
Windows Analysis Report
PI_20052024.exe

Overview

General Information

Sample name:PI_20052024.exe
Analysis ID:1447912
MD5:1184a592120050bb97393bf479962ee7
SHA1:e603527c59975f807615e5e578662b9140896fa3
SHA256:b2455ad91129772b38a764f79b25861dd16fe5140871a73f6908676ef54df951
Tags:exe

Detection

Score:4
Range:0 - 100
Whitelisted:false
Confidence:60%

Signatures

Contains functionality for read data from the clipboard
Contains functionality to shutdown / reboot the system
Detected potential crypto function
Found large amount of non-executed APIs
PE file contains an invalid checksum
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files

Classification

  • System is w10x64
  • PI_20052024.exe (PID: 1248 cmdline: "C:\Users\user\Desktop\PI_20052024.exe" MD5: 1184A592120050BB97393BF479962EE7)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched


There are no malicious signatures; the informative signatures and their evidence are listed below.

Source: PI_20052024.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: PI_20052024.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\PI_20052024.exe | Code function: 0_2_00406435 FindFirstFileA,FindClose,0_2_00406435
Source: C:\Users\user\Desktop\PI_20052024.exe | Code function: 0_2_00405889 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,0_2_00405889
Source: C:\Users\user\Desktop\PI_20052024.exe | Code function: 0_2_004027A1 FindFirstFileA,0_2_004027A1
Source: PI_20052024.exe, 00000000.00000002.1498884560.00000000004A8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://nsis.sf.ne
Source: PI_20052024.exe | String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: PI_20052024.exe, 00000000.00000003.1454163323.00000000004BF000.00000004.00000020.00020000.00000000.sdmp, PI_20052024.exe, 00000000.00000002.1498884560.00000000004A8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://nsis.sf.net/NSIS_Error(
Source: PI_20052024.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: C:\Users\user\Desktop\PI_20052024.exe | Code function: 0_2_00405326 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,0_2_00405326
Source: C:\Users\user\Desktop\PI_20052024.exe | Code function: 0_2_00403312 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_00403312
Source: C:\Users\user\Desktop\PI_20052024.exe | Code function: 0_2_004067BE 0_2_004067BE
Source: PI_20052024.exe, 00000000.00000000.1453442898.000000000043B000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamekvldet altsaxofonisters.exeDVarFileInfo$ vs PI_20052024.exe
Source: PI_20052024.exe | Binary or memory string: OriginalFilenamekvldet altsaxofonisters.exeDVarFileInfo$ vs PI_20052024.exe
Source: classification engine | Classification label: clean4.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\PI_20052024.exe | Code function: 0_2_004045D7 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,0_2_004045D7
Source: C:\Users\user\Desktop\PI_20052024.exe | Code function: 0_2_0040216B CoCreateInstance,MultiByteToWideChar,0_2_0040216B
Source: C:\Users\user\Desktop\PI_20052024.exe | File created: C:\Users\user\AppData\Local\Temp\nsvCAFB.tmp
Source: PI_20052024.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\PI_20052024.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\PI_20052024.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\PI_20052024.exe | File read: C:\Users\user\Desktop\PI_20052024.exe
Source: C:\Users\user\Desktop\PI_20052024.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\PI_20052024.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\PI_20052024.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\PI_20052024.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\PI_20052024.exe | Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\PI_20052024.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\PI_20052024.exe | Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\PI_20052024.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\PI_20052024.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\PI_20052024.exe | Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\PI_20052024.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\PI_20052024.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\PI_20052024.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\PI_20052024.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\PI_20052024.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\PI_20052024.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\PI_20052024.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\PI_20052024.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\PI_20052024.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\PI_20052024.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\PI_20052024.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: PI_20052024.exe | Static PE information: real checksum: 0x9af8f should be: 0x6fdac
Source: C:\Users\user\Desktop\PI_20052024.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PI_20052024.exe | API coverage: 8.2 %
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: PI_20052024.exe, 00000000.00000003.1454163323.00000000004BF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\PI_20052024.exe | API call chain: ExitProcess graph end node graph_0-3160
MITRE ATT&CK matrix (a leading number is the count of matched signatures for that technique):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses
Resource Development: Acquire Infrastructure; Domains; DNS Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job; At
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows)
Privilege Escalation: 1 Access Token Manipulation; 1 DLL Side-Loading; Logon Script (Windows)
Defense Evasion: 1 Access Token Manipulation; 1 DLL Side-Loading; Obfuscated Files or Information
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager
Discovery: 1 Security Software Discovery; 2 File and Directory Discovery; 4 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares
Collection: 1 Archive Collected Data; 1 Clipboard Data; Data from Network Shared Drive
Command and Control: 1 Encrypted Channel; Junk Data; Steganography
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration
Impact: 1 System Shutdown/Reboot; Network Denial of Service; Data Encrypted for Impact
No Antivirus matches
Source | Detection | Scanner | Label | Link
http://nsis.sf.net/NSIS_Error | 0% | URL Reputation | safe
http://nsis.sf.net/NSIS_ErrorError | 0% | URL Reputation | safe
http://nsis.sf.ne | 0% | Avira URL Cloud | safe
http://nsis.sf.net/NSIS_Error( | 0% | Avira URL Cloud | safe
http://nsis.sf.ne | 0% | Virustotal | Browse
http://nsis.sf.net/NSIS_Error( | 0% | Virustotal | Browse
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://nsis.sf.net/NSIS_Error | PI_20052024.exe | false | URL Reputation: safe | unknown
http://nsis.sf.net/NSIS_ErrorError | PI_20052024.exe | false | URL Reputation: safe | unknown
http://nsis.sf.ne | PI_20052024.exe, 00000000.00000002.1498884560.00000000004A8000.00000004.00000020.00020000.00000000.sdmp | false | Virustotal: 0% (Browse); Avira URL Cloud: safe | unknown
http://nsis.sf.net/NSIS_Error( | PI_20052024.exe, 00000000.00000003.1454163323.00000000004BF000.00000004.00000020.00020000.00000000.sdmp, PI_20052024.exe, 00000000.00000002.1498884560.00000000004A8000.00000004.00000020.00020000.00000000.sdmp | false | Virustotal: 0% (Browse); Avira URL Cloud: safe | unknown
No contacted IP infos
Joe Sandbox version:40.0.0 Tourmaline
Analysis ID:1447912
Start date and time:2024-05-27 12:18:21 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 2m 29s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:2
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:PI_20052024.exe
Detection:CLEAN
Classification:clean4.winEXE@1/0@0/0
EGA Information:
  • Successful, ratio: 100%
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 9
  • Number of non-executed functions: 45
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Stop behavior analysis, all processes terminated
  • Exclude process from analysis (whitelisted): dllhost.exe
No simulations
No context
No created / dropped files found
File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):6.77450270027035
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:PI_20052024.exe
File size:439'128 bytes
MD5:1184a592120050bb97393bf479962ee7
SHA1:e603527c59975f807615e5e578662b9140896fa3
SHA256:b2455ad91129772b38a764f79b25861dd16fe5140871a73f6908676ef54df951
SHA512:a414027ee708c303f114b46bad800d9430125e73ac2ce75b6e83199258de96c6d5ebaa680aa4afc7d37f08b1de786685de3f1d0f2dda95b3b9378a3304cecfe6
SSDEEP:6144:bqjIG7MM+Z7qyul3ywab6eXPU0KdDBKKVPVRPKy1FqiTExXR+Z:mH7MMIqb9BaBUbdD4aPHb2XR+Z
TLSH:AF94C0827941D832F6152A350EF2EEFDFB76BC9059409B073274762D297BB019E09ACD
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1)..PG..PG..PG.*_...PG..PF.IPG.*_...PG..sw..PG..VA..PG.Rich.PG.........PE..L.....$_.................b...........3............@
Icon Hash:0d0617331d492713
Entrypoint:0x403312
Entrypoint Section:.text
Digitally signed:true
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:0x5F24D6A7 [Sat Aug 1 02:42:47 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:4
OS Version Minor:0
File Version Major:4
File Version Minor:0
Subsystem Version Major:4
Subsystem Version Minor:0
Import Hash:ced282d9b261d1462772017fe2f6972b
Signature Valid:
Signature Issuer:
Signature Validation Error:
Error Number:
      Instruction
      sub esp, 00000184h
      push ebx
      push esi
      push edi
      xor ebx, ebx
      push 00008001h
      mov dword ptr [esp+18h], ebx
      mov dword ptr [esp+10h], 0040A198h
      mov dword ptr [esp+20h], ebx
      mov byte ptr [esp+14h], 00000020h
      call dword ptr [004080B8h]
      call dword ptr [004080BCh]
      and eax, BFFFFFFFh
      cmp ax, 00000006h
      mov dword ptr [0042472Ch], eax
      je 00007F00355B6C43h
      push ebx
      call 00007F00355B9DA6h
      cmp eax, ebx
      je 00007F00355B6C39h
      push 00000C00h
      call eax
      mov esi, 004082A0h
      push esi
      call 00007F00355B9D22h
      push esi
      call dword ptr [004080CCh]
      lea esi, dword ptr [esi+eax+01h]
      cmp byte ptr [esi], bl
      jne 00007F00355B6C1Dh
      push 0000000Bh
      call 00007F00355B9D7Ah
      push 00000009h
      call 00007F00355B9D73h
      push 00000007h
      mov dword ptr [00424724h], eax
      call 00007F00355B9D67h
      cmp eax, ebx
      je 00007F00355B6C41h
      push 0000001Eh
      call eax
      test eax, eax
      je 00007F00355B6C39h
      or byte ptr [0042472Fh], 00000040h
      push ebp
      call dword ptr [00408038h]
      push ebx
      call dword ptr [00408288h]
      mov dword ptr [004247F8h], eax
      push ebx
      lea eax, dword ptr [esp+38h]
      push 00000160h
      push eax
      push ebx
      push 0041FCE8h
      call dword ptr [0040816Ch]
      push 0040A188h
      Programming Language:
      • [EXP] VC++ 6.0 SP5 build 8804
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8438 | 0xa0 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x3b000 | 0x2e5d8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x8d7e0 | 0xa20 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x29c | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x60d5 | 0x6200 | 83acff9b8bf5b52f9975f8acdcabf744 | False | 0.6630660076530612 | data | 6.4176717642026535 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8000 | 0x1274 | 0x1400 | b8e42f3d3b81b0e2a4080ab31bc2d1f4 | False | 0.4337890625 | data | 5.061067348371254 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xa000 | 0x1a838 | 0x600 | 599a2f85a30bf72bff5e1c2e854c43ee | False | 0.4361979166666667 | data | 3.9951628803851107 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata | 0x25000 | 0x16000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x3b000 | 0x2e5d8 | 0x2e600 | f94a8f4d68adfb572485b77d5f8b98c5 | False | 0.4019962938005391 | data | 4.5079430833024645 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x3b4a8 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536 | English | United States | 0.35749142316337396
RT_ICON | 0x4bcd0 | 0x94a8 | Device independent bitmap graphic, 96 x 192 x 32, image size 36864 | English | United States | 0.4036945553920538
RT_ICON | 0x55178 | 0x4c28 | Device independent bitmap graphic, 128 x 256 x 8, image size 16384 | English | United States | 0.2957529749692245
RT_ICON | 0x59da0 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16384 | English | United States | 0.4624468587623996
RT_ICON | 0x5dfc8 | 0x2ca8 | Device independent bitmap graphic, 96 x 192 x 8, image size 9216 | English | United States | 0.3624037788663401
RT_ICON | 0x60c70 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | English | United States | 0.5025933609958506
RT_ICON | 0x63218 | 0x1628 | Device independent bitmap graphic, 64 x 128 x 8, image size 4096 | English | United States | 0.48007757404795487
RT_ICON | 0x64840 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | English | United States | 0.5675422138836773
RT_ICON | 0x658e8 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304 | English | United States | 0.5732942430703625
RT_ICON | 0x66790 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2304 | English | United States | 0.6135245901639345
RT_ICON | 0x67118 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024 | English | United States | 0.6859205776173285
RT_ICON | 0x679c0 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576 | English | United States | 0.7361751152073732
RT_ICON | 0x68088 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256 | English | United States | 0.7760115606936416
RT_ICON | 0x685f0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | English | United States | 0.6125886524822695
RT_DIALOG | 0x68a58 | 0x144 | data | English | United States | 0.5216049382716049
RT_DIALOG | 0x68ba0 | 0x100 | data | English | United States | 0.5234375
RT_DIALOG | 0x68ca0 | 0x11c | data | English | United States | 0.6056338028169014
RT_DIALOG | 0x68dc0 | 0xc4 | data | English | United States | 0.5918367346938775
RT_DIALOG | 0x68e88 | 0x60 | data | English | United States | 0.7291666666666666
RT_GROUP_ICON | 0x68ee8 | 0xca | data | English | United States | 0.5841584158415841
RT_VERSION | 0x68fb8 | 0x2e0 | data | English | United States | 0.5054347826086957
RT_MANIFEST | 0x69298 | 0x340 | XML 1.0 document, ASCII text, with very long lines (832), with no line terminators | English | United States | 0.5540865384615384
DLL | Import
ADVAPI32.dll | RegCreateKeyExA, RegEnumKeyA, RegQueryValueExA, RegSetValueExA, RegCloseKey, RegDeleteValueA, RegDeleteKeyA, AdjustTokenPrivileges, LookupPrivilegeValueA, OpenProcessToken, SetFileSecurityA, RegOpenKeyExA, RegEnumValueA
SHELL32.dll | SHGetFileInfoA, SHFileOperationA, SHGetPathFromIDListA, ShellExecuteExA, SHGetSpecialFolderLocation, SHBrowseForFolderA
ole32.dll | IIDFromString, OleInitialize, OleUninitialize, CoCreateInstance, CoTaskMemFree
COMCTL32.dll | ImageList_Create, ImageList_Destroy, ImageList_AddMasked
USER32.dll | SetClipboardData, CharPrevA, CallWindowProcA, PeekMessageA, DispatchMessageA, MessageBoxIndirectA, GetDlgItemTextA, SetDlgItemTextA, GetSystemMetrics, CreatePopupMenu, AppendMenuA, TrackPopupMenu, FillRect, EmptyClipboard, LoadCursorA, GetMessagePos, CheckDlgButton, GetSysColor, SetCursor, GetWindowLongA, SetClassLongA, SetWindowPos, IsWindowEnabled, GetWindowRect, GetSystemMenu, EnableMenuItem, RegisterClassA, ScreenToClient, EndDialog, GetClassInfoA, SystemParametersInfoA, CreateWindowExA, ExitWindowsEx, DialogBoxParamA, CharNextA, SetTimer, DestroyWindow, CreateDialogParamA, SetForegroundWindow, SetWindowTextA, PostQuitMessage, SendMessageTimeoutA, ShowWindow, wsprintfA, GetDlgItem, FindWindowExA, IsWindow, GetDC, SetWindowLongA, LoadImageA, InvalidateRect, ReleaseDC, EnableWindow, BeginPaint, SendMessageA, DefWindowProcA, DrawTextA, GetClientRect, EndPaint, IsWindowVisible, CloseClipboard, OpenClipboard
GDI32.dll | SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectA, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
KERNEL32.dll | GetExitCodeProcess, WaitForSingleObject, GetProcAddress, GetSystemDirectoryA, WideCharToMultiByte, MoveFileExA, ReadFile, GetTempFileNameA, WriteFile, RemoveDirectoryA, CreateProcessA, CreateFileA, GetLastError, CreateThread, CreateDirectoryA, GlobalUnlock, GetDiskFreeSpaceA, GlobalLock, SetErrorMode, GetVersion, lstrcpynA, GetCommandLineA, GetTempPathA, lstrlenA, SetEnvironmentVariableA, ExitProcess, GetWindowsDirectoryA, GetCurrentProcess, GetModuleFileNameA, CopyFileA, GetTickCount, Sleep, GetFileSize, GetFileAttributesA, SetCurrentDirectoryA, SetFileAttributesA, GetFullPathNameA, GetShortPathNameA, MoveFileA, CompareFileTime, SetFileTime, SearchPathA, lstrcmpiA, lstrcmpA, CloseHandle, GlobalFree, GlobalAlloc, ExpandEnvironmentStringsA, LoadLibraryExA, FreeLibrary, lstrcpyA, lstrcatA, FindClose, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, SetFilePointer, GetModuleHandleA, FindNextFileA, FindFirstFileA, DeleteFileA, MulDiv
Language of compilation system | Country where language is spoken
English | United States
      No network behavior found


      Target ID:0
      Start time:06:19:36
      Start date:27/05/2024
      Path:C:\Users\user\Desktop\PI_20052024.exe
      Wow64 process (32bit):true
      Commandline:"C:\Users\user\Desktop\PI_20052024.exe"
      Imagebase:0x400000
      File size:439'128 bytes
      MD5 hash:1184A592120050BB97393BF479962EE7
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:low
      Has exited:true


        Execution Graph

        Execution Coverage:5%
        Dynamic/Decrypted Code Coverage:0%
        Signature Coverage:17.6%
        Total number of Nodes:1319
        Total number of Limit Nodes:15
4037->4043 4038->4037 4039 401423 24 API calls 4040 4022e2 4039->4040 4042 40228c MultiByteToWideChar 4041->4042 4041->4043 4042->4043 4043->4039 4043->4040 4044 4022eb 4045 402bce 17 API calls 4044->4045 4046 4022f1 4045->4046 4047 402bce 17 API calls 4046->4047 4048 4022fa 4047->4048 4049 402bce 17 API calls 4048->4049 4050 402303 4049->4050 4051 406435 2 API calls 4050->4051 4052 40230c 4051->4052 4053 402310 4052->4053 4054 40231d lstrlenA lstrlenA 4052->4054 4055 4051e8 24 API calls 4053->4055 4057 402318 4053->4057 4056 4051e8 24 API calls 4054->4056 4055->4057 4058 402359 SHFileOperationA 4056->4058 4058->4053 4058->4057 4059 40236d 4060 402374 4059->4060 4062 402387 4059->4062 4061 406154 17 API calls 4060->4061 4063 402381 4061->4063 4064 4057dd MessageBoxIndirectA 4063->4064 4064->4062 4065 40266d 4066 402bac 17 API calls 4065->4066 4071 402677 4066->4071 4067 4026e5 4068 405cd2 ReadFile 4068->4071 4069 4026e7 4074 40601f wsprintfA 4069->4074 4070 4026f7 4070->4067 4073 40270d SetFilePointer 4070->4073 4071->4067 4071->4068 4071->4069 4071->4070 4073->4067 4074->4067 4075 4019ed 4076 402bce 17 API calls 4075->4076 4077 4019f4 4076->4077 4078 402bce 17 API calls 4077->4078 4079 4019fd 4078->4079 4080 401a04 lstrcmpiA 4079->4080 4081 401a16 lstrcmpA 4079->4081 4082 401a0a 4080->4082 4081->4082 4083 40156f 4084 401586 4083->4084 4085 40157f ShowWindow 4083->4085 4086 401594 ShowWindow 4084->4086 4087 402a5a 4084->4087 4085->4084 4086->4087 4088 403c71 4089 403dc4 4088->4089 4090 403c89 4088->4090 4091 403dd5 GetDlgItem GetDlgItem 4089->4091 4100 403e15 4089->4100 4090->4089 4092 403c95 4090->4092 4093 404145 18 API calls 4091->4093 4095 403ca0 SetWindowPos 4092->4095 4096 403cb3 4092->4096 4099 403dff SetClassLongA 4093->4099 4094 403e6f 4101 404191 SendMessageA 4094->4101 4106 403dbf 4094->4106 4095->4096 4097 403cd0 4096->4097 4098 403cb8 ShowWindow 4096->4098 4102 403cf2 4097->4102 4103 403cd8 DestroyWindow 4097->4103 4098->4097 4104 40140b 2 API calls 
4099->4104 4100->4094 4105 401389 2 API calls 4100->4105 4128 403e81 4101->4128 4108 403cf7 SetWindowLongA 4102->4108 4109 403d08 4102->4109 4107 4040ce 4103->4107 4104->4100 4110 403e47 4105->4110 4107->4106 4116 4040ff ShowWindow 4107->4116 4108->4106 4113 403d7f 4109->4113 4114 403d14 GetDlgItem 4109->4114 4110->4094 4115 403e4b SendMessageA 4110->4115 4111 40140b 2 API calls 4111->4128 4112 4040d0 DestroyWindow EndDialog 4112->4107 4119 4041ac 8 API calls 4113->4119 4117 403d44 4114->4117 4118 403d27 SendMessageA IsWindowEnabled 4114->4118 4115->4106 4116->4106 4121 403d51 4117->4121 4124 403d98 SendMessageA 4117->4124 4125 403d64 4117->4125 4131 403d49 4117->4131 4118->4106 4118->4117 4119->4106 4120 406154 17 API calls 4120->4128 4121->4124 4121->4131 4123 404145 18 API calls 4123->4128 4124->4113 4126 403d81 4125->4126 4127 403d6c 4125->4127 4130 40140b 2 API calls 4126->4130 4129 40140b 2 API calls 4127->4129 4128->4106 4128->4111 4128->4112 4128->4120 4128->4123 4132 404145 18 API calls 4128->4132 4148 404010 DestroyWindow 4128->4148 4129->4131 4130->4131 4131->4113 4157 40411e 4131->4157 4133 403efc GetDlgItem 4132->4133 4134 403f11 4133->4134 4135 403f19 ShowWindow EnableWindow 4133->4135 4134->4135 4160 404167 EnableWindow 4135->4160 4137 403f43 EnableWindow 4142 403f57 4137->4142 4138 403f5c GetSystemMenu EnableMenuItem SendMessageA 4139 403f8c SendMessageA 4138->4139 4138->4142 4139->4142 4141 403c52 18 API calls 4141->4142 4142->4138 4142->4141 4161 40417a SendMessageA 4142->4161 4162 4060c1 lstrcpynA 4142->4162 4144 403fbb lstrlenA 4145 406154 17 API calls 4144->4145 4146 403fcc SetWindowTextA 4145->4146 4147 401389 2 API calls 4146->4147 4147->4128 4148->4107 4149 40402a CreateDialogParamA 4148->4149 4149->4107 4150 40405d 4149->4150 4151 404145 18 API calls 4150->4151 4152 404068 GetDlgItem GetWindowRect ScreenToClient SetWindowPos 4151->4152 4153 401389 2 API calls 4152->4153 4154 4040ae 4153->4154 4154->4106 4155 4040b6 ShowWindow 4154->4155 
4156 404191 SendMessageA 4155->4156 4156->4107 4158 404125 4157->4158 4159 40412b SendMessageA 4157->4159 4158->4159 4159->4113 4160->4137 4161->4142 4162->4144 4170 4014f4 SetForegroundWindow 4171 402a5a 4170->4171 4179 402476 4180 402bce 17 API calls 4179->4180 4181 402488 4180->4181 4182 402bce 17 API calls 4181->4182 4183 402492 4182->4183 4196 402c5e 4183->4196 4186 402a5a 4187 4024c7 4189 4024d3 4187->4189 4192 402bac 17 API calls 4187->4192 4188 402bce 17 API calls 4191 4024c0 lstrlenA 4188->4191 4190 4024f5 RegSetValueExA 4189->4190 4193 4030d8 35 API calls 4189->4193 4194 40250b RegCloseKey 4190->4194 4191->4187 4192->4189 4193->4190 4194->4186 4197 402c79 4196->4197 4200 405f75 4197->4200 4201 405f84 4200->4201 4202 4024a2 4201->4202 4203 405f8f RegCreateKeyExA 4201->4203 4202->4186 4202->4187 4202->4188 4203->4202 4204 402777 4205 40277d 4204->4205 4206 402781 FindNextFileA 4205->4206 4208 402793 4205->4208 4207 4027d2 4206->4207 4206->4208 4210 4060c1 lstrcpynA 4207->4210 4210->4208 4211 401ef9 4212 402bce 17 API calls 4211->4212 4213 401eff 4212->4213 4214 402bce 17 API calls 4213->4214 4215 401f08 4214->4215 4216 402bce 17 API calls 4215->4216 4217 401f11 4216->4217 4218 402bce 17 API calls 4217->4218 4219 401f1a 4218->4219 4220 401423 24 API calls 4219->4220 4221 401f21 4220->4221 4228 4057a3 ShellExecuteExA 4221->4228 4223 401f5c 4225 4027bf 4223->4225 4229 40653f WaitForSingleObject 4223->4229 4226 401f76 CloseHandle 4226->4225 4228->4223 4230 406559 4229->4230 4231 40656b GetExitCodeProcess 4230->4231 4232 406506 2 API calls 4230->4232 4231->4226 4233 406560 WaitForSingleObject 4232->4233 4233->4230 4234 40427b lstrcpynA lstrlenA 4235 401f7b 4236 402bce 17 API calls 4235->4236 4237 401f81 4236->4237 4238 4051e8 24 API calls 4237->4238 4239 401f8b 4238->4239 4240 405760 2 API calls 4239->4240 4241 401f91 4240->4241 4242 401fb2 CloseHandle 4241->4242 4244 40653f 5 API calls 4241->4244 4245 4027bf 4241->4245 4242->4245 4246 401fa6 4244->4246 
4246->4242 4248 40601f wsprintfA 4246->4248 4248->4242 4256 401ffb 4257 402bce 17 API calls 4256->4257 4258 402002 4257->4258 4259 4064ca 5 API calls 4258->4259 4260 402011 4259->4260 4261 402029 GlobalAlloc 4260->4261 4266 402091 4260->4266 4262 40203d 4261->4262 4261->4266 4263 4064ca 5 API calls 4262->4263 4264 402044 4263->4264 4265 4064ca 5 API calls 4264->4265 4267 40204e 4265->4267 4267->4266 4271 40601f wsprintfA 4267->4271 4269 402085 4272 40601f wsprintfA 4269->4272 4271->4269 4272->4266 4273 4018fd 4274 401934 4273->4274 4275 402bce 17 API calls 4274->4275 4276 401939 4275->4276 4277 405889 67 API calls 4276->4277 4278 401942 4277->4278 4279 401000 4280 401037 BeginPaint GetClientRect 4279->4280 4281 40100c DefWindowProcA 4279->4281 4283 4010f3 4280->4283 4284 401179 4281->4284 4285 401073 CreateBrushIndirect FillRect DeleteObject 4283->4285 4286 4010fc 4283->4286 4285->4283 4287 401102 CreateFontIndirectA 4286->4287 4288 401167 EndPaint 4286->4288 4287->4288 4289 401112 6 API calls 4287->4289 4288->4284 4289->4288 4290 401900 4291 402bce 17 API calls 4290->4291 4292 401907 4291->4292 4293 4057dd MessageBoxIndirectA 4292->4293 4294 401910 4293->4294 4295 401502 4296 40150a 4295->4296 4298 40151d 4295->4298 4297 402bac 17 API calls 4296->4297 4297->4298 4299 402604 4300 402bce 17 API calls 4299->4300 4301 40260b 4300->4301 4304 405c5a GetFileAttributesA CreateFileA 4301->4304 4303 402617 4304->4303 4305 401b87 4306 401b94 4305->4306 4307 401bd8 4305->4307 4310 401c1c 4306->4310 4313 401bab 4306->4313 4308 401c01 GlobalAlloc 4307->4308 4309 401bdc 4307->4309 4312 406154 17 API calls 4308->4312 4320 402387 4309->4320 4326 4060c1 lstrcpynA 4309->4326 4311 406154 17 API calls 4310->4311 4310->4320 4314 402381 4311->4314 4312->4310 4324 4060c1 lstrcpynA 4313->4324 4319 4057dd MessageBoxIndirectA 4314->4319 4317 401bee GlobalFree 4317->4320 4318 401bba 4325 4060c1 lstrcpynA 4318->4325 4319->4320 4322 401bc9 4327 4060c1 lstrcpynA 4322->4327 4324->4318 4325->4322 
4326->4317 4327->4320 4328 402588 4338 402c0e 4328->4338 4331 402bac 17 API calls 4332 40259b 4331->4332 4333 4025c2 RegEnumValueA 4332->4333 4334 4025b6 RegEnumKeyA 4332->4334 4335 4027bf 4332->4335 4336 4025d7 RegCloseKey 4333->4336 4334->4336 4336->4335 4339 402bce 17 API calls 4338->4339 4340 402c25 4339->4340 4341 405f47 RegOpenKeyExA 4340->4341 4342 402592 4341->4342 4342->4331 4350 404590 4351 4045a0 4350->4351 4352 4045c6 4350->4352 4353 404145 18 API calls 4351->4353 4354 4041ac 8 API calls 4352->4354 4355 4045ad SetDlgItemTextA 4353->4355 4356 4045d2 4354->4356 4355->4352 4357 401490 4358 4051e8 24 API calls 4357->4358 4359 401497 4358->4359 3110 403312 SetErrorMode GetVersion 3111 403353 3110->3111 3112 403359 3110->3112 3113 4064ca 5 API calls 3111->3113 3203 40645c GetSystemDirectoryA 3112->3203 3113->3112 3115 40336f lstrlenA 3115->3112 3116 40337e 3115->3116 3206 4064ca GetModuleHandleA 3116->3206 3119 4064ca 5 API calls 3120 40338c 3119->3120 3121 4064ca 5 API calls 3120->3121 3123 403398 #17 OleInitialize SHGetFileInfoA 3121->3123 3212 4060c1 lstrcpynA 3123->3212 3125 4033e4 GetCommandLineA 3213 4060c1 lstrcpynA 3125->3213 3127 4033f6 3214 405a84 3127->3214 3130 4034f9 3131 40350c GetTempPathA 3130->3131 3218 4032e1 3131->3218 3133 403524 3134 403528 GetWindowsDirectoryA lstrcatA 3133->3134 3135 40357e DeleteFileA 3133->3135 3138 4032e1 12 API calls 3134->3138 3228 402ea1 GetTickCount GetModuleFileNameA 3135->3228 3136 405a84 CharNextA 3137 40342f 3136->3137 3137->3130 3137->3136 3141 4034fb 3137->3141 3140 403544 3138->3140 3140->3135 3144 403548 GetTempPathA lstrcatA SetEnvironmentVariableA SetEnvironmentVariableA 3140->3144 3269 4060c1 lstrcpynA 3141->3269 3148 4032e1 12 API calls 3144->3148 3145 40362c 3258 4037fa 3145->3258 3146 403618 3287 4038d4 3146->3287 3152 403576 3148->3152 3150 405a84 CharNextA 3154 4035ad 3150->3154 3152->3135 3152->3145 3153 403628 3153->3145 3162 4035f3 3154->3162 3163 403658 3154->3163 3155 403760 3158 4037e2 
3155->3158 3159 403768 GetCurrentProcess OpenProcessToken 3155->3159 3156 403642 3265 4057dd 3156->3265 3160 4037f0 ExitProcess 3158->3160 3161 4037ec 3158->3161 3165 4037b3 3159->3165 3166 403783 LookupPrivilegeValueA AdjustTokenPrivileges 3159->3166 3161->3160 3270 405b47 3162->3270 3343 405748 3163->3343 3169 4064ca 5 API calls 3165->3169 3166->3165 3172 4037ba 3169->3172 3176 4037cf ExitWindowsEx 3172->3176 3177 4037db 3172->3177 3173 403602 3285 4060c1 lstrcpynA 3173->3285 3174 403679 lstrcatA lstrcmpiA 3174->3145 3179 403695 3174->3179 3175 40366e lstrcatA 3175->3174 3176->3158 3176->3177 3380 40140b 3177->3380 3182 4036a1 3179->3182 3183 40369a 3179->3183 3181 40360d 3286 4060c1 lstrcpynA 3181->3286 3351 40572b CreateDirectoryA 3182->3351 3346 4056ae CreateDirectoryA 3183->3346 3188 4036a6 SetCurrentDirectoryA 3189 4036c0 3188->3189 3190 4036b5 3188->3190 3355 4060c1 lstrcpynA 3189->3355 3354 4060c1 lstrcpynA 3190->3354 3195 40370c CopyFileA 3200 4036ce 3195->3200 3196 403754 3197 405ea0 36 API calls 3196->3197 3197->3153 3199 406154 17 API calls 3199->3200 3200->3196 3200->3199 3202 403740 CloseHandle 3200->3202 3356 406154 3200->3356 3373 405ea0 MoveFileExA 3200->3373 3377 405760 CreateProcessA 3200->3377 3202->3200 3204 40647e wsprintfA LoadLibraryExA 3203->3204 3204->3115 3207 4064f0 GetProcAddress 3206->3207 3208 4064e6 3206->3208 3211 403385 3207->3211 3209 40645c 3 API calls 3208->3209 3210 4064ec 3209->3210 3210->3207 3210->3211 3211->3119 3212->3125 3213->3127 3215 405a8a 3214->3215 3216 40341f CharNextA 3215->3216 3217 405a90 CharNextA 3215->3217 3216->3137 3217->3215 3383 40639c 3218->3383 3220 4032f7 3220->3133 3221 4032ed 3221->3220 3392 405a59 lstrlenA CharPrevA 3221->3392 3224 40572b 2 API calls 3225 403305 3224->3225 3395 405c89 3225->3395 3399 405c5a GetFileAttributesA CreateFileA 3228->3399 3230 402ee1 3240 402ef1 3230->3240 3400 4060c1 lstrcpynA 3230->3400 3232 402f07 3401 405aa0 lstrlenA 3232->3401 3236 402f18 GetFileSize 3249 402f2f 
3236->3249 3254 403012 3236->3254 3237 402e3d 6 API calls 3238 40301b 3237->3238 3238->3240 3241 40304b GlobalAlloc 3238->3241 3420 4032ca SetFilePointer 3238->3420 3240->3145 3240->3146 3240->3150 3421 4032ca SetFilePointer 3241->3421 3242 40307e 3246 402e3d 6 API calls 3242->3246 3245 403066 3422 4030d8 3245->3422 3257 403085 3246->3257 3247 403034 3250 4032b4 ReadFile 3247->3250 3248 402fe7 3248->3249 3409 402e3d 3248->3409 3249->3240 3249->3242 3249->3248 3249->3254 3406 4032b4 3249->3406 3253 40303f 3250->3253 3253->3240 3253->3241 3254->3237 3255 403072 3255->3240 3255->3255 3256 4030af SetFilePointer 3255->3256 3256->3257 3257->3240 3259 403812 3258->3259 3260 403804 FindCloseChangeNotification 3258->3260 3470 40383f 3259->3470 3260->3259 3266 4057f2 3265->3266 3267 403650 ExitProcess 3266->3267 3268 405806 MessageBoxIndirectA 3266->3268 3268->3267 3269->3131 3530 4060c1 lstrcpynA 3270->3530 3272 405b58 3531 405af2 CharNextA CharNextA 3272->3531 3275 4035fe 3275->3145 3275->3173 3276 40639c 5 API calls 3277 405b6e 3276->3277 3277->3275 3282 405b81 3277->3282 3278 405b99 lstrlenA 3279 405ba4 3278->3279 3278->3282 3281 405a59 3 API calls 3279->3281 3280 406435 2 API calls 3280->3282 3283 405ba9 GetFileAttributesA 3281->3283 3282->3275 3282->3278 3282->3280 3284 405aa0 2 API calls 3282->3284 3283->3275 3284->3278 3285->3181 3286->3146 3288 4064ca 5 API calls 3287->3288 3289 4038e8 3288->3289 3290 403900 3289->3290 3291 4038ee 3289->3291 3538 405fa8 3290->3538 3537 40601f wsprintfA 3291->3537 3294 403949 lstrcatA 3297 4038fe 3294->3297 3296 405fa8 3 API calls 3296->3294 3543 403b99 3297->3543 3300 405b47 18 API calls 3302 40397b 3300->3302 3301 403a04 3303 405b47 18 API calls 3301->3303 3302->3301 3304 405fa8 3 API calls 3302->3304 3305 403a0a 3303->3305 3306 4039a7 3304->3306 3307 403a1a LoadImageA 3305->3307 3310 406154 17 API calls 3305->3310 3306->3301 3313 4039c3 lstrlenA 3306->3313 3317 405a84 CharNextA 3306->3317 3308 403ac0 3307->3308 3309 403a41 
RegisterClassA 3307->3309 3312 40140b 2 API calls 3308->3312 3311 403a77 SystemParametersInfoA CreateWindowExA 3309->3311 3342 403aca 3309->3342 3310->3307 3311->3308 3316 403ac6 3312->3316 3314 4039d1 lstrcmpiA 3313->3314 3315 4039f7 3313->3315 3314->3315 3319 4039e1 GetFileAttributesA 3314->3319 3320 405a59 3 API calls 3315->3320 3322 403b99 18 API calls 3316->3322 3316->3342 3318 4039c1 3317->3318 3318->3313 3321 4039ed 3319->3321 3323 4039fd 3320->3323 3321->3315 3324 405aa0 2 API calls 3321->3324 3325 403ad7 3322->3325 3551 4060c1 lstrcpynA 3323->3551 3324->3315 3327 403ae3 ShowWindow 3325->3327 3328 403b66 3325->3328 3330 40645c 3 API calls 3327->3330 3552 4052ba OleInitialize 3328->3552 3332 403afb 3330->3332 3331 403b6c 3333 403b70 3331->3333 3334 403b88 3331->3334 3335 403b09 GetClassInfoA 3332->3335 3339 40645c 3 API calls 3332->3339 3341 40140b 2 API calls 3333->3341 3333->3342 3338 40140b 2 API calls 3334->3338 3336 403b33 DialogBoxParamA 3335->3336 3337 403b1d GetClassInfoA RegisterClassA 3335->3337 3340 40140b 2 API calls 3336->3340 3337->3336 3338->3342 3339->3335 3340->3342 3341->3342 3342->3153 3344 4064ca 5 API calls 3343->3344 3345 40365d lstrcatA 3344->3345 3345->3174 3345->3175 3347 40369f 3346->3347 3348 4056ff GetLastError 3346->3348 3347->3188 3348->3347 3349 40570e SetFileSecurityA 3348->3349 3349->3347 3350 405724 GetLastError 3349->3350 3350->3347 3352 40573b 3351->3352 3353 40573f GetLastError 3351->3353 3352->3188 3353->3352 3354->3189 3355->3200 3364 406161 3356->3364 3357 406383 3358 4036ff DeleteFileA 3357->3358 3576 4060c1 lstrcpynA 3357->3576 3358->3195 3358->3200 3360 40635d lstrlenA 3360->3364 3363 406154 10 API calls 3363->3360 3364->3357 3364->3360 3364->3363 3365 406279 GetSystemDirectoryA 3364->3365 3366 405fa8 3 API calls 3364->3366 3367 40628c GetWindowsDirectoryA 3364->3367 3368 40639c 5 API calls 3364->3368 3369 406306 lstrcatA 3364->3369 3370 4062c0 SHGetSpecialFolderLocation 3364->3370 3371 406154 10 API calls 
3364->3371 3574 40601f wsprintfA 3364->3574 3575 4060c1 lstrcpynA 3364->3575 3365->3364 3366->3364 3367->3364 3368->3364 3369->3364 3370->3364 3372 4062d8 SHGetPathFromIDListA CoTaskMemFree 3370->3372 3371->3364 3372->3364 3374 405ec1 3373->3374 3375 405eb4 3373->3375 3374->3200 3577 405d30 3375->3577 3378 405793 CloseHandle 3377->3378 3379 40579f 3377->3379 3378->3379 3379->3200 3381 401389 2 API calls 3380->3381 3382 401420 3381->3382 3382->3158 3389 4063a8 3383->3389 3384 406414 CharPrevA 3385 406410 3384->3385 3385->3384 3387 40642f 3385->3387 3386 406405 CharNextA 3386->3385 3386->3389 3387->3221 3388 405a84 CharNextA 3388->3389 3389->3385 3389->3386 3389->3388 3390 4063f3 CharNextA 3389->3390 3391 406400 CharNextA 3389->3391 3390->3389 3391->3386 3393 405a73 lstrcatA 3392->3393 3394 4032ff 3392->3394 3393->3394 3394->3224 3396 405c94 GetTickCount GetTempFileNameA 3395->3396 3397 405cc1 3396->3397 3398 403310 3396->3398 3397->3396 3397->3398 3398->3133 3399->3230 3400->3232 3402 405aad 3401->3402 3403 405ab2 CharPrevA 3402->3403 3404 402f0d 3402->3404 3403->3402 3403->3404 3405 4060c1 lstrcpynA 3404->3405 3405->3236 3443 405cd2 ReadFile 3406->3443 3410 402e46 3409->3410 3411 402e5e 3409->3411 3414 402e56 3410->3414 3415 402e4f DestroyWindow 3410->3415 3412 402e66 3411->3412 3413 402e6e GetTickCount 3411->3413 3445 406506 3412->3445 3417 402e7c CreateDialogParamA ShowWindow 3413->3417 3418 402e9f 3413->3418 3414->3248 3415->3414 3417->3418 3418->3248 3420->3247 3421->3245 3423 4030ee 3422->3423 3424 403119 3423->3424 3449 4032ca SetFilePointer 3423->3449 3426 4032b4 ReadFile 3424->3426 3427 403124 3426->3427 3428 403254 3427->3428 3429 403136 GetTickCount 3427->3429 3431 40323e 3427->3431 3430 403258 3428->3430 3435 403270 3428->3435 3440 403149 3429->3440 3432 4032b4 ReadFile 3430->3432 3431->3255 3432->3431 3433 4032b4 ReadFile 3433->3435 3434 4032b4 ReadFile 3434->3440 3435->3431 3435->3433 3436 405d01 WriteFile 3435->3436 3436->3435 3438 4031af GetTickCount 
3438->3440 3439 4031d8 MulDiv wsprintfA 3457 4051e8 3439->3457 3440->3431 3440->3434 3440->3438 3440->3439 3450 40660f 3440->3450 3468 405d01 WriteFile 3440->3468 3444 4032c7 3443->3444 3444->3249 3446 406523 PeekMessageA 3445->3446 3447 402e6c 3446->3447 3448 406519 DispatchMessageA 3446->3448 3447->3248 3448->3446 3449->3424 3451 406634 3450->3451 3452 40663c 3450->3452 3451->3440 3452->3451 3453 4066c3 GlobalFree 3452->3453 3454 4066cc GlobalAlloc 3452->3454 3455 406743 GlobalAlloc 3452->3455 3456 40673a GlobalFree 3452->3456 3453->3454 3454->3451 3454->3452 3455->3451 3455->3452 3456->3455 3458 4052a6 3457->3458 3459 405203 3457->3459 3458->3440 3460 405220 lstrlenA 3459->3460 3461 406154 17 API calls 3459->3461 3462 405249 3460->3462 3463 40522e lstrlenA 3460->3463 3461->3460 3464 40525c 3462->3464 3465 40524f SetWindowTextA 3462->3465 3463->3458 3466 405240 lstrcatA 3463->3466 3464->3458 3467 405262 SendMessageA SendMessageA SendMessageA 3464->3467 3465->3464 3466->3462 3467->3458 3469 405d1f 3468->3469 3469->3440 3471 40384d 3470->3471 3472 403817 3471->3472 3473 403852 FreeLibrary GlobalFree 3471->3473 3474 405889 3472->3474 3473->3472 3473->3473 3475 405b47 18 API calls 3474->3475 3476 4058a9 3475->3476 3477 4058b1 DeleteFileA 3476->3477 3478 4058c8 3476->3478 3479 403631 OleUninitialize 3477->3479 3480 405a00 3478->3480 3514 4060c1 lstrcpynA 3478->3514 3479->3155 3479->3156 3480->3479 3483 4059f6 3480->3483 3482 4058ee 3484 405901 3482->3484 3485 4058f4 lstrcatA 3482->3485 3483->3480 3524 406435 FindFirstFileA 3483->3524 3488 405aa0 2 API calls 3484->3488 3487 405907 3485->3487 3490 405915 lstrcatA 3487->3490 3491 40590c 3487->3491 3488->3487 3492 405920 lstrlenA FindFirstFileA 3490->3492 3491->3490 3491->3492 3492->3483 3510 405944 3492->3510 3493 405a59 3 API calls 3495 405a24 3493->3495 3494 405a84 CharNextA 3494->3510 3496 405841 5 API calls 3495->3496 3497 405a30 3496->3497 3498 405a34 3497->3498 3499 405a4a 3497->3499 3498->3479 3504 4051e8 24 API 
calls 3498->3504 3500 4051e8 24 API calls 3499->3500 3500->3479 3501 4059d5 FindNextFileA 3503 4059ed FindClose 3501->3503 3501->3510 3503->3483 3505 405a41 3504->3505 3507 405ea0 36 API calls 3505->3507 3508 405a48 3507->3508 3508->3479 3509 405889 60 API calls 3509->3510 3510->3494 3510->3501 3510->3509 3511 4051e8 24 API calls 3510->3511 3512 4051e8 24 API calls 3510->3512 3513 405ea0 36 API calls 3510->3513 3515 4060c1 lstrcpynA 3510->3515 3516 405841 3510->3516 3511->3501 3512->3510 3513->3510 3514->3482 3515->3510 3527 405c35 GetFileAttributesA 3516->3527 3519 40586e 3519->3510 3520 405864 DeleteFileA 3522 40586a 3520->3522 3521 40585c RemoveDirectoryA 3521->3522 3522->3519 3523 40587a SetFileAttributesA 3522->3523 3523->3519 3525 405a1a 3524->3525 3526 40644b FindClose 3524->3526 3525->3479 3525->3493 3526->3525 3528 40584d 3527->3528 3529 405c47 SetFileAttributesA 3527->3529 3528->3519 3528->3520 3528->3521 3529->3528 3530->3272 3532 405b0d 3531->3532 3536 405b1d 3531->3536 3534 405b18 CharNextA 3532->3534 3532->3536 3533 405b3d 3533->3275 3533->3276 3534->3533 3535 405a84 CharNextA 3535->3536 3536->3533 3536->3535 3537->3297 3559 405f47 3538->3559 3541 40392b 3541->3294 3541->3296 3542 405fdc RegQueryValueExA RegCloseKey 3542->3541 3544 403bad 3543->3544 3563 40601f wsprintfA 3544->3563 3546 403c1e 3564 403c52 3546->3564 3548 403959 3548->3300 3549 403c23 3549->3548 3550 406154 17 API calls 3549->3550 3550->3549 3551->3301 3567 404191 3552->3567 3554 405304 3555 404191 SendMessageA 3554->3555 3557 405316 OleUninitialize 3555->3557 3556 4052dd 3556->3554 3570 401389 3556->3570 3557->3331 3560 405f56 3559->3560 3561 405f5a 3560->3561 3562 405f5f RegOpenKeyExA 3560->3562 3561->3541 3561->3542 3562->3561 3563->3546 3565 406154 17 API calls 3564->3565 3566 403c60 SetWindowTextA 3565->3566 3566->3549 3568 4041a9 3567->3568 3569 40419a SendMessageA 3567->3569 3568->3556 3569->3568 3572 401390 3570->3572 3571 4013fe 3571->3556 3572->3571 3573 4013cb MulDiv 
SendMessageA 3572->3573 3573->3572 3574->3364 3575->3364 3576->3358 3578 405d56 3577->3578 3579 405d7c GetShortPathNameA 3577->3579 3604 405c5a GetFileAttributesA CreateFileA 3578->3604 3581 405d91 3579->3581 3582 405e9b 3579->3582 3581->3582 3584 405d99 wsprintfA 3581->3584 3582->3374 3583 405d60 CloseHandle GetShortPathNameA 3583->3582 3585 405d74 3583->3585 3586 406154 17 API calls 3584->3586 3585->3579 3585->3582 3587 405dc1 3586->3587 3605 405c5a GetFileAttributesA CreateFileA 3587->3605 3589 405dce 3589->3582 3590 405ddd GetFileSize GlobalAlloc 3589->3590 3591 405e94 CloseHandle 3590->3591 3592 405dff 3590->3592 3591->3582 3593 405cd2 ReadFile 3592->3593 3594 405e07 3593->3594 3594->3591 3606 405bbf lstrlenA 3594->3606 3597 405e32 3599 405bbf 4 API calls 3597->3599 3598 405e1e lstrcpyA 3600 405e40 3598->3600 3599->3600 3601 405e77 SetFilePointer 3600->3601 3602 405d01 WriteFile 3601->3602 3603 405e8d GlobalFree 3602->3603 3603->3591 3604->3583 3605->3589 3607 405c00 lstrlenA 3606->3607 3608 405c08 3607->3608 3609 405bd9 lstrcmpiA 3607->3609 3608->3597 3608->3598 3609->3608 3610 405bf7 CharNextA 3609->3610 3610->3607 4360 403892 4361 40389d 4360->4361 4362 4038a1 4361->4362 4363 4038a4 GlobalAlloc 4361->4363 4363->4362 4364 402516 4365 402c0e 17 API calls 4364->4365 4366 402520 4365->4366 4367 402bce 17 API calls 4366->4367 4368 402529 4367->4368 4369 402533 RegQueryValueExA 4368->4369 4373 4027bf 4368->4373 4370 402559 RegCloseKey 4369->4370 4371 402553 4369->4371 4370->4373 4371->4370 4375 40601f wsprintfA 4371->4375 4375->4370 4376 40239c 4377 4023a4 4376->4377 4378 4023aa 4376->4378 4379 402bce 17 API calls 4377->4379 4380 402bce 17 API calls 4378->4380 4381 4023ba 4378->4381 4379->4378 4380->4381 4382 4023c8 4381->4382 4383 402bce 17 API calls 4381->4383 4384 402bce 17 API calls 4382->4384 4383->4382 4385 4023d1 WritePrivateProfileStringA 4384->4385 4386 40149d 4387 402387 4386->4387 4388 4014ab PostQuitMessage 4386->4388 4388->4387 4389 40159d 4390 
402bce 17 API calls 4389->4390 4391 4015a4 SetFileAttributesA 4390->4391 4392 4015b6 4391->4392 4393 40209d 4394 40215d 4393->4394 4395 4020af 4393->4395 4397 401423 24 API calls 4394->4397 4396 402bce 17 API calls 4395->4396 4398 4020b6 4396->4398 4403 4022e2 4397->4403 4399 402bce 17 API calls 4398->4399 4400 4020bf 4399->4400 4401 4020d4 LoadLibraryExA 4400->4401 4402 4020c7 GetModuleHandleA 4400->4402 4401->4394 4404 4020e4 GetProcAddress 4401->4404 4402->4401 4402->4404 4405 402130 4404->4405 4406 4020f3 4404->4406 4407 4051e8 24 API calls 4405->4407 4408 402103 4406->4408 4409 401423 24 API calls 4406->4409 4407->4408 4408->4403 4410 402151 FreeLibrary 4408->4410 4409->4408 4410->4403 4411 401a1e 4412 402bce 17 API calls 4411->4412 4413 401a27 ExpandEnvironmentStringsA 4412->4413 4414 401a3b 4413->4414 4416 401a4e 4413->4416 4415 401a40 lstrcmpA 4414->4415 4414->4416 4415->4416 4422 40171f 4423 402bce 17 API calls 4422->4423 4424 401726 SearchPathA 4423->4424 4425 401741 4424->4425 4426 401d1f 4427 402bac 17 API calls 4426->4427 4428 401d26 4427->4428 4429 402bac 17 API calls 4428->4429 4430 401d32 GetDlgItem 4429->4430 4431 402620 4430->4431 4432 402421 4433 402453 4432->4433 4434 402428 4432->4434 4436 402bce 17 API calls 4433->4436 4435 402c0e 17 API calls 4434->4435 4437 40242f 4435->4437 4438 40245a 4436->4438 4440 402bce 17 API calls 4437->4440 4441 402467 4437->4441 4443 402c8c 4438->4443 4442 402440 RegDeleteValueA RegCloseKey 4440->4442 4442->4441 4444 402c98 4443->4444 4445 402c9f 4443->4445 4444->4441 4445->4444 4447 402cd0 4445->4447 4448 405f47 RegOpenKeyExA 4447->4448 4449 402cfe 4448->4449 4450 402d0e RegEnumValueA 4449->4450 4457 402da8 4449->4457 4459 402d31 4449->4459 4451 402d98 RegCloseKey 4450->4451 4450->4459 4451->4457 4452 402d6d RegEnumKeyA 4453 402d76 RegCloseKey 4452->4453 4452->4459 4454 4064ca 5 API calls 4453->4454 4456 402d86 4454->4456 4455 402cd0 6 API calls 4455->4459 4456->4457 4458 402d8a RegDeleteKeyA 4456->4458 4457->4444 
4458->4457 4459->4451 4459->4452 4459->4453 4459->4455 4460 4027a1 4461 402bce 17 API calls 4460->4461 4462 4027a8 FindFirstFileA 4461->4462 4463 4027cb 4462->4463 4464 4027bb 4462->4464 4465 4027d2 4463->4465 4468 40601f wsprintfA 4463->4468 4469 4060c1 lstrcpynA 4465->4469 4468->4465 4469->4464 4477 405326 4478 4054d1 4477->4478 4479 405348 GetDlgItem GetDlgItem GetDlgItem 4477->4479 4480 405501 4478->4480 4481 4054d9 GetDlgItem CreateThread CloseHandle 4478->4481 4522 40417a SendMessageA 4479->4522 4483 40552f 4480->4483 4485 405550 4480->4485 4486 405517 ShowWindow ShowWindow 4480->4486 4481->4480 4487 40558a 4483->4487 4490 405563 ShowWindow 4483->4490 4491 40553f 4483->4491 4484 4053b8 4488 4053bf GetClientRect GetSystemMetrics SendMessageA SendMessageA 4484->4488 4492 4041ac 8 API calls 4485->4492 4524 40417a SendMessageA 4486->4524 4487->4485 4495 405597 SendMessageA 4487->4495 4493 405411 SendMessageA SendMessageA 4488->4493 4494 40542d 4488->4494 4497 405583 4490->4497 4498 405575 4490->4498 4496 40411e SendMessageA 4491->4496 4503 40555c 4492->4503 4493->4494 4500 405440 4494->4500 4501 405432 SendMessageA 4494->4501 4502 4055b0 CreatePopupMenu 4495->4502 4495->4503 4496->4485 4499 40411e SendMessageA 4497->4499 4504 4051e8 24 API calls 4498->4504 4499->4487 4506 404145 18 API calls 4500->4506 4501->4500 4505 406154 17 API calls 4502->4505 4504->4497 4507 4055c0 AppendMenuA 4505->4507 4508 405450 4506->4508 4509 4055f1 TrackPopupMenu 4507->4509 4510 4055de GetWindowRect 4507->4510 4511 405459 ShowWindow 4508->4511 4512 40548d GetDlgItem SendMessageA 4508->4512 4509->4503 4513 40560d 4509->4513 4510->4509 4514 40547c 4511->4514 4515 40546f ShowWindow 4511->4515 4512->4503 4516 4054b4 SendMessageA SendMessageA 4512->4516 4517 40562c SendMessageA 4513->4517 4523 40417a SendMessageA 4514->4523 4515->4514 4516->4503 4517->4517 4518 405649 OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 4517->4518 4520 40566b SendMessageA 4518->4520 4520->4520 4521 40568d 

        Control-flow Graph: function at 00403312 (graph image omitted)
        APIs
        • SetErrorMode.KERNELBASE ref: 00403337
        • GetVersion.KERNEL32 ref: 0040333D
        • lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 00403370
        • #17.COMCTL32(?,00000007,00000009,0000000B), ref: 004033AC
        • OleInitialize.OLE32(00000000), ref: 004033B3
        • SHGetFileInfoA.SHELL32(0041FCE8,00000000,?,00000160,00000000,?,00000007,00000009,0000000B), ref: 004033CF
        • GetCommandLineA.KERNEL32(00423F20,NSIS Error,?,00000007,00000009,0000000B), ref: 004033E4
        • CharNextA.USER32(00000000,"C:\Users\user\Desktop\PI_20052024.exe",00000020,"C:\Users\user\Desktop\PI_20052024.exe",00000000,?,00000007,00000009,0000000B), ref: 00403420
        • GetTempPathA.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020,?,00000007,00000009,0000000B), ref: 0040351D
        • GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000007,00000009,0000000B), ref: 0040352E
        • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000007,00000009,0000000B), ref: 0040353A
        • GetTempPathA.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000007,00000009,0000000B), ref: 0040354E
        • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000007,00000009,0000000B), ref: 00403556
        • SetEnvironmentVariableA.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000007,00000009,0000000B), ref: 00403567
        • SetEnvironmentVariableA.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000007,00000009,0000000B), ref: 0040356F
        • DeleteFileA.KERNELBASE(C:\Users\user\AppData\Local\Temp\nsvCAFB.tmp,?,00000007,00000009,0000000B), ref: 00403583
          • Part of subcall function 004064CA: GetModuleHandleA.KERNEL32(?,?,?,00403385,0000000B), ref: 004064DC
          • Part of subcall function 004064CA: GetProcAddress.KERNEL32(00000000,?), ref: 004064F7
          • Part of subcall function 004038D4: lstrlenA.KERNEL32(004236C0,?,?,?,004236C0,00000000,0042A400,C:\Users\user\AppData\Local\Temp\nsvCAFB.tmp,00420D28,80000001,Control Panel\Desktop\ResourceLocale,00000000,00420D28,00000000,00000002,756F3410), ref: 004039C4
          • Part of subcall function 004038D4: lstrcmpiA.KERNEL32(?,.exe), ref: 004039D7
          • Part of subcall function 004038D4: GetFileAttributesA.KERNEL32(004236C0), ref: 004039E2
          • Part of subcall function 004038D4: LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,0042A400), ref: 00403A2B
          • Part of subcall function 004038D4: RegisterClassA.USER32(00423EC0), ref: 00403A68
          • Part of subcall function 004037FA: FindCloseChangeNotification.KERNELBASE(FFFFFFFF,00403631,?,?,00000007,00000009,0000000B), ref: 00403805
        • OleUninitialize.OLE32(?,?,00000007,00000009,0000000B), ref: 00403631
        • ExitProcess.KERNEL32 ref: 00403652
        • GetCurrentProcess.KERNEL32(00000028,?,00000007,00000009,0000000B), ref: 0040376F
        • OpenProcessToken.ADVAPI32(00000000), ref: 00403776
        • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 0040378E
        • AdjustTokenPrivileges.ADVAPI32(?,?,?,?,00000000,?,00000000,00000000,00000000), ref: 004037AD
        • ExitWindowsEx.USER32(00000002,80040002), ref: 004037D1
        • ExitProcess.KERNEL32 ref: 004037F4
          • Part of subcall function 004057DD: MessageBoxIndirectA.USER32(0040A218), ref: 00405838
        Memory Dump Source
        • Source File: 00000000.00000002.1498711239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1498694956.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1498724961.0000000000408000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1498738256.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1498738256.0000000000423000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1498738256.000000000042A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1498794320.000000000043B000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_PI_20052024.jbxd
        Similarity
        • API ID: Process$ExitFile$EnvironmentPathTempTokenVariableWindowslstrcatlstrlen$AddressAdjustAttributesChangeCharClassCloseCommandCurrentDeleteDirectoryErrorFindHandleImageIndirectInfoInitializeLineLoadLookupMessageModeModuleNextNotificationOpenPrivilegePrivilegesProcRegisterUninitializeValueVersionlstrcmpi
        • String ID: "$"C:\Users\user\Desktop\PI_20052024.exe"$.tmp$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nsvCAFB.tmp$C:\Users\user\Desktop$C:\Users\user\Desktop\PI_20052024.exe$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$`Kpu$~nsu
        • API String ID: 3490464366-4026475936
        • Opcode ID: f310e33f6c486066557963ca062f20637adb2c2bd7ff8924bd19685712fd966f
        • Instruction ID: fed38e33bd1ad5050a1aac335cdd74565c3a3e786a0889b069c8e2b205acfbdc
        • Opcode Fuzzy Hash: f310e33f6c486066557963ca062f20637adb2c2bd7ff8924bd19685712fd966f
        • Instruction Fuzzy Hash: 7CC108702047406AD721AF759D49A2F3EACEF85306F45443FF581B62D2CB7C8A598B2E

        Control-flow Graph: function at 0040645C (graph image omitted)
        APIs
        • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00406473
        • wsprintfA.USER32 ref: 004064AC
        • LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 004064C0
        Similarity
        • API ID: DirectoryLibraryLoadSystemwsprintf
        • String ID: %s%s.dll$UXTHEME$\
        • API String ID: 2200240437-4240819195
        • Opcode ID: 265ca81b40b881dab18d3809a90e9c8d4eed5c2f9756e13f598d1e00e091b07b
        • Instruction ID: 6b99be200e9776e1d1f000c3a85ac26a44316f32ef7d7cf08124b5af377bafc3
        • Opcode Fuzzy Hash: 265ca81b40b881dab18d3809a90e9c8d4eed5c2f9756e13f598d1e00e091b07b
        • Instruction Fuzzy Hash: C2F0FC305502096BDB15DB64DD0DFEB375CEB08304F1400BAA986E10C1EA78E5258B6D

        Control-flow Graph: function at 00405C89 (graph image omitted)
        APIs
        • GetTickCount.KERNEL32 ref: 00405C9D
        • GetTempFileNameA.KERNELBASE(?,?,00000000,?,?,00000007,00000009,0000000B), ref: 00405CB7
        Strings
        • C:\Users\user\AppData\Local\Temp\, xrefs: 00405C8C
        • nsa, xrefs: 00405C94
        • "C:\Users\user\Desktop\PI_20052024.exe", xrefs: 00405C89
        Similarity
        • API ID: CountFileNameTempTick
        • String ID: "C:\Users\user\Desktop\PI_20052024.exe"$C:\Users\user\AppData\Local\Temp\$nsa
        • API String ID: 1716503409-3711466119
        • Opcode ID: 3d6f8019ec5f34494dc3b68805de6783e4b5f3688fe49378b00e43b1512e0d50
        • Instruction ID: eb5fe80d68cc8fd1173ec18eddb4fdb1002e2dce10a9d595da193ea2316e06a4
        • Opcode Fuzzy Hash: 3d6f8019ec5f34494dc3b68805de6783e4b5f3688fe49378b00e43b1512e0d50
        • Instruction Fuzzy Hash: BCF08236308308ABEB118F56ED04B9B7FACDF91750F10803BFA44DB280D6B499558798

        Control-flow Graph: function at 004064CA (graph image omitted)
        APIs
        • GetModuleHandleA.KERNEL32(?,?,?,00403385,0000000B), ref: 004064DC
        • GetProcAddress.KERNEL32(00000000,?), ref: 004064F7
          • Part of subcall function 0040645C: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00406473
          • Part of subcall function 0040645C: wsprintfA.USER32 ref: 004064AC
          • Part of subcall function 0040645C: LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 004064C0
        Similarity
        • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
        • String ID:
        • API String ID: 2547128583-0
        • Opcode ID: 86a36fe79f27c55ffb4f68e9eb19a7d4fc21bb30cdd0e1b9c8c3d4c34093b0ac
        • Instruction ID: b1d6ada99e6651afe610309d4c68ede8e1123b1e5f34d771ce11ce336b0a7369
        • Opcode Fuzzy Hash: 86a36fe79f27c55ffb4f68e9eb19a7d4fc21bb30cdd0e1b9c8c3d4c34093b0ac
        • Instruction Fuzzy Hash: 1AE086326042116BD21067705E0893B72A89E84700302443EF946F2144DB39EC35A76D

        Control-flow Graph: function at 00405C5A (graph image omitted)
        APIs
        • GetFileAttributesA.KERNELBASE(00000003,00402EE1,C:\Users\user\Desktop\PI_20052024.exe,80000000,00000003), ref: 00405C5E
        • CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405C80
        Similarity
        • API ID: File$AttributesCreate
        • String ID:
        • API String ID: 415043291-0
        • Opcode ID: 495096ec3bada98d59396949f3e5d8db788c55d9a14f95543a77051fd5c04aa8
        • Instruction ID: ee59d6d0e1d409ab4f08bbdf592326cff3c7222ef74ae4255e7f212f1854b30f
        • Opcode Fuzzy Hash: 495096ec3bada98d59396949f3e5d8db788c55d9a14f95543a77051fd5c04aa8
        • Instruction Fuzzy Hash: F5D09E31654201AFEF0D8F20DE16F2E7AA2EB84B00F11952CB782941E1DA715819AB19

        Control-flow Graph: function at 0040572B (graph image omitted)
        APIs
        • CreateDirectoryA.KERNELBASE(?,00000000,00403305,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403524,?,00000007,00000009,0000000B), ref: 00405731
        • GetLastError.KERNEL32(?,00000007,00000009,0000000B), ref: 0040573F
        Similarity
        • API ID: CreateDirectoryErrorLast
        • String ID:
        • API String ID: 1375471231-0
        • Opcode ID: 16e4c654e9ce22ade12b11bcec0acffe1e0d8e5e5550dff24455bfee17a8caa2
        • Instruction ID: fe143fb7e2c59eb3603aebef79fe73c29c1fae3f16fa91b3bf8fea648d0a9a1d
        • Opcode Fuzzy Hash: 16e4c654e9ce22ade12b11bcec0acffe1e0d8e5e5550dff24455bfee17a8caa2
        • Instruction Fuzzy Hash: 61C04C30604505EFD7515B209E09B177A94AB50781F15443DA146E10A0DF388455ED2D

        Control-flow Graph: function at 00405CD2 (graph image omitted)
        APIs
        • ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,004032C7,00000000,00000000,00403124,000000FF,00000004,00000000,00000000,00000000), ref: 00405CE6
        Similarity
        • API ID: FileRead
        • String ID:
        • API String ID: 2738559852-0
        • Opcode ID: da94c88c01f32db49c143d41d40f73f2c481f3bafd85dc9fd8b917d4e0158b31
        • Instruction ID: 0f3a91911b7368544d0479776f9460b67210371169305fae4b72b28e49471388
        • Opcode Fuzzy Hash: da94c88c01f32db49c143d41d40f73f2c481f3bafd85dc9fd8b917d4e0158b31
        • Instruction Fuzzy Hash: 56E0EC3221835EEBEF109E559C04EEB7B6CEB05360F044437FD5AE2150D671E861ABA4

        Control-flow Graph: function at 004057DD (graph image omitted)
        APIs
        • MessageBoxIndirectA.USER32(0040A218), ref: 00405838
        Similarity
        • API ID: IndirectMessage
        • String ID:
        • API String ID: 1874166685-0
        • Opcode ID: 0cab00be260b89d7d1c612eddf7da4e0fd649a2712073fb6eb20caf0e7def1e0
        • Instruction ID: 5311cca1f2ba290f7242e971641faf4dc96c1e65d14f3eed96e680751d9d4e07
        • Opcode Fuzzy Hash: 0cab00be260b89d7d1c612eddf7da4e0fd649a2712073fb6eb20caf0e7def1e0
        • Instruction Fuzzy Hash: 12F0F2366003009BC764DF18FA4871637E0E799359F41867EE584A23B4DB7A88A2CF4E

        Control-flow Graph: function at 004037FA (graph image omitted)
        APIs
        • FindCloseChangeNotification.KERNELBASE(FFFFFFFF,00403631,?,?,00000007,00000009,0000000B), ref: 00403805
        Similarity
        • API ID: ChangeCloseFindNotification
        • String ID:
        • API String ID: 2591292051-0
        • Opcode ID: 1f7b26d8e1698b4bcdc364653e9983ac0a1eb5e2198a2e3d9e60c48d07f54e68
        • Instruction ID: 98d9bb83651dfd28c3db404e9d03a9a506ef6e5e58b1f070815515e233c4bbd3
        • Opcode Fuzzy Hash: 1f7b26d8e1698b4bcdc364653e9983ac0a1eb5e2198a2e3d9e60c48d07f54e68
        • Instruction Fuzzy Hash: B2C01231500B0856C1247F749E4F5253A98AB44775BA0C775F0F8F10F1C73C4A69559D

        Control-flow Graph: function at 00405326 (graph image omitted)
        APIs
        • GetDlgItem.USER32(?,00000403), ref: 00405385
        • GetDlgItem.USER32(?,000003EE), ref: 00405394
        • GetClientRect.USER32(?,?), ref: 004053D1
        • GetSystemMetrics.USER32(00000002), ref: 004053D8
        • SendMessageA.USER32(?,0000101B,00000000,?), ref: 004053F9
        • SendMessageA.USER32(?,00001036,00004000,00004000), ref: 0040540A
        • SendMessageA.USER32(?,00001001,00000000,?), ref: 0040541D
        • SendMessageA.USER32(?,00001026,00000000,?), ref: 0040542B
        • SendMessageA.USER32(?,00001024,00000000,?), ref: 0040543E
        • ShowWindow.USER32(00000000,?,0000001B,?), ref: 00405460
        • ShowWindow.USER32(?,00000008), ref: 00405474
        • GetDlgItem.USER32(?,000003EC), ref: 00405495
        • SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 004054A5
        • SendMessageA.USER32(00000000,00000409,00000000,?), ref: 004054BE
        • SendMessageA.USER32(00000000,00002001,00000000,?), ref: 004054CA
        • GetDlgItem.USER32(?,000003F8), ref: 004053A3
          • Part of subcall function 0040417A: SendMessageA.USER32(00000028,?,00000001,00403FAA), ref: 00404188
        • GetDlgItem.USER32(?,000003EC), ref: 004054E6
        • CreateThread.KERNEL32(00000000,00000000,Function_000052BA,00000000), ref: 004054F4
        • CloseHandle.KERNEL32(00000000), ref: 004054FB
        • ShowWindow.USER32(00000000), ref: 0040551E
        • ShowWindow.USER32(?,00000008), ref: 00405525
        • ShowWindow.USER32(00000008), ref: 0040556B
        • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040559F
        • CreatePopupMenu.USER32 ref: 004055B0
        • AppendMenuA.USER32(00000000,00000000,00000001,00000000), ref: 004055C5
        • GetWindowRect.USER32(?,000000FF), ref: 004055E5
        • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004055FE
        • SendMessageA.USER32(?,0000102D,00000000,?), ref: 0040563A
        • OpenClipboard.USER32(00000000), ref: 0040564A
        • EmptyClipboard.USER32 ref: 00405650
        • GlobalAlloc.KERNEL32(00000042,?), ref: 00405659
        • GlobalLock.KERNEL32(00000000), ref: 00405663
        • SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405677
        • GlobalUnlock.KERNEL32(00000000), ref: 00405690
        • SetClipboardData.USER32(00000001,00000000), ref: 0040569B
        • CloseClipboard.USER32 ref: 004056A1
        Similarity
        • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
        • String ID: (B
        • API String ID: 590372296-3831730363
        • Opcode ID: 49997f41eb2f9c722dfb0406d167bbe14a0a63cc83ca584289ce1d984f626ed1
        • Instruction ID: fe21aa704c045a880c187f0605a512594e5ece0db8e286b19571ae5c45aa8885
        • Opcode Fuzzy Hash: 49997f41eb2f9c722dfb0406d167bbe14a0a63cc83ca584289ce1d984f626ed1
        • Instruction Fuzzy Hash: 23A15B71900608BFDB119FA4DE89EAE7B79FB48355F00403AFA41BA1A0C7794E51DF58
        APIs
        • GetDlgItem.USER32(?,000003FB), ref: 00404626
        • SetWindowTextA.USER32(00000000,?), ref: 00404650
        • SHBrowseForFolderA.SHELL32(?,00420100,?), ref: 00404701
        • CoTaskMemFree.OLE32(00000000), ref: 0040470C
        • lstrcmpiA.KERNEL32(004236C0,00420D28), ref: 0040473E
        • lstrcatA.KERNEL32(?,004236C0), ref: 0040474A
        • SetDlgItemTextA.USER32(?,000003FB,?), ref: 0040475C
          • Part of subcall function 004057C1: GetDlgItemTextA.USER32(?,?,00000400,00404793), ref: 004057D4
          • Part of subcall function 0040639C: CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\PI_20052024.exe",756F3410,C:\Users\user\AppData\Local\Temp\,00000000,004032ED,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403524,?,00000007,00000009,0000000B), ref: 004063F4
          • Part of subcall function 0040639C: CharNextA.USER32(?,?,?,00000000,?,00000007,00000009,0000000B), ref: 00406401
          • Part of subcall function 0040639C: CharNextA.USER32(?,"C:\Users\user\Desktop\PI_20052024.exe",756F3410,C:\Users\user\AppData\Local\Temp\,00000000,004032ED,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403524,?,00000007,00000009,0000000B), ref: 00406406
          • Part of subcall function 0040639C: CharPrevA.USER32(?,?,756F3410,C:\Users\user\AppData\Local\Temp\,00000000,004032ED,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403524,?,00000007,00000009,0000000B), ref: 00406416
        • GetDiskFreeSpaceA.KERNEL32(0041FCF8,?,?,0000040F,?,0041FCF8,0041FCF8,?,00000001,0041FCF8,?,?,000003FB,?), ref: 0040481A
        • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404835
          • Part of subcall function 0040498E: lstrlenA.KERNEL32(00420D28,00420D28,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,004048A9,000000DF,00000000,00000400,?), ref: 00404A2C
          • Part of subcall function 0040498E: wsprintfA.USER32 ref: 00404A34
          • Part of subcall function 0040498E: SetDlgItemTextA.USER32(?,00420D28), ref: 00404A47
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.1498711239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1498694956.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1498724961.0000000000408000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1498738256.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1498738256.0000000000423000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1498738256.000000000042A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1498794320.000000000043B000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_PI_20052024.jbxd
        Similarity
        • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
        • String ID: (B$A
        • API String ID: 2624150263-1188332043
        • Opcode ID: 355fae2fdc5b81749f0646e346823bb3f61dec23bbe7f7c311cc870142e1b552
        • Instruction ID: 23887ea06715a98946f15fa8ab5ee03a9679ba0c83a6df36e4e3dfda0b9dc378
        • Opcode Fuzzy Hash: 355fae2fdc5b81749f0646e346823bb3f61dec23bbe7f7c311cc870142e1b552
        • Instruction Fuzzy Hash: C9A183B1900209ABDB11EFA5CD85AAFB7B8EF85314F10843BF601B72D1D77C89418B69
        APIs
        • DeleteFileA.KERNEL32(?,?,756F3410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004058B2
        • lstrcatA.KERNEL32(00421D30,\*.*,00421D30,?,?,756F3410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004058FA
        • lstrcatA.KERNEL32(?,0040A014,?,00421D30,?,?,756F3410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 0040591B
        • lstrlenA.KERNEL32(?,?,0040A014,?,00421D30,?,?,756F3410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405921
        • FindFirstFileA.KERNEL32(00421D30,?,?,?,0040A014,?,00421D30,?,?,756F3410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405932
        • FindNextFileA.KERNEL32(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 004059DF
        • FindClose.KERNEL32(00000000), ref: 004059F0
        Strings
        • \*.*, xrefs: 004058F4
        • C:\Users\user\AppData\Local\Temp\, xrefs: 00405896
        • "C:\Users\user\Desktop\PI_20052024.exe", xrefs: 00405889
        Memory Dump Source
        • Source File: 00000000.00000002.1498711239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1498694956.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1498724961.0000000000408000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1498738256.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1498738256.0000000000423000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1498738256.000000000042A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1498794320.000000000043B000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_PI_20052024.jbxd
        Similarity
        • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
        • String ID: "C:\Users\user\Desktop\PI_20052024.exe"$C:\Users\user\AppData\Local\Temp\$\*.*
        • API String ID: 2035342205-873889405
        • Opcode ID: 36dc79f5f72bdae1f12502bd591f5556571401b5369f5233b8bf9165604da4d7
        • Instruction ID: 41c2b5987dba1b2e33ef8c3f02a16f7fa1ffbccb66a0b3bb43d54024ecdcecbe
        • Opcode Fuzzy Hash: 36dc79f5f72bdae1f12502bd591f5556571401b5369f5233b8bf9165604da4d7
        • Instruction Fuzzy Hash: 6251D070900A04EACB21AB618C89BBF7B78EF42724F54427BF851B51D1D73C4982DF6A
        Memory Dump Source
        • Source File: 00000000.00000002.1498711239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1498694956.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1498724961.0000000000408000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1498738256.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1498738256.0000000000423000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1498738256.000000000042A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1498794320.000000000043B000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_PI_20052024.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 634db48916f7a97cd593a88a8f27a2a6a53995630c6979533469a6cf2a501d9c
        • Instruction ID: b77f02bc2ee5da486f1689b8d44b34109ba54b696cf3d27aba4845a127c97f42
        • Opcode Fuzzy Hash: 634db48916f7a97cd593a88a8f27a2a6a53995630c6979533469a6cf2a501d9c
        • Instruction Fuzzy Hash: CEF17671D00269CBCF28CFA8C8946ADBBB0FF44305F25856ED856BB281D7385A86CF44
        APIs
        • FindFirstFileA.KERNEL32(756F3410,00422578,00422130,00405B8A,00422130,00422130,00000000,00422130,00422130,756F3410,?,C:\Users\user\AppData\Local\Temp\,004058A9,?,756F3410,C:\Users\user\AppData\Local\Temp\), ref: 00406440
        • FindClose.KERNEL32(00000000), ref: 0040644C
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.1498711239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1498694956.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1498724961.0000000000408000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1498738256.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1498738256.0000000000423000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1498738256.000000000042A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1498794320.000000000043B000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_PI_20052024.jbxd
        Similarity
        • API ID: Find$CloseFileFirst
        • String ID: x%B
        • API String ID: 2295610775-3582070945
        • Opcode ID: f29c590cbb4ae7880d615934e2c411517b6bf54f8089bedae6efd123f54e346e
        • Instruction ID: 161293881315f5638f8ce2083a4c9c3eaa4ca925c072cbf9d6c71a91d4c8f3d6
        • Opcode Fuzzy Hash: f29c590cbb4ae7880d615934e2c411517b6bf54f8089bedae6efd123f54e346e
        • Instruction Fuzzy Hash: FED01231944130ABC3502B386E0C85B7B599F153313A2CB36F56AF12F0CB788C6296AC
        APIs
        • CoCreateInstance.OLE32(00408418,?,00000001,00408408,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004021F0
        • MultiByteToWideChar.KERNEL32(?,?,?,000000FF,?,00000400,?,00000001,00408408,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004022A2
        Memory Dump Source
        • Source File: 00000000.00000002.1498711239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1498694956.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1498724961.0000000000408000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1498738256.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1498738256.0000000000423000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1498738256.000000000042A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1498794320.000000000043B000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_PI_20052024.jbxd
        Similarity
        • API ID: ByteCharCreateInstanceMultiWide
        • String ID:
        • API String ID: 123533781-0
        • Opcode ID: b96e618640ec3733a40c8f990ab161d406538e4b9c2d6c349f938f3337a4d74a
        • Instruction ID: 1d5fc0eda79a0a672284adf98007a832727f4b93af1a8b9a4894ceaf33dc30f5
        • Opcode Fuzzy Hash: b96e618640ec3733a40c8f990ab161d406538e4b9c2d6c349f938f3337a4d74a
        • Instruction Fuzzy Hash: 45510471A00208AFCB00DFE4CA88A9D7BB6EF48314F2041BAF515EB2D1DA799981CB54
        APIs
        • FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 004027B0
        Memory Dump Source
        • Source File: 00000000.00000002.1498711239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1498694956.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1498724961.0000000000408000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1498738256.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1498738256.0000000000423000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1498738256.000000000042A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1498794320.000000000043B000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_PI_20052024.jbxd
        Similarity
        • API ID: FileFindFirst
        • String ID:
        • API String ID: 1974802433-0
        • Opcode ID: 59237916fb72a4df27da046859b2f328e2f335d4eaafb740a0fb2c5245d815b3
        • Instruction ID: 13e9d4e2be50c596067d6900ef2af7155ed35788a2bbd6a4100e2a10f5e5ac7a
        • Opcode Fuzzy Hash: 59237916fb72a4df27da046859b2f328e2f335d4eaafb740a0fb2c5245d815b3
        • Instruction Fuzzy Hash: 0AF0A771604110DFD710EB649949AEE77A8DF51314F20057BF112B20C2D7B889469B2A

        Control-flow Graph
        APIs
        • GetDlgItem.USER32(?,000003F9), ref: 00404B61
        • GetDlgItem.USER32(?,00000408), ref: 00404B6E
        • GlobalAlloc.KERNEL32(00000040,?), ref: 00404BBD
        • LoadImageA.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 00404BD4
        • SetWindowLongA.USER32(?,000000FC,0040515C), ref: 00404BEE
        • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404C00
        • ImageList_AddMasked.COMCTL32(00000000,00000110,00FF00FF), ref: 00404C14
        • SendMessageA.USER32(?,00001109,00000002), ref: 00404C2A
        • SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 00404C36
        • SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 00404C46
        • DeleteObject.GDI32(00000110), ref: 00404C4B
        • SendMessageA.USER32(?,00000143,00000000,00000000), ref: 00404C76
        • SendMessageA.USER32(?,00000151,00000000,00000000), ref: 00404C82
        • SendMessageA.USER32(?,00001100,00000000,?), ref: 00404D1C
        • SendMessageA.USER32(?,0000110A,00000003,00000110), ref: 00404D4C
          • Part of subcall function 0040417A: SendMessageA.USER32(00000028,?,00000001,00403FAA), ref: 00404188
        • SendMessageA.USER32(?,00001100,00000000,?), ref: 00404D60
        • GetWindowLongA.USER32(?,000000F0), ref: 00404D8E
        • SetWindowLongA.USER32(?,000000F0,00000000), ref: 00404D9C
        • ShowWindow.USER32(?,00000005), ref: 00404DAC
        • SendMessageA.USER32(?,00000419,00000000,?), ref: 00404EA7
        • SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404F0C
        • SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00404F21
        • SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00404F45
        • SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404F65
        • ImageList_Destroy.COMCTL32(?), ref: 00404F7A
        • GlobalFree.KERNEL32(?), ref: 00404F8A
        • SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00405003
        • SendMessageA.USER32(?,00001102,?,?), ref: 004050AC
        • SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 004050BB
        • InvalidateRect.USER32(?,00000000,00000001), ref: 004050E5
        • ShowWindow.USER32(?,00000000), ref: 00405133
        • GetDlgItem.USER32(?,000003FE), ref: 0040513E
        • ShowWindow.USER32(00000000), ref: 00405145
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.1498711239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1498694956.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1498724961.0000000000408000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1498738256.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1498738256.0000000000423000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1498738256.000000000042A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1498794320.000000000043B000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_PI_20052024.jbxd
        Similarity
        • API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
        • String ID: $M$N
        • API String ID: 2564846305-813528018
        • Opcode ID: 47f2d9c36709d7288c2157f5155d2d55d121774a694b688cb793ee6afb5df1ef
        • Instruction ID: 035ac8a7469eee7f523ea9a41678d20bac9593c5f5e0b875cc373c12e4cd4a79
        • Opcode Fuzzy Hash: 47f2d9c36709d7288c2157f5155d2d55d121774a694b688cb793ee6afb5df1ef
        • Instruction Fuzzy Hash: 63025DB0A00209AFDF209F94DD45AAE7BB5FB84354F50813AF610BA2E1D7799D42CF58

        Control-flow Graph
        APIs
        • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403CAD
        • ShowWindow.USER32(?), ref: 00403CCA
        • DestroyWindow.USER32 ref: 00403CDE
        • SetWindowLongA.USER32(?,00000000,00000000), ref: 00403CFA
        • GetDlgItem.USER32(?,?), ref: 00403D1B
        • SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403D2F
        • IsWindowEnabled.USER32(00000000), ref: 00403D36
        • GetDlgItem.USER32(?,00000001), ref: 00403DE4
        • GetDlgItem.USER32(?,00000002), ref: 00403DEE
        • SetClassLongA.USER32(?,000000F2,?), ref: 00403E08
        • SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00403E59
        • GetDlgItem.USER32(?,00000003), ref: 00403EFF
        • ShowWindow.USER32(00000000,?), ref: 00403F20
        • EnableWindow.USER32(?,?), ref: 00403F32
        • EnableWindow.USER32(?,?), ref: 00403F4D
        • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403F63
        • EnableMenuItem.USER32(00000000), ref: 00403F6A
        • SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00403F82
        • SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403F95
        • lstrlenA.KERNEL32(00420D28,?,00420D28,00000000), ref: 00403FBF
        • SetWindowTextA.USER32(?,00420D28), ref: 00403FCE
        • ShowWindow.USER32(?,0000000A), ref: 00404102
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.1498711239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1498694956.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1498724961.0000000000408000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1498738256.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1498738256.0000000000423000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1498738256.000000000042A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1498794320.000000000043B000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_PI_20052024.jbxd
        Similarity
        • API ID: Window$Item$MessageSend$EnableShow$LongMenu$ClassDestroyEnabledSystemTextlstrlen
        • String ID: (B
        • API String ID: 184305955-3831730363
        • Opcode ID: 7a58bff379e853cca07bcf65810b410c125cf819e0a5c8acdf48496fe53637fe
        • Instruction ID: b3becc50dc3ae915ab1c9f271a4527fb908fa7fae9a455a684dda11466253fc4
        • Opcode Fuzzy Hash: 7a58bff379e853cca07bcf65810b410c125cf819e0a5c8acdf48496fe53637fe
        • Instruction Fuzzy Hash: 77C11071600204BFDB206F61ED49E2B3AB8FB85706F50053EF651B51F1CB799982AB2D

        Control-flow Graph
        APIs
          • Part of subcall function 004064CA: GetModuleHandleA.KERNEL32(?,?,?,00403385,0000000B), ref: 004064DC
          • Part of subcall function 004064CA: GetProcAddress.KERNEL32(00000000,?), ref: 004064F7
        • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsvCAFB.tmp,00420D28,80000001,Control Panel\Desktop\ResourceLocale,00000000,00420D28,00000000,00000002,756F3410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\PI_20052024.exe",00000000), ref: 0040394F
        • lstrlenA.KERNEL32(004236C0,?,?,?,004236C0,00000000,0042A400,C:\Users\user\AppData\Local\Temp\nsvCAFB.tmp,00420D28,80000001,Control Panel\Desktop\ResourceLocale,00000000,00420D28,00000000,00000002,756F3410), ref: 004039C4
        • lstrcmpiA.KERNEL32(?,.exe), ref: 004039D7
        • GetFileAttributesA.KERNEL32(004236C0), ref: 004039E2
        • LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,0042A400), ref: 00403A2B
          • Part of subcall function 0040601F: wsprintfA.USER32 ref: 0040602C
        • RegisterClassA.USER32(00423EC0), ref: 00403A68
        • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00403A80
        • CreateWindowExA.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403AB5
        • ShowWindow.USER32(00000005,00000000), ref: 00403AEB
        • GetClassInfoA.USER32(00000000,RichEdit20A,00423EC0), ref: 00403B17
        • GetClassInfoA.USER32(00000000,RichEdit,00423EC0), ref: 00403B24
        • RegisterClassA.USER32(00423EC0), ref: 00403B2D
        • DialogBoxParamA.USER32(?,00000000,00403C71,00000000), ref: 00403B4C
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.1498711239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1498694956.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1498724961.0000000000408000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1498738256.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1498738256.0000000000423000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1498738256.000000000042A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1498794320.000000000043B000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_PI_20052024.jbxd
        Similarity
        • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
        • String ID: "C:\Users\user\Desktop\PI_20052024.exe"$(B$.DEFAULT\Control Panel\International$.exe$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nsvCAFB.tmp$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
        • API String ID: 1975747703-3717226707
        • Opcode ID: ca874c65e5546124d3cd3d782fc2237607ef3cb7aa3e488bb88335414d52c5b7
        • Instruction ID: 8119f10372a92e3ad89c0c28339df669361e1c2b2a074a7ad4fa5a04607ec86b
        • Opcode Fuzzy Hash: ca874c65e5546124d3cd3d782fc2237607ef3cb7aa3e488bb88335414d52c5b7
        • Instruction Fuzzy Hash: CC61B4703402446ED620AF65AD45F3B3AACEB8574AF40053FF991B62E3CB7D5D029A2D
        APIs
        • CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 0040433B
        • GetDlgItem.USER32(00000000,000003E8), ref: 0040434F
        • SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 0040436D
        • GetSysColor.USER32(?), ref: 0040437E
        • SendMessageA.USER32(00000000,00000443,00000000,?), ref: 0040438D
        • SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 0040439C
        • lstrlenA.KERNEL32(?), ref: 0040439F
        • SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 004043AE
        • SendMessageA.USER32(00000000,00000449,?,00000110), ref: 004043C3
        • GetDlgItem.USER32(?,0000040A), ref: 00404425
        • SendMessageA.USER32(00000000), ref: 00404428
        • GetDlgItem.USER32(?,000003E8), ref: 00404453
        • SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 00404493
        • LoadCursorA.USER32(00000000,00007F02), ref: 004044A2
        • SetCursor.USER32(00000000), ref: 004044AB
        • LoadCursorA.USER32(00000000,00007F00), ref: 004044C1
        • SetCursor.USER32(00000000), ref: 004044C4
        • SendMessageA.USER32(00000111,00000001,00000000), ref: 004044F0
        • SendMessageA.USER32(00000010,00000000,00000000), ref: 00404504
        Memory Dump Source
        • Source File: 00000000.00000002.1498711239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1498694956.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1498724961.0000000000408000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1498738256.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1498738256.0000000000423000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1498738256.000000000042A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1498794320.000000000043B000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_PI_20052024.jbxd
        Similarity
        • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
        • String ID: N${B@
        • API String ID: 3103080414-3800482554
        • Opcode ID: acb20318001dbc993e8a8a4388a34ea8f8254a099665a8e39094a0f64cc29e55
        • Instruction ID: c600905809f0113b99b24623cb0d1ad186d6442f8c09b0c76a4ffb62e5d10872
        • Opcode Fuzzy Hash: acb20318001dbc993e8a8a4388a34ea8f8254a099665a8e39094a0f64cc29e55
        • Instruction Fuzzy Hash: 5661C7B1A00209BFEB109F60CD45F6A7B69FB84714F10813AFB057A1D1C7B89951CF98
        APIs
        • DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
        • BeginPaint.USER32(?,?), ref: 00401047
        • GetClientRect.USER32(?,?), ref: 0040105B
        • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
        • FillRect.USER32(00000000,?,00000000), ref: 004010E4
        • DeleteObject.GDI32(?), ref: 004010ED
        • CreateFontIndirectA.GDI32(?), ref: 00401105
        • SetBkMode.GDI32(00000000,00000001), ref: 00401126
        • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
        • SelectObject.GDI32(00000000,?), ref: 00401140
        • DrawTextA.USER32(00000000,00423F20,000000FF,00000010,00000820), ref: 00401156
        • SelectObject.GDI32(00000000,00000000), ref: 00401160
        • DeleteObject.GDI32(?), ref: 00401165
        • EndPaint.USER32(?,?), ref: 0040116E
        Memory Dump Source
        • Source File: 00000000.00000002.1498711239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1498694956.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1498724961.0000000000408000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1498738256.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1498738256.0000000000423000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1498738256.000000000042A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1498794320.000000000043B000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_PI_20052024.jbxd
        Similarity
        • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
        • String ID: F
        • API String ID: 941294808-1304234792
        • Opcode ID: 927d9f4f17401607196459c248a51bb8bdb5d1fd0febad51b1ec1e4e61243643
        • Instruction ID: f39fc87f540bacaa9a77f224585c2e26811c2c777a6195e868dd16c74e67a44d
        • Opcode Fuzzy Hash: 927d9f4f17401607196459c248a51bb8bdb5d1fd0febad51b1ec1e4e61243643
        • Instruction Fuzzy Hash: AA419D71800209AFCF058FA5DE459AF7FB9FF45315F00802AF591AA1A0CB34DA55DFA4
        APIs
        • GetTickCount.KERNEL32 ref: 00402EB2
        • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\PI_20052024.exe,00000400), ref: 00402ECE
          • Part of subcall function 00405C5A: GetFileAttributesA.KERNELBASE(00000003,00402EE1,C:\Users\user\Desktop\PI_20052024.exe,80000000,00000003), ref: 00405C5E
          • Part of subcall function 00405C5A: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405C80
        • GetFileSize.KERNEL32(00000000,00000000,0042C000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\PI_20052024.exe,C:\Users\user\Desktop\PI_20052024.exe,80000000,00000003), ref: 00402F1A
        • GlobalAlloc.KERNEL32(00000040,00000020), ref: 00403050
        Strings
        • Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 00403077
        • C:\Users\user\AppData\Local\Temp\, xrefs: 00402EA8
        • C:\Users\user\Desktop\PI_20052024.exe, xrefs: 00402EB8, 00402EC7, 00402EDB, 00402EFB
        • Error launching installer, xrefs: 00402EF1
        • Null, xrefs: 00402F98
        • Inst, xrefs: 00402F86
        • C:\Users\user\Desktop, xrefs: 00402EFC, 00402F01, 00402F07
        • soft, xrefs: 00402F8F
        • "C:\Users\user\Desktop\PI_20052024.exe", xrefs: 00402EA1
        Memory Dump Source
        • Source File: 00000000.00000002.1498711239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1498694956.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1498724961.0000000000408000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1498738256.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1498738256.0000000000423000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1498738256.000000000042A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1498794320.000000000043B000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_PI_20052024.jbxd
        Similarity
        • API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
        • String ID: "C:\Users\user\Desktop\PI_20052024.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\PI_20052024.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
        • API String ID: 2803837635-93559990
        • Opcode ID: 1fdbf8666ac545bea4b4f259f72344d0a52c8dbd42631ed96dcafa73090d8d3a
        • Instruction ID: 301210c85c1c672c97290be40cd2ab013445f980247fce5a821d6afddb5369d2
        • Opcode Fuzzy Hash: 1fdbf8666ac545bea4b4f259f72344d0a52c8dbd42631ed96dcafa73090d8d3a
        • Instruction Fuzzy Hash: 8851C171A01204ABDF20AF65DD85BAE7FB8EB40369F11413BF504B22D5C7789E818B9D
        APIs
        • CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,00000000,00405EC1,?,?), ref: 00405D61
        • GetShortPathNameA.KERNEL32(?,00422AB8,00000400), ref: 00405D6A
          • Part of subcall function 00405BBF: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405E1A,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405BCF
          • Part of subcall function 00405BBF: lstrlenA.KERNEL32(00000000,?,00000000,00405E1A,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405C01
        • GetShortPathNameA.KERNEL32(?,00422EB8,00000400), ref: 00405D87
        • wsprintfA.USER32 ref: 00405DA5
        • GetFileSize.KERNEL32(00000000,00000000,00422EB8,C0000000,00000004,00422EB8,?,?,?,?,?), ref: 00405DE0
        • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405DEF
        • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E27
        • SetFilePointer.KERNEL32(0040A3D8,00000000,00000000,00000000,00000000,004226B8,00000000,-0000000A,0040A3D8,00000000,[Rename],00000000,00000000,00000000), ref: 00405E7D
        • GlobalFree.KERNEL32(00000000), ref: 00405E8E
        • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00405E95
          • Part of subcall function 00405C5A: GetFileAttributesA.KERNELBASE(00000003,00402EE1,C:\Users\user\Desktop\PI_20052024.exe,80000000,00000003), ref: 00405C5E
          • Part of subcall function 00405C5A: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405C80
        Memory Dump Source
        • Source File: 00000000.00000002.1498711239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1498694956.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1498724961.0000000000408000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1498738256.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1498738256.0000000000423000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1498738256.000000000042A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1498794320.000000000043B000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_PI_20052024.jbxd
        Similarity
        • API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
        • String ID: %s=%s$[Rename]
        • API String ID: 2171350718-1727408572
        • Opcode ID: 7cd21256d08661d4eefe879962d933e7a9051a9aa49ec23cacfd0fd8735dfe10
        • Instruction ID: e2b4b59c5115c054d9977882ffa936deea793db07019febf4a6c543227337bd7
        • Opcode Fuzzy Hash: 7cd21256d08661d4eefe879962d933e7a9051a9aa49ec23cacfd0fd8735dfe10
        • Instruction Fuzzy Hash: 39312431205B15BBD2207B65AD48F6B3A5CDF45754F14003BFA85F62C2DBBCE9028AAD
        APIs
        • GetSystemDirectoryA.KERNEL32(004236C0,00000400), ref: 0040627F
        • GetWindowsDirectoryA.KERNEL32(004236C0,00000400,?,00420508,00000000,00405220,00420508,00000000), ref: 00406292
        • SHGetSpecialFolderLocation.SHELL32(00405220,00000000,?,00420508,00000000,00405220,00420508,00000000), ref: 004062CE
        • SHGetPathFromIDListA.SHELL32(00000000,004236C0), ref: 004062DC
        • CoTaskMemFree.OLE32(00000000), ref: 004062E8
        • lstrcatA.KERNEL32(004236C0,\Microsoft\Internet Explorer\Quick Launch), ref: 0040630C
        • lstrlenA.KERNEL32(004236C0,?,00420508,00000000,00405220,00420508,00000000,00000000,00000000,00000000), ref: 0040635E
        Strings
        • Software\Microsoft\Windows\CurrentVersion, xrefs: 0040624E
        • \Microsoft\Internet Explorer\Quick Launch, xrefs: 00406306
        Memory Dump Source
        • Source File: 00000000.00000002.1498711239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1498694956.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1498724961.0000000000408000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1498738256.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1498738256.0000000000423000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1498738256.000000000042A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1498794320.000000000043B000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_PI_20052024.jbxd
        Similarity
        • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
        • String ID: Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
        • API String ID: 717251189-730719616
        • Opcode ID: 188556e7dd67b187b2ef37ee62a8a6cc26365b5387ae4cc73a5f120017cd6666
        • Instruction ID: 8fbc972aa6bd3719c406fe4e3ec738975147f7369702dd1472e60f0af39698f0
        • Opcode Fuzzy Hash: 188556e7dd67b187b2ef37ee62a8a6cc26365b5387ae4cc73a5f120017cd6666
        • Instruction Fuzzy Hash: 31610671900111AADF20AF65DC84BBE3BA4AB46310F12417FE953B62D1C73C49A2CB9D
        Memory Dump Source
        • Source File: 00000000.00000002.1498711239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1498694956.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1498724961.0000000000408000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1498738256.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1498738256.0000000000423000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1498738256.000000000042A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1498794320.000000000043B000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_PI_20052024.jbxd
        Similarity
        • API ID: CountTick$wsprintf
        • String ID: ... %d%%$8A$8A$xA
        • API String ID: 551687249-3243659074
        • Opcode ID: 145cb7f0f1a4d58596aa3ea4fbc553685855696f4e517d36b82761c798af3a57
        • Instruction ID: 5859ff30484dbc6f12110d744d50748fce684291dc682ebadfc23bb097a10b04
        • Opcode Fuzzy Hash: 145cb7f0f1a4d58596aa3ea4fbc553685855696f4e517d36b82761c798af3a57
        • Instruction Fuzzy Hash: BA515E71900219ABCB10AF66D944A9F7BACEF44756F1481BFE810B72D1C738CA41CBAD
        APIs
        • CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\PI_20052024.exe",756F3410,C:\Users\user\AppData\Local\Temp\,00000000,004032ED,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403524,?,00000007,00000009,0000000B), ref: 004063F4
        • CharNextA.USER32(?,?,?,00000000,?,00000007,00000009,0000000B), ref: 00406401
        • CharNextA.USER32(?,"C:\Users\user\Desktop\PI_20052024.exe",756F3410,C:\Users\user\AppData\Local\Temp\,00000000,004032ED,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403524,?,00000007,00000009,0000000B), ref: 00406406
        • CharPrevA.USER32(?,?,756F3410,C:\Users\user\AppData\Local\Temp\,00000000,004032ED,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403524,?,00000007,00000009,0000000B), ref: 00406416
        Strings
        • C:\Users\user\AppData\Local\Temp\, xrefs: 0040639D
        • *?|<>/":, xrefs: 004063E4
        • "C:\Users\user\Desktop\PI_20052024.exe", xrefs: 004063D8
        Memory Dump Source
        • Source File: 00000000.00000002.1498711239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1498694956.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1498724961.0000000000408000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1498738256.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1498738256.0000000000423000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1498738256.000000000042A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1498794320.000000000043B000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_PI_20052024.jbxd
        Similarity
        • API ID: Char$Next$Prev
        • String ID: "C:\Users\user\Desktop\PI_20052024.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
        • API String ID: 589700163-4273723975
        • Opcode ID: 6d9cd5a565d063f7c871d931481108c2ccc59b6be6080685bd61ccbc84ff8956
        • Instruction ID: d9f0ee3981b821fe41e3526cabf2d3b5ed91aab2121061eeaaee8554b2496e7d
        • Opcode Fuzzy Hash: 6d9cd5a565d063f7c871d931481108c2ccc59b6be6080685bd61ccbc84ff8956
        • Instruction Fuzzy Hash: 161108518047A129FB3206384C44B777FD84F97760F1A507BE9C2722C2D67C5CA68BAD
        APIs
        • GetWindowLongA.USER32(?,000000EB), ref: 004041C9
        • GetSysColor.USER32(00000000), ref: 00404207
        • SetTextColor.GDI32(?,00000000), ref: 00404213
        • SetBkMode.GDI32(?,?), ref: 0040421F
        • GetSysColor.USER32(?), ref: 00404232
        • SetBkColor.GDI32(?,?), ref: 00404242
        • DeleteObject.GDI32(?), ref: 0040425C
        • CreateBrushIndirect.GDI32(?), ref: 00404266
        Memory Dump Source
        • Source File: 00000000.00000002.1498711239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1498694956.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1498724961.0000000000408000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1498738256.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1498738256.0000000000423000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1498738256.000000000042A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1498794320.000000000043B000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_PI_20052024.jbxd
        Similarity
        • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
        • String ID:
        • API String ID: 2320649405-0
        • Opcode ID: dc1d3e55db8ec23378b3830e5d111dcc895b5f12cd74b581ce4b7be4d8059b2f
        • Instruction ID: aaf6f474a4af46f2497c0aff4df426b114d26e681d2b1e7af029b8f8d9950092
        • Opcode Fuzzy Hash: dc1d3e55db8ec23378b3830e5d111dcc895b5f12cd74b581ce4b7be4d8059b2f
        • Instruction Fuzzy Hash: 422162B16007049BCB20DF78D908F5BBBF8AF81754B048A6EF992A22E1D734E944CB54
        APIs
        • lstrlenA.KERNEL32(00420508,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00403208,00000000,?), ref: 00405221
        • lstrlenA.KERNEL32(00403208,00420508,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00403208,00000000), ref: 00405231
        • lstrcatA.KERNEL32(00420508,00403208,00403208,00420508,00000000,00000000,00000000), ref: 00405244
        • SetWindowTextA.USER32(00420508,00420508), ref: 00405256
        • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040527C
        • SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405296
        • SendMessageA.USER32(?,00001013,?,00000000), ref: 004052A4
        Memory Dump Source
        • Source File: 00000000.00000002.1498711239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1498694956.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1498724961.0000000000408000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1498738256.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1498738256.0000000000423000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1498738256.000000000042A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1498794320.000000000043B000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_PI_20052024.jbxd
        Similarity
        • API ID: MessageSend$lstrlen$TextWindowlstrcat
        • String ID:
        • API String ID: 2531174081-0
        • Opcode ID: b08f2dfb0154d146624c2a85736964c18aae38e83127c4de365ddcd676addf21
        • Instruction ID: 13bf9d5a188301c634d68c5bb2c809f87baf544d33da629d3068cd84ff66c9cb
        • Opcode Fuzzy Hash: b08f2dfb0154d146624c2a85736964c18aae38e83127c4de365ddcd676addf21
        • Instruction Fuzzy Hash: 7F218C71E00518BBDB119FA5DD81A9EBFB9EF09354F14807AF544B6290C7798A808F98
        APIs
        • SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 00404AB3
        • GetMessagePos.USER32 ref: 00404ABB
        • ScreenToClient.USER32(?,?), ref: 00404AD5
        • SendMessageA.USER32(?,00001111,00000000,?), ref: 00404AE7
        • SendMessageA.USER32(?,0000110C,00000000,?), ref: 00404B0D
        Memory Dump Source
        • Source File: 00000000.00000002.1498711239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1498694956.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1498724961.0000000000408000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1498738256.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1498738256.0000000000423000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1498738256.000000000042A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1498794320.000000000043B000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_PI_20052024.jbxd
        Similarity
        • API ID: Message$Send$ClientScreen
        • String ID: f
        • API String ID: 41195575-1993550816
        • Opcode ID: fae6ee4ef260730fd0e6baeb46c05ac4d0d99299cd6b7910a3b5b88b2e21feb9
        • Instruction ID: c5e689f19116b5cd7588311b3231e42886eb7a503382143ef86565be6c6ceac4
        • Opcode Fuzzy Hash: fae6ee4ef260730fd0e6baeb46c05ac4d0d99299cd6b7910a3b5b88b2e21feb9
        • Instruction Fuzzy Hash: 98015E71A40219BADB00DBA4DD85BFFBBBCAF59711F10016BBB40B61D0C7B499458BA8
        APIs
        • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402DD5
        • MulDiv.KERNEL32(?,00000064,?), ref: 00402E00
        • wsprintfA.USER32 ref: 00402E10
        • SetWindowTextA.USER32(?,?), ref: 00402E20
        • SetDlgItemTextA.USER32(?,00000406,?), ref: 00402E32
        Strings
        • verifying installer: %d%%, xrefs: 00402E0A
        Memory Dump Source
        • Source File: 00000000.00000002.1498711239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1498694956.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1498724961.0000000000408000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1498738256.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1498738256.0000000000423000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1498738256.000000000042A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1498794320.000000000043B000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_PI_20052024.jbxd
        Similarity
        • API ID: Text$ItemTimerWindowwsprintf
        • String ID: verifying installer: %d%%
        • API String ID: 1451636040-82062127
        • Opcode ID: c12f5796f431ffac12d06fef0705727a44af994ad502cf00351caa1c45e3c2e6
        • Instruction ID: 483ea5b0a2f0e0c8b194c47557f81135a9cf1dc15d145a61dc19a9cae62ee66c
        • Opcode Fuzzy Hash: c12f5796f431ffac12d06fef0705727a44af994ad502cf00351caa1c45e3c2e6
        • Instruction Fuzzy Hash: CD014F70640209BBEF10AF60DE09EEE37A9AB04305F008039FA06A51D0DBB499559B59
        APIs
        • CreateDirectoryA.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\), ref: 004056F1
        • GetLastError.KERNEL32 ref: 00405705
        • SetFileSecurityA.ADVAPI32(?,80000007,00000001), ref: 0040571A
        • GetLastError.KERNEL32 ref: 00405724
        Strings
        • C:\Users\user\AppData\Local\Temp\, xrefs: 004056D4
        • C:\Users\user\Desktop, xrefs: 004056AE
        Memory Dump Source
        • Source File: 00000000.00000002.1498711239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1498694956.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1498724961.0000000000408000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1498738256.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1498738256.0000000000423000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1498738256.000000000042A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1498794320.000000000043B000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_PI_20052024.jbxd
        Similarity
        • API ID: ErrorLast$CreateDirectoryFileSecurity
        • String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop
        • API String ID: 3449924974-4029896129
        • Opcode ID: daf6715ee4a9a889a1accaf74548b3993ec7aecc528708590295bf6406307990
        • Instruction ID: 8fda383858cfa3d81fea8572b973588b51770532f266deb4a47d6cf866d68d21
        • Opcode Fuzzy Hash: daf6715ee4a9a889a1accaf74548b3993ec7aecc528708590295bf6406307990
        • Instruction Fuzzy Hash: 5E010871C00219EADF009BA0D944BEFBBB4EB04354F00403AD545B6190EB799648DF99
        APIs
        • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 00402833
        • GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,000000F0), ref: 0040284F
        • GlobalFree.KERNEL32(?), ref: 0040288E
        • GlobalFree.KERNEL32(00000000), ref: 004028A1
        • CloseHandle.KERNEL32(?,?,?,?,000000F0), ref: 004028B9
        • DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 004028CD
        Memory Dump Source
        • Source File: 00000000.00000002.1498711239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1498694956.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1498724961.0000000000408000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1498738256.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1498738256.0000000000423000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1498738256.000000000042A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1498794320.000000000043B000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_PI_20052024.jbxd
        Similarity
        • API ID: Global$AllocFree$CloseDeleteFileHandle
        • String ID:
        • API String ID: 2667972263-0
        • Opcode ID: a7d1c20f5851c824e4d256ca6f8f0821325b31d261d7a450b2cf241459bb73ae
        • Instruction ID: 07af861edfd5d45cc772d4460453d41526fe3ac71611944f2ada717c13252223
        • Opcode Fuzzy Hash: a7d1c20f5851c824e4d256ca6f8f0821325b31d261d7a450b2cf241459bb73ae
        • Instruction Fuzzy Hash: 83218D72800128BBDF217FA5CE48D9E7E79EF09364F10423EF551762D1C67949418FA8
        APIs
        • lstrlenA.KERNEL32(00420D28,00420D28,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,004048A9,000000DF,00000000,00000400,?), ref: 00404A2C
        • wsprintfA.USER32 ref: 00404A34
        • SetDlgItemTextA.USER32(?,00420D28), ref: 00404A47
        Memory Dump Source
        • Source File: 00000000.00000002.1498711239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1498694956.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1498724961.0000000000408000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1498738256.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1498738256.0000000000423000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1498738256.000000000042A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1498794320.000000000043B000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_PI_20052024.jbxd
        Similarity
        • API ID: ItemTextlstrlenwsprintf
        • String ID: %u.%u%s%s$(B
        • API String ID: 3540041739-1796307841
        • Opcode ID: 7464479753e629812bdf3700d903353588bc249d3655e79db3f03f4f51d42954
        • Instruction ID: 1301199a10d6bfa0f795ae51e8cceb2c664c9f74d195b05cdaf9af1bfefcf64c
        • Opcode Fuzzy Hash: 7464479753e629812bdf3700d903353588bc249d3655e79db3f03f4f51d42954
        • Instruction Fuzzy Hash: 7A11B7B36041286BEB0066799C46EAF32D9DB85374F250237FA26F61D1E9788C5281A9
        APIs
        • lstrcatA.KERNEL32(00000000,00000000,0040A408,0042A800,00000000,00000000,00000031), ref: 00401798
        • CompareFileTime.KERNEL32(-00000014,?,0040A408,0040A408,00000000,00000000,0040A408,0042A800,00000000,00000000,00000031), ref: 004017C2
          • Part of subcall function 004060C1: lstrcpynA.KERNEL32(?,?,00000400,004033E4,00423F20,NSIS Error,?,00000007,00000009,0000000B), ref: 004060CE
          • Part of subcall function 004051E8: lstrlenA.KERNEL32(00420508,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00403208,00000000,?), ref: 00405221
          • Part of subcall function 004051E8: lstrlenA.KERNEL32(00403208,00420508,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00403208,00000000), ref: 00405231
          • Part of subcall function 004051E8: lstrcatA.KERNEL32(00420508,00403208,00403208,00420508,00000000,00000000,00000000), ref: 00405244
          • Part of subcall function 004051E8: SetWindowTextA.USER32(00420508,00420508), ref: 00405256
          • Part of subcall function 004051E8: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040527C
          • Part of subcall function 004051E8: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405296
          • Part of subcall function 004051E8: SendMessageA.USER32(?,00001013,?,00000000), ref: 004052A4
        Similarity
        • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
        • String ID:
        • API String ID: 1941528284-0
        APIs
        • RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402D24
        • RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402D70
        • RegCloseKey.ADVAPI32(?,?,?), ref: 00402D79
        • RegDeleteKeyA.ADVAPI32(?,?), ref: 00402D90
        • RegCloseKey.ADVAPI32(?,?,?), ref: 00402D9B
        Similarity
        • API ID: CloseEnum$DeleteValue
        • String ID:
        • API String ID: 1354259210-0
        APIs
        • GetDlgItem.USER32(?,?), ref: 00401D7E
        • GetClientRect.USER32(?,?), ref: 00401DCC
        • LoadImageA.USER32(?,?,?,?,?,?), ref: 00401DFC
        • SendMessageA.USER32(?,00000172,?,00000000), ref: 00401E10
        • DeleteObject.GDI32(00000000), ref: 00401E20
        Similarity
        • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
        • String ID:
        • API String ID: 1849352358-0
        APIs
        • GetDC.USER32(?), ref: 00401E38
        • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E52
        • MulDiv.KERNEL32(00000000,00000000), ref: 00401E5A
        • ReleaseDC.USER32(?,00000000), ref: 00401E6B
        • CreateFontIndirectA.GDI32(0040B808), ref: 00401EBA
        Similarity
        • API ID: CapsCreateDeviceFontIndirectRelease
        • String ID:
        • API String ID: 3808545654-0
        APIs
        • SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C9E
        • SendMessageA.USER32(00000000,00000000,?,?), ref: 00401CB6
        Similarity
        • API ID: MessageSend$Timeout
        • String ID: !
        • API String ID: 1777923405-2657877971
        APIs
          • Part of subcall function 004060C1: lstrcpynA.KERNEL32(?,?,00000400,004033E4,00423F20,NSIS Error,?,00000007,00000009,0000000B), ref: 004060CE
          • Part of subcall function 00405AF2: CharNextA.USER32(?,?,00422130,?,00405B5E,00422130,00422130,756F3410,?,C:\Users\user\AppData\Local\Temp\,004058A9,?,756F3410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405B00
          • Part of subcall function 00405AF2: CharNextA.USER32(00000000), ref: 00405B05
          • Part of subcall function 00405AF2: CharNextA.USER32(00000000), ref: 00405B19
        • lstrlenA.KERNEL32(00422130,00000000,00422130,00422130,756F3410,?,C:\Users\user\AppData\Local\Temp\,004058A9,?,756F3410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405B9A
        • GetFileAttributesA.KERNEL32(00422130,00422130,00422130,00422130,00422130,00422130,00000000,00422130,00422130,756F3410,?,C:\Users\user\AppData\Local\Temp\,004058A9,?,756F3410,C:\Users\user\AppData\Local\Temp\), ref: 00405BAA
        Similarity
        • API ID: CharNext$AttributesFilelstrcpynlstrlen
        • String ID: 0!B$C:\Users\user\AppData\Local\Temp\
        • API String ID: 3248276644-1033416423
        APIs
        • lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,004032FF,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403524,?,00000007,00000009,0000000B), ref: 00405A5F
        • CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,004032FF,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403524,?,00000007,00000009,0000000B), ref: 00405A68
        • lstrcatA.KERNEL32(?,0040A014,?,00000007,00000009,0000000B), ref: 00405A79
        Strings
        • C:\Users\user\AppData\Local\Temp\, xrefs: 00405A59
        Similarity
        • API ID: CharPrevlstrcatlstrlen
        • String ID: C:\Users\user\AppData\Local\Temp\
        • API String ID: 2659869361-1881609536
        APIs
        • GetModuleHandleA.KERNEL32(00000000,00000001,000000F0), ref: 004020C8
          • Part of subcall function 004051E8: lstrlenA.KERNEL32(00420508,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00403208,00000000,?), ref: 00405221
          • Part of subcall function 004051E8: lstrlenA.KERNEL32(00403208,00420508,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00403208,00000000), ref: 00405231
          • Part of subcall function 004051E8: lstrcatA.KERNEL32(00420508,00403208,00403208,00420508,00000000,00000000,00000000), ref: 00405244
          • Part of subcall function 004051E8: SetWindowTextA.USER32(00420508,00420508), ref: 00405256
          • Part of subcall function 004051E8: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040527C
          • Part of subcall function 004051E8: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405296
          • Part of subcall function 004051E8: SendMessageA.USER32(?,00001013,?,00000000), ref: 004052A4
        • LoadLibraryExA.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 004020D8
        • GetProcAddress.KERNEL32(00000000,?), ref: 004020E8
        • FreeLibrary.KERNEL32(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 00402152
        Similarity
        • API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
        • String ID:
        • API String ID: 2987980305-0
        APIs
        • DestroyWindow.USER32(?,00000000,0040301B,00000001), ref: 00402E50
        • GetTickCount.KERNEL32 ref: 00402E6E
        • CreateDialogParamA.USER32(0000006F,00000000,00402DBA,00000000), ref: 00402E8B
        • ShowWindow.USER32(00000000,00000005), ref: 00402E99
        Similarity
        • API ID: Window$CountCreateDestroyDialogParamShowTick
        • String ID:
        • API String ID: 2102729457-0
        APIs
        • IsWindowVisible.USER32(?), ref: 0040518B
        • CallWindowProcA.USER32(?,?,?,?), ref: 004051DC
          • Part of subcall function 00404191: SendMessageA.USER32(00000000,00000000,00000000,00000000), ref: 004041A3
        Similarity
        • API ID: Window$CallMessageProcSendVisible
        • String ID:
        • API String ID: 3748168415-3916222277
        APIs
        • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00422530,Error launching installer), ref: 00405789
        • CloseHandle.KERNEL32(?), ref: 00405796
        Strings
        • Error launching installer, xrefs: 00405773
        Similarity
        • API ID: CloseCreateHandleProcess
        • String ID: Error launching installer
        • API String ID: 3712363035-66219284
        APIs
        • FreeLibrary.KERNEL32(?,756F3410,00000000,C:\Users\user\AppData\Local\Temp\,00403817,00403631,?,?,00000007,00000009,0000000B), ref: 00403859
        • GlobalFree.KERNEL32(?), ref: 00403860
        Strings
        • C:\Users\user\AppData\Local\Temp\, xrefs: 0040383F
        Similarity
        • API ID: Free$GlobalLibrary
        • String ID: C:\Users\user\AppData\Local\Temp\
        • API String ID: 1100898210-1881609536
        APIs
        • lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402F0D,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\PI_20052024.exe,C:\Users\user\Desktop\PI_20052024.exe,80000000,00000003), ref: 00405AA6
        • CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402F0D,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\PI_20052024.exe,C:\Users\user\Desktop\PI_20052024.exe,80000000,00000003), ref: 00405AB4
        Similarity
        • API ID: CharPrevlstrlen
        • String ID: C:\Users\user\Desktop
        • API String ID: 2709904686-4267323751
        Memory Dump Source
        • Source File: 00000000.00000002.1498711239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1498694956.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1498724961.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1498738256.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1498738256.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1498738256.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1498794320.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_PI_20052024.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 126d375e0cd8dd3c96d9f56c9c2b4ea3570e5546f357d91bfce8ff404d349699
        • Instruction ID: 2508fafb39113fa530b835c7ee7350b0f579aeff726ee83cf5aef614fa8a9c48
        • Opcode Fuzzy Hash: 126d375e0cd8dd3c96d9f56c9c2b4ea3570e5546f357d91bfce8ff404d349699
        • Instruction Fuzzy Hash: A3A14271E00229CBDB28CFA8C8547ADBBB1FF44305F15816AD856BB281C7786A96DF44
        Memory Dump Source
        • Source File: 00000000.00000002.1498711239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1498694956.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1498724961.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1498738256.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1498738256.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1498738256.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1498794320.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_PI_20052024.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 7d0c270478a2f9a3adf3a01af42e260dfbb4be2f4416bec3860fa0cf1f45473d
        • Instruction ID: f0f32deb93356653934a7f7f8ad788a679267befe7528616fd809e2a8ddaf9c6
        • Opcode Fuzzy Hash: 7d0c270478a2f9a3adf3a01af42e260dfbb4be2f4416bec3860fa0cf1f45473d
        • Instruction Fuzzy Hash: C8913070D00229CBDF28CF98C854BADBBB1FF44305F15816AD856BB281C779AA96DF44
        Memory Dump Source
        • Source File: 00000000.00000002.1498711239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1498694956.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1498724961.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1498738256.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1498738256.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1498738256.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1498794320.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_PI_20052024.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 79859cd80aa4a68261cc067353b3b3a3bb11021b997dedf9f01a815f4beecf4f
        • Instruction ID: e43b34c51a548f07c4fb140720fe79cc87a03685924cd857d2d075badb14d917
        • Opcode Fuzzy Hash: 79859cd80aa4a68261cc067353b3b3a3bb11021b997dedf9f01a815f4beecf4f
        • Instruction Fuzzy Hash: 2F815371D04229CBDF24CFA8C8847ADBBB1FB44305F25816AD456BB281C738AA96DF05
        Memory Dump Source
        • Source File: 00000000.00000002.1498711239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1498694956.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1498724961.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1498738256.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1498738256.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1498738256.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.1498794320.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_PI_20052024.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 51f3059c0ab10d0f6eca9bda3b9c7ef9d62a7fb15769fd34cf569834d4f38521
        • Instruction ID: 30cc61a65d8e7361f2687543d4853da4ee9de610700e1b42b944a6768b2f9653
        • Opcode Fuzzy Hash: 51f3059c0ab10d0f6eca9bda3b9c7ef9d62a7fb15769fd34cf569834d4f38521
        • Instruction Fuzzy Hash: D4817771D04229CBDF24CFA9C8447AEBBB0FF44305F21816AD856BB281C7796A86DF45
        Memory Dump Source
        • Source File: 00000000.00000002.1498711239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1498694956.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1498724961.0000000000408000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1498738256.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1498738256.0000000000423000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1498738256.000000000042A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1498794320.000000000043B000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_PI_20052024.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: ae4b4001fee964b3ec39fcc62e642dbd1d089b63cfe1c3a3d4f330af07c9f72e
        • Instruction ID: 0ea1ed3bc64708edefeb163875b4580728164d017b9a5fabf4c3c9e69b53418c
        • Opcode Fuzzy Hash: ae4b4001fee964b3ec39fcc62e642dbd1d089b63cfe1c3a3d4f330af07c9f72e
        • Instruction Fuzzy Hash: 96712371D00229CBDF24CF98C854BADBBB1FF48305F15816AD856B7281C7395A96DF44
        Memory Dump Source
        • Source File: 00000000.00000002.1498711239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1498694956.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1498724961.0000000000408000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1498738256.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1498738256.0000000000423000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1498738256.000000000042A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1498794320.000000000043B000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_PI_20052024.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 46e38dc9042d38c3d36f7f10ec43a7b3aa55cd06347f931a7d3c587032d94121
        • Instruction ID: f909a51a05dfa9c5f202b5373a38b9e5f11f80519cee44c22f430a43d8e85a48
        • Opcode Fuzzy Hash: 46e38dc9042d38c3d36f7f10ec43a7b3aa55cd06347f931a7d3c587032d94121
        • Instruction Fuzzy Hash: 74713371E00229CBDF28CF98C844BADBBB1FF44305F15816AD856BB281C7796A96DF44
        Memory Dump Source
        • Source File: 00000000.00000002.1498711239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1498694956.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1498724961.0000000000408000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1498738256.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1498738256.0000000000423000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1498738256.000000000042A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1498794320.000000000043B000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_PI_20052024.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 0acf286bb029991ed8d3626521cf090d2a7bfbfd73cbce5b83777d77729d6ca6
        • Instruction ID: 8ba59c5cd0d20fcb356abc66f065f0fd9b5ab0142fa9d7a08340707df7706276
        • Opcode Fuzzy Hash: 0acf286bb029991ed8d3626521cf090d2a7bfbfd73cbce5b83777d77729d6ca6
        • Instruction Fuzzy Hash: 2A715571D00229CBDF28CF98C844BADBBB1FF44305F15816AD856B7281C779AA96DF44
        APIs
        • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405E1A,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405BCF
        • lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405BE7
        • CharNextA.USER32(00000000,?,00000000,00405E1A,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405BF8
        • lstrlenA.KERNEL32(00000000,?,00000000,00405E1A,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405C01
        Memory Dump Source
        • Source File: 00000000.00000002.1498711239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1498694956.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1498724961.0000000000408000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1498738256.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1498738256.0000000000423000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1498738256.000000000042A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1498794320.000000000043B000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_PI_20052024.jbxd
        Similarity
        • API ID: lstrlen$CharNextlstrcmpi
        • String ID:
        • API String ID: 190613189-0
        • Opcode ID: b2794e6bf21c90d62e2ecb38362cfad12420dfe545fda3f665c5114a80d4c16b
        • Instruction ID: 9eba209a39fe6667a971e8652d35f93e0e0dd93f5ee50219908c4175a565a31b
        • Opcode Fuzzy Hash: b2794e6bf21c90d62e2ecb38362cfad12420dfe545fda3f665c5114a80d4c16b
        • Instruction Fuzzy Hash: C7F0F631204914FFDB02DFA4DD40D9FBBA8EF56350B2540B9E840F7211D634EE01ABA8