER32(?,000000FF), ref: 00405511
        • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 0040552A
        • SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405566
        • OpenClipboard.USER32(00000000), ref: 00405576
        • EmptyClipboard.USER32 ref: 0040557C
        • GlobalAlloc.KERNEL32(00000042,?), ref: 00405585
        • GlobalLock.KERNEL32(00000000), ref: 0040558F
        • SendMessageA.USER32(?,0000102D,00000000,?), ref: 004055A3
        • GlobalUnlock.KERNEL32(00000000), ref: 004055BC
        • SetClipboardData.USER32(00000001,00000000), ref: 004055C7
        • CloseClipboard.USER32 ref: 004055CD
        Memory Dump Source
        • Source File: 00000000.00000002.1518807457.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_PI_230524.jbxd
        Similarity
        • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
        • String ID:
        • API String ID: 590372296-0
        • Opcode ID: 0cf01cadeabcebf2b135dee13ce5d82c0f79d672f591187209f107e5b1009d3a
        • Instruction ID: e249d6b51738ec221da1a53d9ec42c2df55930041f70e6241115b0d1b6ef0d10
        • Opcode Fuzzy Hash: 0cf01cadeabcebf2b135dee13ce5d82c0f79d672f591187209f107e5b1009d3a
        • Instruction Fuzzy Hash: D0A15AB1900608BFDF119F64DD85EAF7BB9FB48344F10802AFA41B61A1CB794E519F68
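        Added example (not part of the Joe Sandbox report and not the sample's own code): a small Python triage helper that parses the "APIs" bullet lines of a function entry like the one above, decodes the list-view messages behind the SendMessageA calls, and works out which way data moves through the clipboard. The trace embedded in the script is copied from the 00405252 entry above; the message-ID and clipboard-format tables are standard Win32 constants (LVM_FIRST = 0x1000, CF_TEXT = 1), and the line format assumed is the one printed on this page. Run on that entry it reports a clipboard write of CF_TEXT whose payload is fetched with LVM_GETITEMTEXTA, i.e. the function copies the text of a list-view control onto the clipboard (the "copy details" behaviour of an installer log window) rather than reading anything from it; a GetClipboardData call would have to appear for a read.

```python
"""Joe Sandbox API-trace triage (added example, not part of the report).
Parses 'APIs' bullet lines, decodes list-view messages and classifies clipboard use."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the 'APIs' list of the function at 00405252, copied from
# the report entry above ('?' marks arguments the sandbox could not resolve).
SAMPLE_TRACE = """\
• SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004054CB
• CreatePopupMenu.USER32 ref: 004054DC
• AppendMenuA.USER32(00000000,00000000,00000001,00000000), ref: 004054F1
• GetWindowRect.USER32(?,000000FF), ref: 00405511
• TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 0040552A
• SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405566
• OpenClipboard.USER32(00000000), ref: 00405576
• EmptyClipboard.USER32 ref: 0040557C
• GlobalAlloc.KERNEL32(00000042,?), ref: 00405585
• GlobalLock.KERNEL32(00000000), ref: 0040558F
• SendMessageA.USER32(?,0000102D,00000000,?), ref: 004055A3
• GlobalUnlock.KERNEL32(00000000), ref: 004055BC
• SetClipboardData.USER32(00000001,00000000), ref: 004055C7
• CloseClipboard.USER32 ref: 004055CD
"""

# One bullet: optional 'Part of subcall function X:' prefix, Api.MODULE, optional (args), 'ref: <addr>'
API_LINE = re.compile(
    r"^\s*•?\s*(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})"
)

# Standard Win32 constants (commctrl.h / winuser.h); only the ones decoded here.
LVM_FIRST = 0x1000
LVM_NAMES = {
    LVM_FIRST + 4: "LVM_GETITEMCOUNT",
    LVM_FIRST + 27: "LVM_INSERTCOLUMNA",
    LVM_FIRST + 45: "LVM_GETITEMTEXTA",
    LVM_FIRST + 54: "LVM_SETEXTENDEDLISTVIEWSTYLE",
}
CLIPBOARD_FORMATS = {1: "CF_TEXT", 13: "CF_UNICODETEXT"}


@dataclass
class ApiCall:
    api: str
    module: str
    args: list            # raw argument strings as printed, '?' for unknown
    ref: int              # call-site address
    subcall: bool = False  # True for 'Part of subcall function' lines


def parse_api_trace(text: str) -> list:
    """Turn the bullet list into ApiCall records, skipping lines that do not match."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
        calls.append(ApiCall(m["api"], m["mod"], args, int(m["ref"], 16), m["sub"] is not None))
    return calls


def decode_sendmessage(call: ApiCall) -> Optional[str]:
    """Name the message in a SendMessageA(hWnd, Msg, ...) call when the Msg argument is known."""
    if call.api != "SendMessageA" or len(call.args) < 2 or call.args[1] == "?":
        return None
    msg = int(call.args[1], 16)
    return LVM_NAMES.get(msg, f"MSG_0x{msg:04X}")


def clipboard_direction(calls: list) -> str:
    """'read', 'write', 'read+write', 'open-only' or 'none', judged on the function's own calls."""
    names = {c.api for c in calls if not c.subcall}
    if "OpenClipboard" not in names:
        return "none"
    reads, writes = "GetClipboardData" in names, "SetClipboardData" in names
    if reads and writes:
        return "read+write"
    return "read" if reads else "write" if writes else "open-only"


def describe_clipboard(calls: list) -> dict:
    """Direction, clipboard format, and the message that filled the payload buffer
    (the last SendMessageA between GlobalLock and SetClipboardData)."""
    fmt = source = None
    locked = False
    for c in calls:
        if c.api == "GlobalLock":
            locked = True
        elif locked and c.api == "SendMessageA":
            source = decode_sendmessage(c)
        elif c.api == "SetClipboardData" and c.args and c.args[0] != "?":
            fmt = CLIPBOARD_FORMATS.get(int(c.args[0], 16), c.args[0])
            locked = False
    return {"direction": clipboard_direction(calls), "format": fmt, "source": source}
```

        "Part of subcall function" lines are parsed and kept, but left out of the direction verdict so that a helper's clipboard access is not attributed to its caller; extend LVM_NAMES (or add a table for the 0x04xx installer-private messages seen in the other entries) as needed.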
        APIs
        • GetDlgItem.USER32(?,000003FB), ref: 0040455C
        • SetWindowTextA.USER32(00000000,?), ref: 00404586
        • SHBrowseForFolderA.SHELL32(?,0079E920,?), ref: 00404637
        • CoTaskMemFree.OLE32(00000000), ref: 00404642
        • lstrcmpiA.KERNEL32(007A1EE0,0079F548), ref: 00404674
        • lstrcatA.KERNEL32(?,007A1EE0), ref: 00404680
        • SetDlgItemTextA.USER32(?,000003FB,?), ref: 00404692
          • Part of subcall function 004056ED: GetDlgItemTextA.USER32(?,?,00000400,004046C9), ref: 00405700
          • Part of subcall function 00406257: CharNextA.USER32(?,*?|<>/":,00000000,007A9000,774D3410,C:\Users\user\AppData\Local\Temp\,00000000,00403223,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040345A,?,00000006,00000008,0000000A), ref: 004062AF
          • Part of subcall function 00406257: CharNextA.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 004062BC
          • Part of subcall function 00406257: CharNextA.USER32(?,007A9000,774D3410,C:\Users\user\AppData\Local\Temp\,00000000,00403223,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040345A,?,00000006,00000008,0000000A), ref: 004062C1
          • Part of subcall function 00406257: CharPrevA.USER32(?,?,774D3410,C:\Users\user\AppData\Local\Temp\,00000000,00403223,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040345A,?,00000006,00000008,0000000A), ref: 004062D1
        • GetDiskFreeSpaceA.KERNEL32(0079E518,?,?,0000040F,?,0079E518,0079E518,?,00000001,0079E518,?,?,000003FB,?), ref: 00404750
        • MulDiv.KERNEL32(?,0000040F,00000400), ref: 0040476B
          • Part of subcall function 004048C4: lstrlenA.KERNEL32(0079F548,0079F548,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,004047DF,000000DF,00000000,00000400,?), ref: 00404962
          • Part of subcall function 004048C4: wsprintfA.USER32 ref: 0040496A
          • Part of subcall function 004048C4: SetDlgItemTextA.USER32(?,0079F548), ref: 0040497D
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.1518807457.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_PI_230524.jbxd
        Similarity
        • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
        • String ID: A
        • API String ID: 2624150263-3554254475
        • Opcode ID: 2729945231cc1eabc37d96e3fbba1326c20a72cf2850507f8829a344f1910413
        • Instruction ID: c53a8e09cffb511e2e8442f8e0ee4109053d5ca2156788ad792cf5210b9728ca
        • Opcode Fuzzy Hash: 2729945231cc1eabc37d96e3fbba1326c20a72cf2850507f8829a344f1910413
        • Instruction Fuzzy Hash: F4A17FB1900209ABDB11AFA5CD45AAFB7B8EF85314F14843BF601B62D1D77C8A418F69
        APIs
        • DeleteFileA.KERNEL32(?,?,774D3410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004057DE
        • lstrcatA.KERNEL32(007A0550,\*.*,007A0550,?,?,774D3410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405826
        • lstrcatA.KERNEL32(?,0040A014,?,007A0550,?,?,774D3410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405847
        • lstrlenA.KERNEL32(?,?,0040A014,?,007A0550,?,?,774D3410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 0040584D
        • FindFirstFileA.KERNEL32(007A0550,?,?,?,0040A014,?,007A0550,?,?,774D3410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 0040585E
        • FindNextFileA.KERNEL32(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 0040590B
        • FindClose.KERNEL32(00000000), ref: 0040591C
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.1518807457.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_PI_230524.jbxd
        Similarity
        • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
        • String ID: C:\Users\user\AppData\Local\Temp\$\*.*
        • API String ID: 2035342205-3720340875
        • Opcode ID: 1a15b25e8bfe87e1af104103bdf3e99bfca013edf893b05c38c06cdbf565d018
        • Instruction ID: eea8dcc9899e8fe382e67b4d85d328ba4a3fbbae0ab86688a1659871ceec6938
        • Opcode Fuzzy Hash: 1a15b25e8bfe87e1af104103bdf3e99bfca013edf893b05c38c06cdbf565d018
        • Instruction Fuzzy Hash: 4051E171800A08FADF226B618C45FAF7A78DF42728F14807BF841B51D2D73C4992DE69
        APIs
        • CoCreateInstance.OLE32(00408410,?,00000001,00408400,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004021BA
        • MultiByteToWideChar.KERNEL32(?,?,?,000000FF,?,00000400,?,00000001,00408400,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402269
        Memory Dump Source
        • Source File: 00000000.00000002.1518807457.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_PI_230524.jbxd
        Similarity
        • API ID: ByteCharCreateInstanceMultiWide
        • String ID:
        • API String ID: 123533781-0
        • Opcode ID: ce8467096b07ca22e23759a4895ee2c1e39a00ffcdf52229bf2ef5a9744d8bac
        • Instruction ID: b20e6ddc0005349e031541e3270fed9150ef90c2934288fc693311ea7f84ec63
        • Opcode Fuzzy Hash: ce8467096b07ca22e23759a4895ee2c1e39a00ffcdf52229bf2ef5a9744d8bac
        • Instruction Fuzzy Hash: 1F511871A00209AFCF00DFE4C988A9D7BB5FF48314F2085AAF515EB2D1DB799941CB54
        APIs
        • FindFirstFileA.KERNEL32(774D3410,007A0D98,007A0950,00405AB6,007A0950,007A0950,00000000,007A0950,007A0950,774D3410,?,C:\Users\user\AppData\Local\Temp\,004057D5,?,774D3410,C:\Users\user\AppData\Local\Temp\), ref: 004062FB
        • FindClose.KERNEL32(00000000), ref: 00406307
        Memory Dump Source
        • Source File: 00000000.00000002.1518807457.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_PI_230524.jbxd
        Similarity
        • API ID: Find$CloseFileFirst
        • String ID:
        • API String ID: 2295610775-0
        • Opcode ID: 6492e11af6876ec85f54452a190d9404ba6d94e49271ee4e7d15c167f534e484
        • Instruction ID: 3919553d01c23f7351ed85dbc682ed8077fcf54d37e588a2b2de2e61cdf0a9ad
        • Opcode Fuzzy Hash: 6492e11af6876ec85f54452a190d9404ba6d94e49271ee4e7d15c167f534e484
        • Instruction Fuzzy Hash: 14D012325451205BC75017786E0C88B7A589F963717214B36F9AAF61E0CB748C238AD8
        APIs
        • FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 00402774
        Memory Dump Source
        • Source File: 00000000.00000002.1518807457.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1518786651.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
        • Snapshot File: hcaresult_0_2_400000_PI_230524.jbxd
        Similarity
        • API ID: FileFindFirst
        • String ID:
        • API String ID: 1974802433-0
        • Opcode ID: 8a4b04becd242fba5d32797a1901637a58f3b6b856015b6a01afc789646fda0b
        • Instruction ID: 242f43cfa1d4ef5d1935b54718e26804d33959e399511836c9edd6ef5d071c48
        • Opcode Fuzzy Hash: 8a4b04becd242fba5d32797a1901637a58f3b6b856015b6a01afc789646fda0b
        • Instruction Fuzzy Hash: 5AF0A0725441009BD701EBB49A49AEEB768AF26324F6041BBE141F21C1D6B889459B6A

        Control-flow Graph: rendered graph not reproduced (basic blocks 00404A80-00405085, nodes marked executed / not executed)
        APIs
        • GetDlgItem.USER32(?,000003F9), ref: 00404A97
        • GetDlgItem.USER32(?,00000408), ref: 00404AA4
        • GlobalAlloc.KERNEL32(00000040,?), ref: 00404AF3
        • LoadImageA.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 00404B0A
        • SetWindowLongA.USER32(?,000000FC,00405088), ref: 00404B24
        • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404B36
        • ImageList_AddMasked.COMCTL32(00000000,00000110,00FF00FF), ref: 00404B4A
        • SendMessageA.USER32(?,00001109,00000002), ref: 00404B60
        • SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 00404B6C
        • SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 00404B7C
        • DeleteObject.GDI32(00000110), ref: 00404B81
        • SendMessageA.USER32(?,00000143,00000000,00000000), ref: 00404BAC
        • SendMessageA.USER32(?,00000151,00000000,00000000), ref: 00404BB8
        • SendMessageA.USER32(?,00001100,00000000,?), ref: 00404C52
        • SendMessageA.USER32(?,0000110A,00000003,00000110), ref: 00404C82
          • Part of subcall function 004040B0: SendMessageA.USER32(00000028,?,00000001,00403EE0), ref: 004040BE
        • SendMessageA.USER32(?,00001100,00000000,?), ref: 00404C96
        • GetWindowLongA.USER32(?,000000F0), ref: 00404CC4
        • SetWindowLongA.USER32(?,000000F0,00000000), ref: 00404CD2
        • ShowWindow.USER32(?,00000005), ref: 00404CE2
        • SendMessageA.USER32(?,00000419,00000000,?), ref: 00404DDD
        • SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404E42
        • SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00404E57
        • SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00404E7B
        • SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404E9B
        • ImageList_Destroy.COMCTL32(?), ref: 00404EB0
        • GlobalFree.KERNEL32(?), ref: 00404EC0
        • SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00404F39
        • SendMessageA.USER32(?,00001102,?,?), ref: 00404FE2
        • SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 00404FF1
        • InvalidateRect.USER32(?,00000000,00000001), ref: 00405011
        • ShowWindow.USER32(?,00000000), ref: 0040505F
        • GetDlgItem.USER32(?,000003FE), ref: 0040506A
        • ShowWindow.USER32(00000000), ref: 00405071
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.1518807457.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_PI_230524.jbxd
        Similarity
        • API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
        • String ID: $M$N
        • API String ID: 2564846305-813528018
        • Opcode ID: 11382514075a367b9a534aa2b94e13823d28ce86ee40b18e943e52e9e4fd8364
        • Instruction ID: a268e52f59abad667f40846b9330857a26eef97fbfd8c04b7b0b2c1eeebe026e
        • Opcode Fuzzy Hash: 11382514075a367b9a534aa2b94e13823d28ce86ee40b18e943e52e9e4fd8364
        • Instruction Fuzzy Hash: 56026DB0900209EFEB109FA8DD45AAE7BB5FB84314F10813AF610B62E1D7789D52DF58

        Control-flow Graph: rendered graph not reproduced (basic blocks 00403BA7-00404051, nodes marked executed / not executed)
        APIs
        • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403BE3
        • ShowWindow.USER32(?), ref: 00403C00
        • DestroyWindow.USER32 ref: 00403C14
        • SetWindowLongA.USER32(?,00000000,00000000), ref: 00403C30
        • GetDlgItem.USER32(?,?), ref: 00403C51
        • SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403C65
        • IsWindowEnabled.USER32(00000000), ref: 00403C6C
        • GetDlgItem.USER32(?,00000001), ref: 00403D1A
        • GetDlgItem.USER32(?,00000002), ref: 00403D24
        • SetClassLongA.USER32(?,000000F2,?), ref: 00403D3E
        • SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00403D8F
        • GetDlgItem.USER32(?,00000003), ref: 00403E35
        • ShowWindow.USER32(00000000,?), ref: 00403E56
        • EnableWindow.USER32(?,?), ref: 00403E68
        • EnableWindow.USER32(?,?), ref: 00403E83
        • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403E99
        • EnableMenuItem.USER32(00000000), ref: 00403EA0
        • SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00403EB8
        • SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403ECB
        • lstrlenA.KERNEL32(0079F548,?,0079F548,00000000), ref: 00403EF5
        • SetWindowTextA.USER32(?,0079F548), ref: 00403F04
        • ShowWindow.USER32(?,0000000A), ref: 00404038
        Memory Dump Source
        • Source File: 00000000.00000002.1518807457.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1518786651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1518828256.0000000000408000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1518857436.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1518857436.000000000078A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1518857436.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1518857436.00000000007AA000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1519070319.00000000007B3000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1519070319.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1519070319.00000000007C3000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1519070319.00000000007C5000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1519070319.00000000007CC000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_PI_230524.jbxd
        Similarity
        • API ID: Window$Item$MessageSend$EnableShow$LongMenu$ClassDestroyEnabledSystemTextlstrlen
        • String ID:
        • API String ID: 184305955-0
        • Opcode ID: e0d780eba1b088fa93d6fd4ed72d6ff884873a26146dcd9c5e819f50ed4c5972
        • Instruction ID: b507ef7cb9582abf258fe264cbdb2372651992ce94f69c67437d7eaacc5d437d
        • Opcode Fuzzy Hash: e0d780eba1b088fa93d6fd4ed72d6ff884873a26146dcd9c5e819f50ed4c5972
        • Instruction Fuzzy Hash: 09C1B0B1500204AFDB216F25EE85E2B7AB9EB8630AF00853EF741B11F1CB3D59529B5D
        APIs
          • Part of subcall function 00406385: GetModuleHandleA.KERNEL32(?,?,?,004032BB,0000000A), ref: 00406397
          • Part of subcall function 00406385: GetProcAddress.KERNEL32(00000000,?), ref: 004063B2
        • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsr7BEF.tmp,0079F548,80000001,Control Panel\Desktop\ResourceLocale,00000000,0079F548,00000000,00000002,774D3410,C:\Users\user\AppData\Local\Temp\,007A9000,00000000), ref: 00403885
        • lstrlenA.KERNEL32(007A1EE0,?,?,?,007A1EE0,00000000,007A9400,C:\Users\user\AppData\Local\Temp\nsr7BEF.tmp,0079F548,80000001,Control Panel\Desktop\ResourceLocale,00000000,0079F548,00000000,00000002,774D3410), ref: 004038FA
        • lstrcmpiA.KERNEL32(?,.exe), ref: 0040390D
        • GetFileAttributesA.KERNEL32(007A1EE0), ref: 00403918
        • LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,007A9400), ref: 00403961
          • Part of subcall function 00405F4B: wsprintfA.USER32 ref: 00405F58
        • RegisterClassA.USER32(007A26E0), ref: 0040399E
        • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 004039B6
        • CreateWindowExA.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 004039EB
        • ShowWindow.USER32(00000005,00000000), ref: 00403A21
        • GetClassInfoA.USER32(00000000,RichEdit20A,007A26E0), ref: 00403A4D
        • GetClassInfoA.USER32(00000000,RichEdit,007A26E0), ref: 00403A5A
        • RegisterClassA.USER32(007A26E0), ref: 00403A63
        • DialogBoxParamA.USER32(?,00000000,00403BA7,00000000), ref: 00403A82
        Similarity
        • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
        • String ID: .DEFAULT\Control Panel\International$.exe$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nsr7BEF.tmp$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb$&z
        • API String ID: 1975747703-1577551956
        • Opcode ID: 6a61cbbd4cf0e9c1d01e5c8b3980943b7258060f4ff29637f7b3df1c92db6b4f
        • Instruction ID: 79248491ef2bc55f5e0c4717b820805706146ebb855d4f379394f0877404e8f0
        • Opcode Fuzzy Hash: 6a61cbbd4cf0e9c1d01e5c8b3980943b7258060f4ff29637f7b3df1c92db6b4f
        • Instruction Fuzzy Hash: 6C61C6B0240640BED610AF659D45F3B3A6CD785749F10813FF985B62E2DB7D9D028B2D
        APIs
        • CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 00404271
        • GetDlgItem.USER32(00000000,000003E8), ref: 00404285
        • SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 004042A3
        • GetSysColor.USER32(?), ref: 004042B4
        • SendMessageA.USER32(00000000,00000443,00000000,?), ref: 004042C3
        • SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 004042D2
        • lstrlenA.KERNEL32(?), ref: 004042D5
        • SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 004042E4
        • SendMessageA.USER32(00000000,00000449,?,00000110), ref: 004042F9
        • GetDlgItem.USER32(?,0000040A), ref: 0040435B
        • SendMessageA.USER32(00000000), ref: 0040435E
        • GetDlgItem.USER32(?,000003E8), ref: 00404389
        • SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 004043C9
        • LoadCursorA.USER32(00000000,00007F02), ref: 004043D8
        • SetCursor.USER32(00000000), ref: 004043E1
        • LoadCursorA.USER32(00000000,00007F00), ref: 004043F7
        • SetCursor.USER32(00000000), ref: 004043FA
        • SendMessageA.USER32(00000111,00000001,00000000), ref: 00404426
        • SendMessageA.USER32(00000010,00000000,00000000), ref: 0040443A
        Similarity
        • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
        • String ID: N
        • API String ID: 3103080414-1130791706
        • Opcode ID: 614c9b85214c3d5e686e74a77366cc7cd529f3e87e761fa153b01f37f43dbd0e
        • Instruction ID: a3db5b80d5f6c8d56f7a184239f37e003a0a90a84a660de175ffc46cbe068f47
        • Opcode Fuzzy Hash: 614c9b85214c3d5e686e74a77366cc7cd529f3e87e761fa153b01f37f43dbd0e
        • Instruction Fuzzy Hash: D361B5B1A40204BFEF109F60DD45F6A7B69FB84704F10802AFB05BA1D1C7B8A951CF99
        APIs
        • DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
        • BeginPaint.USER32(?,?), ref: 00401047
        • GetClientRect.USER32(?,?), ref: 0040105B
        • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
        • FillRect.USER32(00000000,?,00000000), ref: 004010E4
        • DeleteObject.GDI32(?), ref: 004010ED
        • CreateFontIndirectA.GDI32(?), ref: 00401105
        • SetBkMode.GDI32(00000000,00000001), ref: 00401126
        • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
        • SelectObject.GDI32(00000000,?), ref: 00401140
        • DrawTextA.USER32(00000000,007A2740,000000FF,00000010,00000820), ref: 00401156
        • SelectObject.GDI32(00000000,00000000), ref: 00401160
        • DeleteObject.GDI32(?), ref: 00401165
        • EndPaint.USER32(?,?), ref: 0040116E
        Similarity
        • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
        • String ID: F
        • API String ID: 941294808-1304234792
        • Opcode ID: 05824d38ae5bde523e5173ae22b7a6f865c3ebb6508bc10e30638da455cbe7df
        • Instruction ID: 1ef7ef1d3183d2fe833be2fdc16277d02f602c466de40d92ea6efb336f18bcfe
        • Opcode Fuzzy Hash: 05824d38ae5bde523e5173ae22b7a6f865c3ebb6508bc10e30638da455cbe7df
        • Instruction Fuzzy Hash: 53417C71400249AFCB058FA5DE459BF7BB9FF45314F00802EF9A1AA1A0C778DA55DFA4
        APIs
        • GetTickCount.KERNEL32 ref: 00402DD5
        • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\PI_230524.exe,00000400), ref: 00402DF1
          • Part of subcall function 00405B86: GetFileAttributesA.KERNELBASE(00000003,00402E04,C:\Users\user\Desktop\PI_230524.exe,80000000,00000003), ref: 00405B8A
          • Part of subcall function 00405B86: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405BAC
        • GetFileSize.KERNEL32(00000000,00000000,007AB000,00000000,007A9C00,007A9C00,C:\Users\user\Desktop\PI_230524.exe,C:\Users\user\Desktop\PI_230524.exe,80000000,00000003), ref: 00402E3D
        • GlobalAlloc.KERNEL32(00000040,00000020), ref: 00402F73
        Strings
        • Error launching installer, xrefs: 00402E14
        • Null, xrefs: 00402EBB
        • soft, xrefs: 00402EB2
        • C:\Users\user\Desktop\PI_230524.exe, xrefs: 00402DDB, 00402DEA, 00402DFE, 00402E1E
        • Inst, xrefs: 00402EA9
        • Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 00402F9A
        • C:\Users\user\AppData\Local\Temp\, xrefs: 00402DCB
        Similarity
        • API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
        • String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop\PI_230524.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
        • API String ID: 2803837635-691260160
        • Opcode ID: 9736e98eac310f7701a3f26dbce612acab20a0efd3b563572a6f480415ef6cfa
        • Instruction ID: 59d678f17646e0847602a4e6c91a81595dbc35b8f9b1ca6258d7792959114811
        • Opcode Fuzzy Hash: 9736e98eac310f7701a3f26dbce612acab20a0efd3b563572a6f480415ef6cfa
        • Instruction Fuzzy Hash: 0F510971900216AFDB109F64CE89B9E7BB8EB55355F10403BF904B62C1C7BC9E81AB5D
        APIs
        • CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,00000000,00405DED,?,?), ref: 00405C8D
        • GetShortPathNameA.KERNEL32(?,007A12D8,00000400), ref: 00405C96
          • Part of subcall function 00405AEB: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405D46,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405AFB
          • Part of subcall function 00405AEB: lstrlenA.KERNEL32(00000000,?,00000000,00405D46,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405B2D
        • GetShortPathNameA.KERNEL32(?,007A16D8,00000400), ref: 00405CB3
        • wsprintfA.USER32 ref: 00405CD1
        • GetFileSize.KERNEL32(00000000,00000000,007A16D8,C0000000,00000004,007A16D8,?,?,?,?,?), ref: 00405D0C
        • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405D1B
        • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D53
        • SetFilePointer.KERNEL32(0040A3B8,00000000,00000000,00000000,00000000,007A0ED8,00000000,-0000000A,0040A3B8,00000000,[Rename],00000000,00000000,00000000), ref: 00405DA9
        • GlobalFree.KERNEL32(00000000), ref: 00405DBA
        • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00405DC1
          • Part of subcall function 00405B86: GetFileAttributesA.KERNELBASE(00000003,00402E04,C:\Users\user\Desktop\PI_230524.exe,80000000,00000003), ref: 00405B8A
          • Part of subcall function 00405B86: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405BAC
        Similarity
        • API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
        • String ID: %s=%s$[Rename]
        • API String ID: 2171350718-1727408572
        • Opcode ID: d25c713501a9bf653a1fcacbbfc2014aaa95160241b761f08358092e952fb18f
        • Instruction ID: 4ef5f1c50d251b73862b961a89edc9b2cc60572935cd21a4370a6936b8511f12
        • Opcode Fuzzy Hash: d25c713501a9bf653a1fcacbbfc2014aaa95160241b761f08358092e952fb18f
        • Instruction Fuzzy Hash: 5231F231201B15ABD2206B659D4DF6B3A6CDF86754F14053FFA01F62D2EA3CE8058EAD
        APIs
        • GetSystemDirectoryA.KERNEL32(007A1EE0,00000400), ref: 0040613A
        • GetWindowsDirectoryA.KERNEL32(007A1EE0,00000400,?,0079ED28,00000000,0040514C,0079ED28,00000000), ref: 0040614D
        • SHGetSpecialFolderLocation.SHELL32(0040514C,774D23A0,?,0079ED28,00000000,0040514C,0079ED28,00000000), ref: 00406189
        • SHGetPathFromIDListA.SHELL32(774D23A0,007A1EE0), ref: 00406197
        • CoTaskMemFree.OLE32(774D23A0), ref: 004061A3
        • lstrcatA.KERNEL32(007A1EE0,\Microsoft\Internet Explorer\Quick Launch), ref: 004061C7
        • lstrlenA.KERNEL32(007A1EE0,?,0079ED28,00000000,0040514C,0079ED28,00000000,00000000,?,774D23A0), ref: 00406219
        Strings
        • Software\Microsoft\Windows\CurrentVersion, xrefs: 00406109
        • \Microsoft\Internet Explorer\Quick Launch, xrefs: 004061C1
        Similarity
        • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
        • String ID: Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
        • API String ID: 717251189-730719616
        • Opcode ID: 355b90f3f401d120c3d4b6cf139cfaaf503aaee0dfbae073ec691654466f74a4
        • Instruction ID: d98bd44868bde6ace230f91b8fcf6596fc401970515ead307cdfb18f28ae641c
        • Opcode Fuzzy Hash: 355b90f3f401d120c3d4b6cf139cfaaf503aaee0dfbae073ec691654466f74a4
        • Instruction Fuzzy Hash: EE61F471904111AEDF11AF68CC84B7E3BA49B56314F16817FE903BA2D2C73C49A2CB4E
        APIs
        • lstrlenA.KERNEL32(0079ED28,00000000,?,774D23A0,?,?,?,?,?,?,?,?,?,00403133,00000000,?), ref: 0040514D
        • lstrlenA.KERNEL32(00403133,0079ED28,00000000,?,774D23A0,?,?,?,?,?,?,?,?,?,00403133,00000000), ref: 0040515D
        • lstrcatA.KERNEL32(0079ED28,00403133,00403133,0079ED28,00000000,?,774D23A0), ref: 00405170
        • SetWindowTextA.USER32(0079ED28,0079ED28), ref: 00405182
        • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004051A8
        • SendMessageA.USER32(?,00001007,00000000,00000001), ref: 004051C2
        • SendMessageA.USER32(?,00001013,?,00000000), ref: 004051D0
        Similarity
        • API ID: MessageSend$lstrlen$TextWindowlstrcat
        • String ID: (y
        • API String ID: 2531174081-255812342
        • Opcode ID: 95f89131369c21242812949e714cdf1864596966d358f4f3b94d925066a10f3f
        • Instruction ID: bffe320471bb4ed621b5b80758aa42b14eae6e2fc0b22327473978c148379bdd
        • Opcode Fuzzy Hash: 95f89131369c21242812949e714cdf1864596966d358f4f3b94d925066a10f3f
        • Instruction Fuzzy Hash: 06219D71D00518BBDF119FA9CD80ADEBFB9EF05358F10807AF904B6291C6388E418FA8
        APIs
        • GetWindowLongA.USER32(?,000000EB), ref: 004040FF
        • GetSysColor.USER32(00000000), ref: 0040413D
        • SetTextColor.GDI32(?,00000000), ref: 00404149
        • SetBkMode.GDI32(?,?), ref: 00404155
        • GetSysColor.USER32(?), ref: 00404168
        • SetBkColor.GDI32(?,?), ref: 00404178
        • DeleteObject.GDI32(?), ref: 00404192
        • CreateBrushIndirect.GDI32(?), ref: 0040419C
        Similarity
        • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
        • String ID:
        • API String ID: 2320649405-0
        • Opcode ID: 2fd397ab70c88e7053abfa2b1889d7e6adf273714bf8f91ffd366fbe1d5efa4b
        • Instruction ID: 7e7a0635a9a9ad053635d0a61e184563e53fd5caf941e55c08cb8fd0a55be6c0
        • Opcode Fuzzy Hash: 2fd397ab70c88e7053abfa2b1889d7e6adf273714bf8f91ffd366fbe1d5efa4b
        • Instruction Fuzzy Hash: 312195715007049BD7309F68DD0CB5BBBF4AF91710B048A2EEA96A62E4C738D894CB54
        APIs
        • CharNextA.USER32(?,*?|<>/":,00000000,007A9000,774D3410,C:\Users\user\AppData\Local\Temp\,00000000,00403223,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040345A,?,00000006,00000008,0000000A), ref: 004062AF
        • CharNextA.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 004062BC
        • CharNextA.USER32(?,007A9000,774D3410,C:\Users\user\AppData\Local\Temp\,00000000,00403223,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040345A,?,00000006,00000008,0000000A), ref: 004062C1
        • CharPrevA.USER32(?,?,774D3410,C:\Users\user\AppData\Local\Temp\,00000000,00403223,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040345A,?,00000006,00000008,0000000A), ref: 004062D1
        Similarity
        • API ID: Char$Next$Prev
        • String ID: *?|<>/":$C:\Users\user\AppData\Local\Temp\
        • API String ID: 589700163-2950451457
        • Opcode ID: a4ab23b94a56fbb4e4ab915d6a0181bd243ee2e30b5e95404a857257d08c8b81
        • Instruction ID: c458f316ef597d28f2da60d7b579c442bef5f501f0b3efb69703b1c7b5c33328
        • Opcode Fuzzy Hash: a4ab23b94a56fbb4e4ab915d6a0181bd243ee2e30b5e95404a857257d08c8b81
        • Instruction Fuzzy Hash: 2211E25180479129FB3226280C44FB77F984B9B770F1901BFD4C6722C2C67C5CA6826D
        APIs
        • SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 004049E9
        • GetMessagePos.USER32 ref: 004049F1
        • ScreenToClient.USER32(?,?), ref: 00404A0B
        • SendMessageA.USER32(?,00001111,00000000,?), ref: 00404A1D
        • SendMessageA.USER32(?,0000110C,00000000,?), ref: 00404A43
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.1518807457.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1518786651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1518828256.0000000000408000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1518857436.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1518857436.000000000078A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1518857436.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1518857436.00000000007AA000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1519070319.00000000007B3000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1519070319.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1519070319.00000000007C3000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1519070319.00000000007C5000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1519070319.00000000007CC000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_PI_230524.jbxd
        Similarity
        • API ID: Message$Send$ClientScreen
        • String ID: f
        • API String ID: 41195575-1993550816
        • Opcode ID: b233b2991907e98a40282691d164461162982266b543cde43f51771bab81e11a
        • Instruction ID: eb4189dc51e804bfd071b7650a20f4023a9ce92a25ebde304762d3f5d63b5794
        • Opcode Fuzzy Hash: b233b2991907e98a40282691d164461162982266b543cde43f51771bab81e11a
        • Instruction Fuzzy Hash: A7019271E40218BADB00DB94DD81FFEBBBCAF55711F10012BBA00B61C0C7B455018F94
        APIs
        • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402CF8
        • MulDiv.KERNEL32(00084574,00000064,?), ref: 00402D23
        • wsprintfA.USER32 ref: 00402D33
        • SetWindowTextA.USER32(?,?), ref: 00402D43
        • SetDlgItemTextA.USER32(?,00000406,?), ref: 00402D55
        Strings
        • verifying installer: %d%%, xrefs: 00402D2D
        Memory Dump Source
        • Source File: 00000000.00000002.1518807457.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1518786651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1518828256.0000000000408000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1518857436.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1518857436.000000000078A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1518857436.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1518857436.00000000007AA000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1519070319.00000000007B3000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1519070319.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1519070319.00000000007C3000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1519070319.00000000007C5000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1519070319.00000000007CC000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_PI_230524.jbxd
        Similarity
        • API ID: Text$ItemTimerWindowwsprintf
        • String ID: verifying installer: %d%%
        • API String ID: 1451636040-82062127
        • Opcode ID: d2fd7c2642e66b568f2ec6ad1d9ac2acf8620bf8fd7d34c9c6364c2149bd0d5f
        • Instruction ID: 93681796157c975abd13c8aaf7f83402805495348c169d35143c581ed88c076c
        • Opcode Fuzzy Hash: d2fd7c2642e66b568f2ec6ad1d9ac2acf8620bf8fd7d34c9c6364c2149bd0d5f
        • Instruction Fuzzy Hash: 3001FF71640209BBEF109F60DE4AFEE3769EB04345F00803AFA16B51D0DBB999568F59
        APIs
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.1518807457.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1518786651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1518828256.0000000000408000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1518857436.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1518857436.000000000078A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1518857436.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1518857436.00000000007AA000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1519070319.00000000007B3000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1519070319.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1519070319.00000000007C3000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1519070319.00000000007C5000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1519070319.00000000007CC000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_PI_230524.jbxd
        Similarity
        • API ID: CountTick$wsprintf
        • String ID: ... %d%%
        • API String ID: 551687249-2449383134
        • Opcode ID: fef8aa081522ed2de8415660b51b7b4f98d739dbc9ed57078d116e38b9f19439
        • Instruction ID: 7192b2bd781d1e73c4002c8dab31bcfd9076020614228c7b813c8c88a4a42f55
        • Opcode Fuzzy Hash: fef8aa081522ed2de8415660b51b7b4f98d739dbc9ed57078d116e38b9f19439
        • Instruction Fuzzy Hash: 63517931901209ABCB10DF65DA44A9F7BBCEF18766F14413BE810BB2D0C7799B41CBA9
        APIs
        • GetModuleHandleA.KERNEL32(00000000,00000001,000000F0), ref: 00402095
          • Part of subcall function 00405114: lstrlenA.KERNEL32(0079ED28,00000000,?,774D23A0,?,?,?,?,?,?,?,?,?,00403133,00000000,?), ref: 0040514D
          • Part of subcall function 00405114: lstrlenA.KERNEL32(00403133,0079ED28,00000000,?,774D23A0,?,?,?,?,?,?,?,?,?,00403133,00000000), ref: 0040515D
          • Part of subcall function 00405114: lstrcatA.KERNEL32(0079ED28,00403133,00403133,0079ED28,00000000,?,774D23A0), ref: 00405170
          • Part of subcall function 00405114: SetWindowTextA.USER32(0079ED28,0079ED28), ref: 00405182
          • Part of subcall function 00405114: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004051A8
          • Part of subcall function 00405114: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 004051C2
          • Part of subcall function 00405114: SendMessageA.USER32(?,00001013,?,00000000), ref: 004051D0
        • LoadLibraryExA.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 004020A5
        • GetProcAddress.KERNEL32(00000000,?), ref: 004020B5
        • FreeLibrary.KERNEL32(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 0040211F
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.1518807457.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1518786651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1518828256.0000000000408000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1518857436.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1518857436.000000000078A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1518857436.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1518857436.00000000007AA000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1519070319.00000000007B3000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1519070319.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1519070319.00000000007C3000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1519070319.00000000007C5000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1519070319.00000000007CC000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_PI_230524.jbxd
        Similarity
        • API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
        • String ID: /z
        • API String ID: 2987980305-1190999251
        • Opcode ID: 76eb37b8e6d31aad23f9fdd74334b5d935c47e479e1adefb058bb3ac25a7cd42
        • Instruction ID: e61536644f3bf68f7d9d9aba667bc4080f9c9cd2ba15b67bd91c869db9746c0c
        • Opcode Fuzzy Hash: 76eb37b8e6d31aad23f9fdd74334b5d935c47e479e1adefb058bb3ac25a7cd42
        • Instruction Fuzzy Hash: 6521C671900214ABCF11BFA4CF89AAE7AB4AF45318F20413BF601B62D1D6FD4982965E
        APIs
        • CreateDirectoryA.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\), ref: 0040561D
        • GetLastError.KERNEL32 ref: 00405631
        • SetFileSecurityA.ADVAPI32(?,80000007,00000001), ref: 00405646
        • GetLastError.KERNEL32 ref: 00405650
        Strings
        • C:\Users\user\AppData\Local\Temp\, xrefs: 00405600
        Memory Dump Source
        • Source File: 00000000.00000002.1518807457.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1518786651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1518828256.0000000000408000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1518857436.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1518857436.000000000078A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1518857436.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1518857436.00000000007AA000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1519070319.00000000007B3000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1519070319.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1519070319.00000000007C3000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1519070319.00000000007C5000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1519070319.00000000007CC000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_PI_230524.jbxd
        Similarity
        • API ID: ErrorLast$CreateDirectoryFileSecurity
        • String ID: C:\Users\user\AppData\Local\Temp\
        • API String ID: 3449924974-2145255484
        • Opcode ID: 3f07113bbed92aa299f899006a5ac68722d9e9d13463f273e10feef126da3ab7
        • Instruction ID: 74ab278e8dc0014e3bb1a2534afc1f4e11ab1799ac02ec3fccaeb9b03a53458b
        • Opcode Fuzzy Hash: 3f07113bbed92aa299f899006a5ac68722d9e9d13463f273e10feef126da3ab7
        • Instruction Fuzzy Hash: 42011A71C00619EADF009FA1D944BEFBBB8EF14354F00843AD549B6290D77996498FA9
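The function blocks in this report are raw call-site listings: API name, module, recovered arguments and the address of the call. As an added example (not part of the Joe Sandbox report and not Joe Sandbox code), the Python below parses blocks in exactly this format into per-function call sequences, decodes the SECURITY_INFORMATION mask that the block above passes to SetFileSecurityA (80000007), and applies two illustrative triage rules over the sequences. The sample input is constructed from shortened lines of this report; the rule names, the `Call` type and the parsing regex are this example's own assumptions about the format, not anything the report defines.

```python
"""Parse Joe Sandbox function-level API listings into per-function call sequences.

Added example, not part of the report and not Joe Sandbox code. SAMPLE is constructed
from (shortened) lines of this report; the two triage rules are illustrative assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# One report line: optional "Part of subcall function XXXXXXXX: ", then
# Api.MODULE(args), ref: XXXXXXXX  (the argument list and the comma may be absent)
CALL_RE = re.compile(
    r"^\s*•\s+(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}): )?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-Fa-f]{8})\s*$"
)

# Constructed sample: two function blocks copied from this report, argument lists shortened.
SAMPLE = r"""
APIs
• CreateDirectoryA.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\), ref: 0040561D
• GetLastError.KERNEL32 ref: 00405631
• SetFileSecurityA.ADVAPI32(?,80000007,00000001), ref: 00405646
• GetLastError.KERNEL32 ref: 00405650
Strings
• C:\Users\user\AppData\Local\Temp\, xrefs: 00405600
Memory Dump Source
APIs
• GetModuleHandleA.KERNEL32(00000000,00000001,000000F0), ref: 00402095
  • Part of subcall function 00405114: lstrlenA.KERNEL32(0079ED28,00000000), ref: 0040514D
• LoadLibraryExA.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 004020A5
• GetProcAddress.KERNEL32(00000000,?), ref: 004020B5
• FreeLibrary.KERNEL32(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 0040211F
Memory Dump Source
"""


@dataclass(frozen=True)
class Call:
    api: str
    module: str
    args: tuple                       # raw argument strings; "?" = value not recovered by the sandbox
    ref: int                          # address of the call site
    subcall_of: Optional[int] = None  # callee address when the line is "Part of subcall function"


def parse_api_blocks(text: str) -> list[list[Call]]:
    """Split report text into per-function blocks: an 'APIs' header opens a block,
    the next section header ('Strings', 'Memory Dump Source', ...) closes it."""
    blocks: list[list[Call]] = []
    current: Optional[list[Call]] = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "APIs":
            current = []
            blocks.append(current)
            continue
        if current is None or not stripped:
            continue
        m = CALL_RE.match(line)
        if m is None:
            if not stripped.startswith("•"):
                current = None        # a non-bullet line is a new section header
            continue
        args = tuple(a for a in (m["args"] or "").split(",") if a)
        current.append(Call(m["api"], m["mod"], args, int(m["ref"], 16),
                            int(m["sub"], 16) if m["sub"] else None))
    return blocks


# SECURITY_INFORMATION bits from winnt.h, used to read SetFileSecurity's second argument.
SECURITY_INFORMATION_FLAGS = {
    0x00000001: "OWNER_SECURITY_INFORMATION",
    0x00000002: "GROUP_SECURITY_INFORMATION",
    0x00000004: "DACL_SECURITY_INFORMATION",
    0x00000008: "SACL_SECURITY_INFORMATION",
    0x10000000: "UNPROTECTED_SACL_SECURITY_INFORMATION",
    0x20000000: "UNPROTECTED_DACL_SECURITY_INFORMATION",
    0x40000000: "PROTECTED_SACL_SECURITY_INFORMATION",
    0x80000000: "PROTECTED_DACL_SECURITY_INFORMATION",
}


def decode_security_information(mask: int) -> list[str]:
    """Expand a SECURITY_INFORMATION mask into flag names, lowest bit first."""
    names = [name for bit, name in sorted(SECURITY_INFORMATION_FLAGS.items()) if mask & bit]
    unknown = mask & ~sum(SECURITY_INFORMATION_FLAGS)
    if unknown:
        names.append(f"UNKNOWN_0x{unknown:08X}")
    return names


def in_order(names: list[str], pattern: list[str]) -> bool:
    """True if every name in pattern occurs in names in that order (gaps allowed)."""
    it = iter(names)
    return all(p in it for p in pattern)


def triage(blocks: list[list[Call]]) -> list[tuple]:
    """Apply two illustrative rules (this example's assumptions, not vendor signatures).
    Returns (rule, ref of the block's first direct call, extra) tuples."""
    findings = []
    for block in blocks:
        direct = [c for c in block if c.subcall_of is None]   # skip 'Part of subcall' lines
        if not direct:
            continue
        names = [c.api for c in direct]
        if in_order(names, ["CreateDirectoryA", "SetFileSecurityA"]):
            sec = next(c for c in direct if c.api == "SetFileSecurityA")
            mask = sec.args[1] if len(sec.args) > 1 else "?"
            decoded = decode_security_information(int(mask, 16)) if mask != "?" else None
            findings.append(("create_dir_then_set_security", direct[0].ref, decoded))
        if any(in_order(names, [load, "GetProcAddress", "FreeLibrary"])
               for load in ("LoadLibraryA", "LoadLibraryExA")):
            findings.append(("dll_load_resolve_free", direct[0].ref, None))
    return findings
```

On the two sample blocks this reports the CreateDirectoryA then SetFileSecurityA pair with the mask decoded as OWNER, GROUP, DACL and PROTECTED_DACL_SECURITY_INFORMATION, that is, an explicit non-inheriting DACL set on the directory the installer has just created under the user's Temp path, and the LoadLibraryExA, GetProcAddress, FreeLibrary sequence by which the NSIS runtime calls into an extracted plugin DLL. Neither sequence is a malicious indicator by itself, which is consistent with the report's low score; the value of the pass is having the per-function sequences in a form that can be diffed against other samples built with the same installer stub.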
        APIs
        • lstrcatA.KERNEL32(00000000,00000000,0040A3E8,007A9800,00000000,00000000,00000031), ref: 00401798
        • CompareFileTime.KERNEL32(-00000014,?,0040A3E8,0040A3E8,00000000,00000000,0040A3E8,007A9800,00000000,00000000,00000031), ref: 004017C2
          • Part of subcall function 00405FED: lstrcpynA.KERNEL32(?,?,00000400,0040331A,007A2740,NSIS Error,?,00000006,00000008,0000000A), ref: 00405FFA
          • Part of subcall function 00405114: lstrlenA.KERNEL32(0079ED28,00000000,?,774D23A0,?,?,?,?,?,?,?,?,?,00403133,00000000,?), ref: 0040514D
          • Part of subcall function 00405114: lstrlenA.KERNEL32(00403133,0079ED28,00000000,?,774D23A0,?,?,?,?,?,?,?,?,?,00403133,00000000), ref: 0040515D
          • Part of subcall function 00405114: lstrcatA.KERNEL32(0079ED28,00403133,00403133,0079ED28,00000000,?,774D23A0), ref: 00405170
          • Part of subcall function 00405114: SetWindowTextA.USER32(0079ED28,0079ED28), ref: 00405182
          • Part of subcall function 00405114: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004051A8
          • Part of subcall function 00405114: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 004051C2
          • Part of subcall function 00405114: SendMessageA.USER32(?,00001013,?,00000000), ref: 004051D0
        Memory Dump Source
        • Source File: 00000000.00000002.1518807457.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1518786651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1518828256.0000000000408000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1518857436.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1518857436.000000000078A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1518857436.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1518857436.00000000007AA000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1519070319.00000000007B3000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1519070319.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1519070319.00000000007C3000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1519070319.00000000007C5000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1519070319.00000000007CC000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_PI_230524.jbxd
        Similarity
        • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
        • String ID:
        • API String ID: 1941528284-0
        • Opcode ID: 360689f11c82bba77c7f80d843b2564d1a58c4de77dc1253bfc3ecda3e8a2caf
        • Instruction ID: 0c6c4ee3c8c955c352dd186891d8ef18ee81d47802e2f4eda18a4991a1bfe0dc
        • Opcode Fuzzy Hash: 360689f11c82bba77c7f80d843b2564d1a58c4de77dc1253bfc3ecda3e8a2caf
        • Instruction Fuzzy Hash: D841B471900515BACB10BBB5CD46D9F36B9DF45328B20823FF522F20E2D67C8A519A6E
        APIs
        • GetDlgItem.USER32(?), ref: 00401D58
        • GetClientRect.USER32(?,?), ref: 00401D9F
        • LoadImageA.USER32(?,?,?,?,?,?), ref: 00401DCD
        • SendMessageA.USER32(?,00000172,?,00000000), ref: 00401DDD
        • DeleteObject.GDI32(00000000), ref: 00401DF4
        Memory Dump Source
        • Source File: 00000000.00000002.1518807457.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1518786651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1518828256.0000000000408000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1518857436.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1518857436.000000000078A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1518857436.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1518857436.00000000007AA000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1519070319.00000000007B3000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1519070319.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1519070319.00000000007C3000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1519070319.00000000007C5000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1519070319.00000000007CC000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_PI_230524.jbxd
        Similarity
        • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
        • String ID:
        • API String ID: 1849352358-0
        • Opcode ID: 13921e806d45149a6dc022ce21c4869d67d4c742d7821b5643b5022a6b36d2ad
        • Instruction ID: 73b34c0ea56e2209ca6b10ab4d69fe2665be34d6bb8fccc5b8c3de89ec824b9e
        • Opcode Fuzzy Hash: 13921e806d45149a6dc022ce21c4869d67d4c742d7821b5643b5022a6b36d2ad
        • Instruction Fuzzy Hash: E8216672D00109AFDB05DF98DE44AEE7BB5FB48300F10407AF945F62A1CB789941CB58
        APIs
        • GetDC.USER32(?), ref: 00401E02
        • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E1C
        • MulDiv.KERNEL32(00000000,00000000), ref: 00401E24
        • ReleaseDC.USER32(?,00000000), ref: 00401E35
        • CreateFontIndirectA.GDI32(0040B7E8), ref: 00401E84
        Memory Dump Source
        • Source File: 00000000.00000002.1518807457.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1518786651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1518828256.0000000000408000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1518857436.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1518857436.000000000078A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1518857436.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1518857436.00000000007AA000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1519070319.00000000007B3000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1519070319.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1519070319.00000000007C3000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1519070319.00000000007C5000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1519070319.00000000007CC000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_PI_230524.jbxd
        Similarity
        • API ID: CapsCreateDeviceFontIndirectRelease
        • String ID:
        • API String ID: 3808545654-0
        • Opcode ID: 05f1e8dbd8d2bd980b19a9bf60f2e06b7196c972b172c4b5c644a34e8c2871d7
        • Instruction ID: 7256709fe02f9cd86de6692cc41f874bddf10922414536e302f1c0253df40f98
        • Opcode Fuzzy Hash: 05f1e8dbd8d2bd980b19a9bf60f2e06b7196c972b172c4b5c644a34e8c2871d7
        • Instruction Fuzzy Hash: 3901B571900342AFE7019BB1AE49B997FB4EB55304F104439F251BB1E3CBB800059B6D
        APIs
        • SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C7A
        • SendMessageA.USER32(00000000,00000000,?,?), ref: 00401C92
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.1518807457.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1518786651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1518828256.0000000000408000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1518857436.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1518857436.000000000078A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1518857436.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1518857436.00000000007AA000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1519070319.00000000007B3000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1519070319.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1519070319.00000000007C3000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1519070319.00000000007C5000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1519070319.00000000007CC000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_PI_230524.jbxd
        Similarity
        • API ID: MessageSend$Timeout
        • String ID: !
        • API String ID: 1777923405-2657877971
        • Opcode ID: 56024d7b795917ac40a938a9424bf93a2c17818310143ec6cf2dad3ecb35a3ea
        • Instruction ID: 70c5dabd3ba5e8ff49a6b9f2e1e1e4e729e8b40939c30b800ff2ff7c816f6e1a
        • Opcode Fuzzy Hash: 56024d7b795917ac40a938a9424bf93a2c17818310143ec6cf2dad3ecb35a3ea
        • Instruction Fuzzy Hash: 91216BB1944208BEEF06AFA4DD8AAAD7FB5EB44304F10447EF501B61D1C7B88640DB18
        APIs
        • lstrlenA.KERNEL32(0079F548,0079F548,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,004047DF,000000DF,00000000,00000400,?), ref: 00404962
        • wsprintfA.USER32 ref: 0040496A
        • SetDlgItemTextA.USER32(?,0079F548), ref: 0040497D
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.1518807457.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1518786651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1518828256.0000000000408000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1518857436.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1518857436.000000000078A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1518857436.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1518857436.00000000007AA000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1519070319.00000000007B3000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1519070319.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1519070319.00000000007C3000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1519070319.00000000007C5000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1519070319.00000000007CC000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_PI_230524.jbxd
        Similarity
        • API ID: ItemTextlstrlenwsprintf
        • String ID: %u.%u%s%s
        • API String ID: 3540041739-3551169577
        • Opcode ID: 6d2eeb472e20695eb05127d64b2e12331241c20ef3687a8bfd662f06559d6acd
        • Instruction ID: 7420f511cdb836142555688b3451de143ce73197971a19baf3312835e895797a
        • Opcode Fuzzy Hash: 6d2eeb472e20695eb05127d64b2e12331241c20ef3687a8bfd662f06559d6acd
        • Instruction Fuzzy Hash: 0411DA736441283BEB10657D9C45EAF3298DB86374F260237FA26F31D1E979CC2251E8
        APIs
          • Part of subcall function 00405FED: lstrcpynA.KERNEL32(?,?,00000400,0040331A,007A2740,NSIS Error,?,00000006,00000008,0000000A), ref: 00405FFA
          • Part of subcall function 00405A1E: CharNextA.USER32(?,?,007A0950,?,00405A8A,007A0950,007A0950,774D3410,?,C:\Users\user\AppData\Local\Temp\,004057D5,?,774D3410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405A2C
          • Part of subcall function 00405A1E: CharNextA.USER32(00000000), ref: 00405A31
          • Part of subcall function 00405A1E: CharNextA.USER32(00000000), ref: 00405A45
        • lstrlenA.KERNEL32(007A0950,00000000,007A0950,007A0950,774D3410,?,C:\Users\user\AppData\Local\Temp\,004057D5,?,774D3410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405AC6
        • GetFileAttributesA.KERNEL32(007A0950,007A0950,007A0950,007A0950,007A0950,007A0950,00000000,007A0950,007A0950,774D3410,?,C:\Users\user\AppData\Local\Temp\,004057D5,?,774D3410,C:\Users\user\AppData\Local\Temp\), ref: 00405AD6
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.1518807457.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1518786651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1518828256.0000000000408000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1518857436.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1518857436.000000000078A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1518857436.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1518857436.00000000007AA000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1519070319.00000000007B3000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1519070319.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1519070319.00000000007C3000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1519070319.00000000007C5000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1519070319.00000000007CC000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_PI_230524.jbxd
        Similarity
        • API ID: CharNext$AttributesFilelstrcpynlstrlen
        • String ID: C:\Users\user\AppData\Local\Temp\$Pz
        • API String ID: 3248276644-1715874187
        • Opcode ID: 6e5c033a035c27754d6853607a5acda36fe127f80b162ed81d790e353b870010
        • Instruction ID: 48b42070403af27e20b1f5acdd7358d009e8e21f6fdf4bd1af3726bdd8170272
        • Opcode Fuzzy Hash: 6e5c033a035c27754d6853607a5acda36fe127f80b162ed81d790e353b870010
        • Instruction Fuzzy Hash: 2AF0A421215D6216D622323A1C89A9F1A58CEC7364709073FF866B12D3EA3C89439DAE
        APIs
        • lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403235,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040345A,?,00000006,00000008,0000000A), ref: 0040598B
        • CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,00403235,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040345A,?,00000006,00000008,0000000A), ref: 00405994
        • lstrcatA.KERNEL32(?,0040A014,?,00000006,00000008,0000000A), ref: 004059A5
        Strings
        • C:\Users\user\AppData\Local\Temp\, xrefs: 00405985
        Memory Dump Source
        • Source File: 00000000.00000002.1518807457.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1518786651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1518828256.0000000000408000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1518857436.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1518857436.000000000078A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1518857436.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1518857436.00000000007AA000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1519070319.00000000007B3000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1519070319.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1519070319.00000000007C3000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1519070319.00000000007C5000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1519070319.00000000007CC000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_PI_230524.jbxd
        Similarity
        • API ID: CharPrevlstrcatlstrlen
        • String ID: C:\Users\user\AppData\Local\Temp\
        • API String ID: 2659869361-2145255484
        • Opcode ID: dfed55a16eab86d89f3af7970decdd3a6c9dbbcd65d2cf450bad9cf681275afb
        • Instruction ID: 19b991fbecd43d68fcf8fbe3975c191da3a7c8eaa4a3e5077e024cb3b188d11e
        • Opcode Fuzzy Hash: dfed55a16eab86d89f3af7970decdd3a6c9dbbcd65d2cf450bad9cf681275afb
        • Instruction Fuzzy Hash: 8DD0A7A21059306AE20266159C09DDB19088F12315B060027F101B2191C63C0D1187FE
        APIs
        • RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402C93
        • RegCloseKey.ADVAPI32(?,?,?), ref: 00402C9C
        • RegCloseKey.ADVAPI32(?,?,?), ref: 00402CBD
        Similarity
        • API ID: Close$Enum
        • String ID:
        • API String ID: 464197530-0
        • Opcode ID: f81053263e66775c86f22c9e7281053eb29660a1472c423ac1bc7bfee237aa75
        • Instruction ID: 0ef75652e5200b2c3979a726b87f5b44e9bd6decc27dd8d038d5566faf8c77c7
        • Opcode Fuzzy Hash: f81053263e66775c86f22c9e7281053eb29660a1472c423ac1bc7bfee237aa75
        • Instruction Fuzzy Hash: CC119A32504109FBEF129F90CF09B9E7B6DEB14380F204032BD45B61E0E7B59E11ABA8
        APIs
        • DestroyWindow.USER32(?,00000000,00402F3E,00000001), ref: 00402D73
        • GetTickCount.KERNEL32 ref: 00402D91
        • CreateDialogParamA.USER32(0000006F,00000000,00402CDD,00000000), ref: 00402DAE
        • ShowWindow.USER32(00000000,00000005), ref: 00402DBC
        Similarity
        • API ID: Window$CountCreateDestroyDialogParamShowTick
        • String ID:
        • API String ID: 2102729457-0
        • Opcode ID: 937823a9ca513d21e0cf2f2d626aeb3dfaa269d40a84f5f8bcfb97d910e847a5
        • Instruction ID: 59a190b5ca5e41810c33fe67e91fb44ed42669482eb3396a028566c2b75ef85f
        • Opcode Fuzzy Hash: 937823a9ca513d21e0cf2f2d626aeb3dfaa269d40a84f5f8bcfb97d910e847a5
        • Instruction Fuzzy Hash: 8DF05831941620EBC610AB24BE4CA8E7B74BB04B12711897BF449B11F4CB7C4C828B9C
        APIs
        • IsWindowVisible.USER32(?), ref: 004050B7
        • CallWindowProcA.USER32(?,?,?,?), ref: 00405108
          • Part of subcall function 004040C7: SendMessageA.USER32(?,00000000,00000000,00000000), ref: 004040D9
        Similarity
        • API ID: Window$CallMessageProcSendVisible
        • String ID:
        • API String ID: 3748168415-3916222277
        • Opcode ID: aa27df10419a993b06254c4634be6a0ab58901204a819692472b88ae61f90a6b
        • Instruction ID: b4a086d39c893e0b6e30c02e44c042f184afa5b73794f50f798247e01a256ddd
        • Opcode Fuzzy Hash: aa27df10419a993b06254c4634be6a0ab58901204a819692472b88ae61f90a6b
        • Instruction Fuzzy Hash: 5C018471200609EFDF204F11DD84A6F3665EB84314F208037F605B65D1CB7A8C52AFAD
        APIs
        • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,007A0D50,Error launching installer), ref: 004056B5
        • CloseHandle.KERNEL32(?), ref: 004056C2
        Strings
        • Error launching installer, xrefs: 0040569F
        Similarity
        • API ID: CloseCreateHandleProcess
        • String ID: Error launching installer
        • API String ID: 3712363035-66219284
        • Opcode ID: f0a19a88b4191ad482a62bb3ee09ede63fcf5498891b486954be21cba29d19c8
        • Instruction ID: 2140ebbf1eee4cb4891f52a8ff1fd75339fa61df53f1a1a9c1e04f6e33d43294
        • Opcode Fuzzy Hash: f0a19a88b4191ad482a62bb3ee09ede63fcf5498891b486954be21cba29d19c8
        • Instruction Fuzzy Hash: 40E0BFF5610209BFEB009FA4DE05F7B7BBDEB40704F404925BD10F2160D774A8148A78
        APIs
        • FreeLibrary.KERNEL32(?,774D3410,00000000,C:\Users\user\AppData\Local\Temp\,0040374D,00403567,?,?,00000006,00000008,0000000A), ref: 0040378F
        • GlobalFree.KERNEL32(?), ref: 00403796
        Strings
        • C:\Users\user\AppData\Local\Temp\, xrefs: 00403775
        Similarity
        • API ID: Free$GlobalLibrary
        • String ID: C:\Users\user\AppData\Local\Temp\
        • API String ID: 1100898210-2145255484
        • Opcode ID: d916e2e12d8e8e0e05938552f8e86e2cfc1f8e413d7ca81264c0c58d55c0495e
        • Instruction ID: 7399a24566e835d4bf74ae8faf6f599a32d3c581d2ea115a227339331e7fa0df
        • Opcode Fuzzy Hash: d916e2e12d8e8e0e05938552f8e86e2cfc1f8e413d7ca81264c0c58d55c0495e
        • Instruction Fuzzy Hash: 1BE0C273401120ABC6216F15ED0871A777C6F46B27F02C12BF8407B26087781C434FC8
        APIs
        • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405D46,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405AFB
        • lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405B13
        • CharNextA.USER32(00000000,?,00000000,00405D46,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405B24
        • lstrlenA.KERNEL32(00000000,?,00000000,00405D46,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405B2D
        Similarity
        • API ID: lstrlen$CharNextlstrcmpi
        • String ID:
        • API String ID: 190613189-0
        • Opcode ID: dddc0b46adaff912d9c321cf48e41736a02eed0190ef2a74250491e495455120
        • Instruction ID: c1544da0d971e4a519e78892e838bc28cfb462c10397de1a7bf1af1224e2ff03
        • Opcode Fuzzy Hash: dddc0b46adaff912d9c321cf48e41736a02eed0190ef2a74250491e495455120
        • Instruction Fuzzy Hash: 9CF06232105418BFC712DFA5DD40D9EBBB8DF56250B2540BAE840F7251D674FE019BA9