Windows Analysis Report
7Y18r(199).exe

Overview

General Information

Sample name: 7Y18r(199).exe
Analysis ID: 1482720
MD5: 9d4867440293a300aa47fde46d955d40
SHA1: fb7ef415c72441bb661449799f36eb2602d84257
SHA256: bffd5fbda2b41386e9022bd0e81e95fe597453a51793302b836d20b1885203f8
Tags: exe

Detection

Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Machine Learning detection for sample
Contains functionality for read data from the clipboard
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Drops PE files
Found dropped PE file which has not been started or loaded
Sample file is different than original file name gathered from version info
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses 32bit PE files

Classification

  • System is w10x64
  • 7Y18r(199).exe (PID: 1616 cmdline: "C:\Users\user\Desktop\7Y18r(199).exe" MD5: 9D4867440293A300AA47FDE46D955D40)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched
Timestamp: 2024-07-26T02:46:36.149638+0200
SID: 2022930
Source Port: 443
Destination Port: 49723
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 2024-07-26T02:45:58.511295+0200
SID: 2022930
Source Port: 443
Destination Port: 49714
Protocol: TCP
Classtype: A Network Trojan was detected


AV Detection

Source: 7Y18r(199).exe | Avira: detected
Source: http://rep.pe-sigh.biz/launch_v5.php?p=sevenzip&pid=1505&tid=4188027&b_typ=pe&n= | Virustotal: Detection: 9%
Source: http://rep.pe-work.biz/launch_v5.php?p=sevenzip&pid=1505&tid=4188027&b_typ=pe&n= | Virustotal: Detection: 8%
Source: 7Y18r(199).exe | ReversingLabs: Detection: 76%
Source: 7Y18r(199).exe | Virustotal: Detection: 79%
Source: 7Y18r(199).exe | Joe Sandbox ML: detected
Source: 7Y18r(199).exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\7Y18r(199).exe | Code function: 0_2_00405315 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,0_2_00405315
Source: C:\Users\user\Desktop\7Y18r(199).exe | Code function: 0_2_00405CEB FindFirstFileA,FindClose,0_2_00405CEB
Source: C:\Users\user\Desktop\7Y18r(199).exe | Code function: 0_2_0040263E FindFirstFileA,0_2_0040263E
Source: unknown | DNS traffic detected: query: rep.pe-work.biz replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: rep.pe-sigh.biz replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: rep.pe-rar.biz replaycode: Name error (3)
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: rep.pe-sigh.biz
Source: global traffic | DNS traffic detected: DNS query: rep.pe-work.biz
Source: global traffic | DNS traffic detected: DNS query: rep.pe-rar.biz
Source: 7Y18r(199).exe | String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: 7Y18r(199).exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: 7Y18r(199).exe, 00000000.00000002.3358489089.0000000000AFE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://rep.pe-rar.biz/error.php?string=
Source: 7Y18r(199).exe, 00000000.00000002.3358489089.0000000000AFE000.00000004.00000020.00020000.00000000.sdmp, 7Y18r(199).exe, 00000000.00000002.3358489089.0000000000B50000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://rep.pe-rar.biz/error.php?string=ZmF0YWwsNixpbXByb3BlciBjb25maWcsJHtTVEFSVFVSTDN9LCxybw==
Source: 7Y18r(199).exe, 00000000.00000002.3358489089.0000000000B50000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://rep.pe-rar.biz/error.php?string=ZmF0YWwsNixpbXByb3BlciBjb25maWcsJHtTVEFSVFVSTDN9LCxybw==D
Source: 7Y18r(199).exe, 00000000.00000002.3358489089.0000000000AFE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://rep.pe-sigh.biz/launch_v5.php?p=sevenzip&pid=1505&tid=4188027&b_typ=pe&n=
Source: 7Y18r(199).exe, 00000000.00000002.3358489089.0000000000AFE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://rep.pe-wok.biz/stats.php?bu=
Source: 7Y18r(199).exe, 00000000.00000002.3358489089.0000000000AFE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://rep.pe-work.biz/launch_v5.php?p=sevenzip&pid=1505&tid=4188027&b_typ=pe&n=
Source: C:\Users\user\Desktop\7Y18r(199).exe | Code function: 0_2_00404ECC GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,0_2_00404ECC
Source: C:\Users\user\Desktop\7Y18r(199).exe | Code function: 0_2_004030DE EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,0_2_004030DE
Source: C:\Users\user\Desktop\7Y18r(199).exe | Code function: 0_2_004046DD
Source: 7Y18r(199).exe, 00000000.00000002.3358003440.000000000078D000.00000004.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameButtonEvent.dllR vs 7Y18r(199).exe
Source: 7Y18r(199).exe, 00000000.00000002.3358907819.000000006E5A4000.00000002.00000001.01000000.00000006.sdmp | Binary or memory string: OriginalFilenameButtonEvent.dllR vs 7Y18r(199).exe
Source: 7Y18r(199).exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: classification engine | Classification label: mal68.winEXE@1/6@3/0
Source: C:\Users\user\Desktop\7Y18r(199).exe | Code function: 0_2_004041E0 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,0_2_004041E0
Source: C:\Users\user\Desktop\7Y18r(199).exe | Code function: 0_2_00402020 CoCreateInstance,MultiByteToWideChar,0_2_00402020
Source: C:\Users\user\Desktop\7Y18r(199).exe | File created: C:\Users\user\AppData\Local\Temp\nssD680.tmp
Source: 7Y18r(199).exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\7Y18r(199).exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\7Y18r(199).exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 7Y18r(199).exe | ReversingLabs: Detection: 76%
Source: 7Y18r(199).exe | Virustotal: Detection: 79%
Source: C:\Users\user\Desktop\7Y18r(199).exe | File read: C:\Users\user\Desktop\7Y18r(199).exe
Source: C:\Users\user\Desktop\7Y18r(199).exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\7Y18r(199).exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\7Y18r(199).exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\7Y18r(199).exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\7Y18r(199).exe | Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\7Y18r(199).exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\7Y18r(199).exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\7Y18r(199).exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\7Y18r(199).exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\7Y18r(199).exe | Section loaded: napinsp.dll
Source: C:\Users\user\Desktop\7Y18r(199).exe | Section loaded: pnrpnsp.dll
Source: C:\Users\user\Desktop\7Y18r(199).exe | Section loaded: wshbth.dll
Source: C:\Users\user\Desktop\7Y18r(199).exe | Section loaded: nlaapi.dll
Source: C:\Users\user\Desktop\7Y18r(199).exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\7Y18r(199).exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\7Y18r(199).exe | Section loaded: winrnr.dll
Source: C:\Users\user\Desktop\7Y18r(199).exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\7Y18r(199).exe | Section loaded: napinsp.dll
Source: C:\Users\user\Desktop\7Y18r(199).exe | Section loaded: pnrpnsp.dll
Source: C:\Users\user\Desktop\7Y18r(199).exe | Section loaded: wshbth.dll
Source: C:\Users\user\Desktop\7Y18r(199).exe | Section loaded: nlaapi.dll
Source: C:\Users\user\Desktop\7Y18r(199).exe | Section loaded: winrnr.dll
Source: C:\Users\user\Desktop\7Y18r(199).exe | Section loaded: napinsp.dll
Source: C:\Users\user\Desktop\7Y18r(199).exe | Section loaded: pnrpnsp.dll
Source: C:\Users\user\Desktop\7Y18r(199).exe | Section loaded: wshbth.dll
Source: C:\Users\user\Desktop\7Y18r(199).exe | Section loaded: nlaapi.dll
Source: C:\Users\user\Desktop\7Y18r(199).exe | Section loaded: winrnr.dll
Source: C:\Users\user\Desktop\7Y18r(199).exe | Section loaded: riched20.dll
Source: C:\Users\user\Desktop\7Y18r(199).exe | Section loaded: usp10.dll
Source: C:\Users\user\Desktop\7Y18r(199).exe | Section loaded: msls31.dll
Source: C:\Users\user\Desktop\7Y18r(199).exe | Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\7Y18r(199).exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\7Y18r(199).exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\7Y18r(199).exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\7Y18r(199).exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\7Y18r(199).exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\7Y18r(199).exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\7Y18r(199).exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\7Y18r(199).exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\7Y18r(199).exe | Section loaded: napinsp.dll
Source: C:\Users\user\Desktop\7Y18r(199).exe | Section loaded: pnrpnsp.dll
Source: C:\Users\user\Desktop\7Y18r(199).exe | Section loaded: wshbth.dll
Source: C:\Users\user\Desktop\7Y18r(199).exe | Section loaded: nlaapi.dll
Source: C:\Users\user\Desktop\7Y18r(199).exe | Section loaded: winrnr.dll
Source: C:\Users\user\Desktop\7Y18r(199).exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Users\user\Desktop\7Y18r(199).exe | Automated click: Install
Source: C:\Users\user\Desktop\7Y18r(199).exe | Automated click: OK
Source: C:\Users\user\Desktop\7Y18r(199).exe | Automated click: Install
Source: C:\Users\user\Desktop\7Y18r(199).exe | Automated click: OK
Source: C:\Users\user\Desktop\7Y18r(199).exe | Code function: 0_2_00405D12 GetModuleHandleA,LoadLibraryA,GetProcAddress,0_2_00405D12
Source: C:\Users\user\Desktop\7Y18r(199).exe | File created: C:\Users\user\AppData\Local\Temp\nshD690.tmp\nsDialogs.dll
Source: C:\Users\user\Desktop\7Y18r(199).exe | File created: C:\Users\user\AppData\Local\Temp\nshD690.tmp\NSISdl.dll
Source: C:\Users\user\Desktop\7Y18r(199).exe | File created: C:\Users\user\AppData\Local\Temp\nshD690.tmp\ButtonEvent.dll
Source: C:\Users\user\Desktop\7Y18r(199).exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\7Y18r(199).exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nshD690.tmp\nsDialogs.dll
Source: C:\Users\user\Desktop\7Y18r(199).exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nshD690.tmp\NSISdl.dll
Source: C:\Users\user\Desktop\7Y18r(199).exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nshD690.tmp\ButtonEvent.dll
Source: C:\Users\user\Desktop\7Y18r(199).exe | Code function: 0_2_00405315 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,0_2_00405315
Source: C:\Users\user\Desktop\7Y18r(199).exe | Code function: 0_2_00405CEB FindFirstFileA,FindClose,0_2_00405CEB
Source: C:\Users\user\Desktop\7Y18r(199).exe | Code function: 0_2_0040263E FindFirstFileA,0_2_0040263E
Source: 7Y18r(199).exe, 00000000.00000002.3358489089.0000000000B6F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\7Y18r(199).exe | API call chain: ExitProcess graph end node | graph_0-3739
Source: C:\Users\user\Desktop\7Y18r(199).exe | API call chain: ExitProcess graph end node | graph_0-3743
Source: C:\Users\user\Desktop\7Y18r(199).exe | Code function: 0_2_00405D12 GetModuleHandleA,LoadLibraryA,GetProcAddress,0_2_00405D12
Source: C:\Users\user\Desktop\7Y18r(199).exe | Code function: 0_2_10001855 CreateControl,GetProcessHeap,GetProcessHeap,HeapAlloc,GetProcessHeap,GetProcessHeap,HeapReAlloc,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,CreateWindowExA,SetPropA,SendMessageA,SendMessageA,SendMessageA,SetWindowLongA,GetProcessHeap,HeapFree,0_2_10001855
Source: C:\Users\user\Desktop\7Y18r(199).exe | Code function: 0_2_00405A12 GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA,0_2_00405A12
MITRE ATT&CK Matrix (numbers in parentheses are the count of matching signatures for that technique)

  • Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses
  • Resource Development: Acquire Infrastructure; Domains; DNS Server
  • Initial Access: Valid Accounts; Default Accounts; Domain Accounts
  • Execution: Native API (1); Scheduled Task/Job; At
  • Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows)
  • Privilege Escalation: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows)
  • Defense Evasion: DLL Side-Loading (1); Rootkit; Obfuscated Files or Information
  • Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager
  • Discovery: Security Software Discovery (11); File and Directory Discovery (2); System Information Discovery (3)
  • Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares
  • Collection: Archive Collected Data (1); Clipboard Data (1); Data from Network Shared Drive
  • Command and Control: Encrypted Channel (1); Non-Application Layer Protocol (1); Application Layer Protocol (1)
  • Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration
  • Impact: System Shutdown/Reboot (1); Network Denial of Service; Data Encrypted for Impact
Antivirus detection, submitted sample:
Source | Detection | Scanner | Label
7Y18r(199).exe | 76% | ReversingLabs | Win32.Downloader.InstallMonster
7Y18r(199).exe | 79% | Virustotal |
7Y18r(199).exe | 100% | Avira | TR/Dldr.Agent.zeuoef
7Y18r(199).exe | 100% | Joe Sandbox ML |

Antivirus detection, dropped files:
Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\nshD690.tmp\ButtonEvent.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\nshD690.tmp\ButtonEvent.dll | 0% | Virustotal |
C:\Users\user\AppData\Local\Temp\nshD690.tmp\NSISdl.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\nshD690.tmp\NSISdl.dll | 1% | Virustotal |
C:\Users\user\AppData\Local\Temp\nshD690.tmp\nsDialogs.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\nshD690.tmp\nsDialogs.dll | 0% | Virustotal |

No Antivirus matches

Antivirus detection, domains:
Source | Detection | Scanner | Label
rep.pe-work.biz | 3% | Virustotal |
rep.pe-sigh.biz | 3% | Virustotal |
rep.pe-rar.biz | 1% | Virustotal |

Antivirus detection, URLs:
Source | Detection | Scanner | Label
http://nsis.sf.net/NSIS_Error | 0% | URL Reputation | safe
http://nsis.sf.net/NSIS_ErrorError | 0% | URL Reputation | safe
http://rep.pe-rar.biz/error.php?string= | 0% | Avira URL Cloud | safe
http://rep.pe-wok.biz/stats.php?bu= | 0% | Avira URL Cloud | safe
http://rep.pe-sigh.biz/launch_v5.php?p=sevenzip&pid=1505&tid=4188027&b_typ=pe&n= | 0% | Avira URL Cloud | safe
http://rep.pe-sigh.biz/launch_v5.php?p=sevenzip&pid=1505&tid=4188027&b_typ=pe&n= | 10% | Virustotal |
http://rep.pe-work.biz/launch_v5.php?p=sevenzip&pid=1505&tid=4188027&b_typ=pe&n= | 0% | Avira URL Cloud | safe
http://rep.pe-rar.biz/error.php?string= | 5% | Virustotal |
http://rep.pe-wok.biz/stats.php?bu= | 0% | Virustotal |
http://rep.pe-work.biz/launch_v5.php?p=sevenzip&pid=1505&tid=4188027&b_typ=pe&n= | 8% | Virustotal |
Contacted domains:
Name | IP | Active | Malicious | Antivirus Detection | Reputation
rep.pe-rar.biz | unknown | unknown | false | | unknown
rep.pe-work.biz | unknown | unknown | false | | unknown
rep.pe-sigh.biz | unknown | unknown | false | | unknown

Contacted URLs:
Name | Source | Malicious | Antivirus Detection | Reputation
http://rep.pe-sigh.biz/launch_v5.php?p=sevenzip&pid=1505&tid=4188027&b_typ=pe&n= | 7Y18r(199).exe, 00000000.00000002.3358489089.0000000000AFE000.00000004.00000020.00020000.00000000.sdmp | false | 10% Virustotal; Avira URL Cloud: safe | unknown
http://nsis.sf.net/NSIS_Error | 7Y18r(199).exe | false | URL Reputation: safe | unknown
http://nsis.sf.net/NSIS_ErrorError | 7Y18r(199).exe | false | URL Reputation: safe | unknown
http://rep.pe-rar.biz/error.php?string= | 7Y18r(199).exe, 00000000.00000002.3358489089.0000000000AFE000.00000004.00000020.00020000.00000000.sdmp | false | 5% Virustotal; Avira URL Cloud: safe | unknown
http://rep.pe-wok.biz/stats.php?bu= | 7Y18r(199).exe, 00000000.00000002.3358489089.0000000000AFE000.00000004.00000020.00020000.00000000.sdmp | false | 0% Virustotal; Avira URL Cloud: safe | unknown
http://rep.pe-work.biz/launch_v5.php?p=sevenzip&pid=1505&tid=4188027&b_typ=pe&n= | 7Y18r(199).exe, 00000000.00000002.3358489089.0000000000AFE000.00000004.00000020.00020000.00000000.sdmp | false | 8% Virustotal; Avira URL Cloud: safe | unknown
No contacted IP infos
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1482720
Start date and time: 2024-07-26 02:44:49 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 20s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 5
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 7Y18r(199).exe
Detection: MAL
Classification: mal68.winEXE@1/6@3/0
EGA Information:
  • Successful, ratio: 100%
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 28
  • Number of non-executed functions: 39
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
  • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
  • Report size getting too big, too many NtQueryValueKey calls found.
No simulations
No context
Joe Sandbox View, dropped files seen in other analyses (detection: malicious; threat name: Unknown for every entry):
Match: C:\Users\user\AppData\Local\Temp\nshD690.tmp\NSISdl.dll
  • https://www.zoominfo.com/pic/kirkham-insurance/354239330
  • https://www.zoominfo.com/pic/kirkham-insurance/354239330
  • VxJYz09IcU
  • atdhenettvapp_setup(19).exe
  • ZoomInfoContactContributor.exe
  • b6#U00af.exe
  • b6#U00af.exe
  • b6#U00af.exe
  • b6#U00af.exe
  • v17achbl9y.exe
Match: C:\Users\user\AppData\Local\Temp\nshD690.tmp\ButtonEvent.dll
  • General_Player_Eng_WIN32_V3.44.0.R.170421.exe
  • installer_office_portable_3_2_0_Italian.exe
Process: C:\Users\user\Desktop\7Y18r(199).exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 4608
Entropy (8bit): 4.423022883583039
Encrypted: false
SSDEEP: 96:hrA2+5HGZFYJf9D8IjDflDCoMzncsGSmE:hE2+5mMJfJ8v1zFGSm
MD5: 55788069D3FA4E1DAF80F3339FA86FE2
SHA1: D64E05C1879A92D5A8F9FF2FD2F1A53E1A53AE96
SHA-256: D6E429A063ADF637F4D19D4E2EB094D9FF27382B21A1F6DCCF9284AFB5FF8C7F
SHA-512: D3B1EEC76E571B657DF444C59C48CAD73A58D1A10FF463CE9F3ACD07ACCE17D589C3396AD5BDB94DA585DA08D422D863FFE1DE11F64298329455F6D8EE320616
Malicious: false
Antivirus:
  • Antivirus: ReversingLabs, Detection: 0%
  • Antivirus: Virustotal, Detection: 0%
Joe Sandbox View:
  • Filename: General_Player_Eng_WIN32_V3.44.0.R.170421.exe, Detection: malicious
  • Filename: installer_office_portable_3_2_0_Italian.exe, Detection: malicious
Reputation: low
Process: C:\Users\user\Desktop\7Y18r(199).exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 14848
Entropy (8bit): 6.054982561433298
Encrypted: false
SSDEEP: 192:tUZTobBDJ68r67wmsvJI5ad9cXzFOVu+mZ/P3p+57CvpVqDxVp01Dwn2GRPgsfA:6Bo/680dCI5adOjFOg9//p27uNw2Go
MD5: A5F8399A743AB7F9C88C645C35B1EBB5
SHA1: 168F3C158913B0367BF79FA413357FBE97018191
SHA-256: DACC88A12D3BA438FDAE3535DC7A5A1D389BCE13ADC993706424874A782E51C9
SHA-512: 824E567F5211BF09C7912537C7836D761B0934207612808E9A191F980375C6A97383DBC6B4A7121C6B5F508CBFD7542A781D6B6B196CA24841F73892EEC5E977
Malicious: false
Antivirus:
  • Antivirus: ReversingLabs, Detection: 0%
  • Antivirus: Virustotal, Detection: 1%
Joe Sandbox View:
  • Filename: , Detection: malicious
  • Filename: , Detection: malicious
  • Filename: VxJYz09IcU, Detection: malicious
  • Filename: atdhenettvapp_setup(19).exe, Detection: malicious
  • Filename: ZoomInfoContactContributor.exe, Detection: malicious
  • Filename: b6#U00af.exe, Detection: malicious
  • Filename: b6#U00af.exe, Detection: malicious
  • Filename: b6#U00af.exe, Detection: malicious
  • Filename: b6#U00af.exe, Detection: malicious
  • Filename: v17achbl9y.exe, Detection: malicious
Reputation: moderate, very likely benign file
Process: C:\Users\user\Desktop\7Y18r(199).exe
File Type: MS Windows icon resource - 1 icon, 16x16, 32 bits/pixel
Category: dropped
Size (bytes): 1086
Entropy (8bit): 4.357912248575182
Encrypted: false
SSDEEP: 12:pNU8l0KiapSTfreAyKATsQtmNsVp1UAizipykL0lx+p9qZqSaAta8gtE:pirzyFH5izsiI6Zquo8
MD5: 786B7D187A6BAA67B339F0AD2B8EDFD2
SHA1: A350EFD2659CCB594401A498DE31AE0B60863B03
SHA-256: 842ACB94BC9448FCAA78ED80436475D4C9581A46BB63099F8303AF29452180A2
SHA-512: 1FD8CB8E62939D53B835B4B11D97B40962E83CC5481F44057E4307FE6E4539324242785208DAD0A1D3BE229FB853C0DE62C1595AEDD467DB8ACC531B928F8853
Malicious: false
Reputation: low
Process: C:\Users\user\Desktop\7Y18r(199).exe
File Type: MS Windows icon resource - 1 icon, 16x16, 32 bits/pixel
Category: dropped
Size (bytes): 1086
Entropy (8bit): 4.691980963047559
Encrypted: false
SSDEEP: 24:dgqfNsSQSKdBjAKPGV1HJqXzJPAGOSaf:WKeddBjYVZyzJPAGO
MD5: BDB4885B084BB1CAFE9F025C2748B8A6
SHA1: 0EF35CFC44BC77311F97D4AC439D27EB08F1FBB2
SHA-256: 22FF9F7DAA35687958732A864A3506C157DDB7CBD7576C01A8B1658F2F55D17C
SHA-512: 97626CEAE1BA03E8CC15E4661CA0B520AA3C9319581E38C9FB17806DAD15C56A0FE5FC97BBD52B8E3D3623160B73C81B8DA4EFAE3BD698E72AECC974851CA0F9
Malicious: false
Reputation: low
                          Process:C:\Users\user\Desktop\7Y18r(199).exe
                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):9728
                          Entropy (8bit):5.054726426952
                          Encrypted:false
                          SSDEEP:96:hBABCcnl5TKhkfLxSslykcxM2DjDf3GE+Xv8Xav+Yx4VndY7ndS27gA:h6n+0SAfRE+/8ZYxMdqn420
                          MD5:C10E04DD4AD4277D5ADC951BB331C777
                          SHA1:B1E30808198A3AE6D6D1CCA62DF8893DC2A7AD43
                          SHA-256:E31AD6C6E82E603378CB6B80E67D0E0DCD9CF384E1199AC5A65CB4935680021A
                          SHA-512:853A5564BF751D40484EA482444C6958457CB4A17FB973CF870F03F201B8B2643BE41BCCDE00F6B2026DC0C3D113E6481B0DC4C7B0F3AE7966D38C92C6B5862E
                          Malicious:false
                          Antivirus:
                          • Antivirus: ReversingLabs, Detection: 0%
                          • Antivirus: Virustotal, Detection: 0%
                          Reputation:moderate, very likely benign file
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......../.cXN`0XN`0XN`0XNa0mN`0.A=0UN`0.mP0]N`0.Hf0YN`0.nd0YN`0RichXN`0........................PE..L......K...........!......... ...............0.......................................................................6..k....0.......`.......................p.......................................................0...............................text...G........................... ..`.rdata..k....0......................@..@.data........@......................@....rsrc........`....... ..............@..@.reloc..<....p......."..............@..B................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Users\user\Desktop\7Y18r(199).exe
                          File Type:MS Windows icon resource - 1 icon, 16x16, 32 bits/pixel
                          Category:dropped
                          Size (bytes):1086
                          Entropy (8bit):3.600894799110786
                          Encrypted:false
                          SSDEEP:12:UD/HcIllF1lcqVBn9vSeAdywO9Y84TAXl++YcbsRN:ULHcYLvcq3n9v3AdywQY8208AsRN
                          MD5:AFC64153E21E093F64911BDA4EA628EF
                          SHA1:E5959ABCA67E3F83286FD39BE446AB9CD8B0B525
                          SHA-256:20CEE5342B112C82E8915AE04C78737B852883246C5FD823EEDBC30FD64B8F1E
                          SHA-512:2C82E814F06938D54F16B76BCD2733B98EBF1CE4A91E357D42FEC5404A6F055A2D9F98EDF709383B160F07CACD885EDAFCFE446CF0C2FAC8246A1AB17CAC03FF
                          Malicious:false
                          Reputation:low
                          Preview:............ .(.......(....... ..... ..................................................................................................................5 ..* g....................................................'M-O.o"..a%.B/B.............................................+M1S.j&...%..z&. Y*...U.................................@.+.(\1r.r,...-..t+...+..z,.&]1s............................-V:>$r7...4...5...4.-V6q$s7...8...6.0Y6P......................../Z7]${9...A.!.B.(.@..33.<dHY%.E.!.E.&.B.5a=?....................333..W:,0yD.0.K.;{Nh......t.>.V.0.\.-.W.2.O.:dIB........................f.M.PXPCRRR........._.nCH.n.@.r.=.j.;.[.?hLQU.+.........................................b...Y..N..I.w.A.f.?}S.777.......................................|!k...f..X..S..E.`.111.........................................z..Go..n.._..N.p.................................................u..^p..n..V.y.....................................................l.|Nf...W.u.F.............................................
                          File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                          Entropy (8bit):7.297875112602713
                          TrID:
                          • Win32 Executable (generic) a (10002005/4) 92.16%
                          • NSIS - Nullsoft Scriptable Install System (846627/2) 7.80%
                          • Generic Win/DOS Executable (2004/3) 0.02%
                          • DOS Executable Generic (2002/1) 0.02%
                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                          File name:7Y18r(199).exe
                          File size:86'047 bytes
                          MD5:9d4867440293a300aa47fde46d955d40
                          SHA1:fb7ef415c72441bb661449799f36eb2602d84257
                          SHA256:bffd5fbda2b41386e9022bd0e81e95fe597453a51793302b836d20b1885203f8
                          SHA512:5f55cd9c5ef5ec358b4d1fbdc04c7f7508d0802ba0c48d751747d3d280ddc4bc6deb09a457b1ddb39d7e141c370f82b32f55521a5d2cf5def9b125e6c71c99c1
                          SSDEEP:1536:CiZU91Rzv4f/+LHgmpoM4sXJx4Romu/TIaLI+LwjNOuHdozN0WingZF3qcRXaQ:CiezvrL9oMXJx45JG09ozNXinf8
                          TLSH:7F83D01271C4D837EA9917310D7BD7BACABBCF50016406A36B607F7F1E35242CE2A695
                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......<...x...x...x.......z...x...........i...,...t.......y...Richx...................PE..L......K.................\....9......0.....
                          Icon Hash:0771ccf8d84d2907
                          Entrypoint:0x4030de
                          Entrypoint Section:.text
                          Digitally signed:false
                          Imagebase:0x400000
                          Subsystem:windows gui
                          Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                          DLL Characteristics:TERMINAL_SERVER_AWARE
                          Time Stamp:0x4B1AE3B5 [Sat Dec 5 22:50:29 2009 UTC]
                          TLS Callbacks:
                          CLR (.Net) Version:
                          OS Version Major:4
                          OS Version Minor:0
                          File Version Major:4
                          File Version Minor:0
                          Subsystem Version Major:4
                          Subsystem Version Minor:0
                          Import Hash:7fa974366048f9c551ef45714595665e
                          Instruction
                          sub esp, 00000180h
                          push ebx
                          push ebp
                          push esi
                          xor ebx, ebx
                          push edi
                          mov dword ptr [esp+18h], ebx
                          mov dword ptr [esp+10h], 00409160h
                          xor esi, esi
                          mov byte ptr [esp+14h], 00000020h
                          call dword ptr [00407030h]
                          push 00008001h
                          call dword ptr [004070B0h]
                          push ebx
                          call dword ptr [0040727Ch]
                          push 00000008h
                          mov dword ptr [007A2758h], eax
                          call 00007F467913E1E6h
                          mov dword ptr [007A26A4h], eax
                          push ebx
                          lea eax, dword ptr [esp+34h]
                          push 00000160h
                          push eax
                          push ebx
                          push 0079DC68h
                          call dword ptr [00407158h]
                          push 00409154h
                          push 007A1EA0h
                          call 00007F467913DE99h
                          call dword ptr [004070ACh]
                          mov edi, 007A8000h
                          push eax
                          push edi
                          call 00007F467913DE87h
                          push ebx
                          call dword ptr [0040710Ch]
                          cmp byte ptr [007A8000h], 00000022h
                          mov dword ptr [007A26A0h], eax
                          mov eax, edi
                          jne 00007F467913B5FCh
                          mov byte ptr [esp+14h], 00000022h
                          mov eax, 007A8001h
                          push dword ptr [esp+14h]
                          push eax
                          call 00007F467913D97Ah
                          push eax
                          call dword ptr [0040721Ch]
                          mov dword ptr [esp+1Ch], eax
                          jmp 00007F467913B655h
                          cmp cl, 00000020h
                          jne 00007F467913B5F8h
                          inc eax
                          cmp byte ptr [eax], 00000020h
                          je 00007F467913B5ECh
                          cmp byte ptr [eax], 00000022h
                          mov byte ptr [eax+eax+00h], 00000000h
                          Programming Language:
                          • [EXP] VC++ 6.0 SP5 build 8804
                          Name | Virtual Address | Virtual Size | Is in Section
                          IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_IMPORT | 0x73a4 | 0xb4 | .rdata
                          IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x3b7000 | 0x40a0 | .rsrc
                          IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_IAT | 0x7000 | 0x28c | .rdata
                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                          Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                          .text | 0x1000 | 0x5a2c | 0x5c00 | 5525d73d28606ba0d0bf63419bc6f2d9 | False | 0.6725543478260869 | data | 6.458758913332546 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                          .rdata | 0x7000 | 0x1190 | 0x1200 | a2c7710fa66fcbb43c7ef0ab9eea5e9a | False | 0.4453125 | data | 5.179763757809345 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                          .data | 0x9000 | 0x399798 | 0x400 | 76d3c43f58289bceef3ffe4ae66dc848 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                          .ndata | 0x3a3000 | 0x14000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                          .rsrc | 0x3b7000 | 0x40a0 | 0x4200 | 9c4bb318922e117f5c9757855c38ae1f | False | 0.623342803030303 | data | 5.963555167049198 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                          Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                          RT_ICON | 0x3b72b0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.7213883677298312
                          RT_ICON | 0x3b8358 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2688, 256 important colors | English | United States | 0.6751066098081023
                          RT_ICON | 0x3b9200 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1152, 256 important colors | English | United States | 0.7851985559566786
                          RT_ICON | 0x3b9aa8 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 320, 256 important colors | English | United States | 0.6560693641618497
                          RT_ICON | 0x3ba010 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.8031914893617021
                          RT_ICON | 0x3ba478 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | English | United States | 0.3118279569892473
                          RT_ICON | 0x3ba760 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | United States | 0.36824324324324326
                          RT_DIALOG | 0x3ba888 | 0x202 | data | English | United States | 0.4085603112840467
                          RT_DIALOG | 0x3baa90 | 0xf8 | data | English | United States | 0.6290322580645161
                          RT_DIALOG | 0x3bab88 | 0xee | data | English | United States | 0.6260504201680672
                          RT_GROUP_ICON | 0x3bac78 | 0x68 | data | English | United States | 0.6634615384615384
                          RT_MANIFEST | 0x3bace0 | 0x3be | XML 1.0 document, ASCII text, with very long lines (958), with no line terminators | English | United States | 0.5198329853862212
                          DLL | Imports
                          KERNEL32.dll | CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, GetTickCount, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, GetWindowsDirectoryA, SetFileTime, GetCommandLineA, SetErrorMode, LoadLibraryA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, GetVersion, CloseHandle, lstrcmpiA, lstrcmpA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GetModuleHandleA, LoadLibraryExA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, GetTempPathA
                          USER32.dll | EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, DestroyWindow, CreateDialogParamA, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, OpenClipboard, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow
                          GDI32.dll | SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject
                          SHELL32.dll | SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation
                          ADVAPI32.dll | RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA
                          COMCTL32.dll | ImageList_AddMasked, ImageList_Destroy, ImageList_Create
                          ole32.dll | CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
                          VERSION.dll | GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA
                          Language of compilation system | Country where language is spoken
                          English | United States
                          Timestamp | Protocol | SID | Signature | Source Port | Dest Port | Source IP | Dest IP
                          2024-07-26T02:46:36.149638+0200 | TCP | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 443 | 49723 | 40.68.123.157 | 192.168.2.6
                          2024-07-26T02:45:58.511295+0200 | TCP | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 443 | 49714 | 40.127.169.103 | 192.168.2.6
                          Timestamp | Source Port | Dest Port | Source IP | Dest IP
                          Jul 26, 2024 02:45:39.395611048 CEST | 60191 | 53 | 192.168.2.6 | 1.1.1.1
                          Jul 26, 2024 02:45:39.404827118 CEST | 53 | 60191 | 1.1.1.1 | 192.168.2.6
                          Jul 26, 2024 02:45:39.426804066 CEST | 53346 | 53 | 192.168.2.6 | 1.1.1.1
                          Jul 26, 2024 02:45:39.436580896 CEST | 53 | 53346 | 1.1.1.1 | 192.168.2.6
                          Jul 26, 2024 02:45:51.439908981 CEST | 60334 | 53 | 192.168.2.6 | 1.1.1.1
                          Jul 26, 2024 02:45:51.449980974 CEST | 53 | 60334 | 1.1.1.1 | 192.168.2.6
                          Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                          Jul 26, 2024 02:45:39.395611048 CEST | 192.168.2.6 | 1.1.1.1 | 0xe239 | Standard query (0) | rep.pe-sigh.biz | A (IP address) | IN (0x0001) | false
                          Jul 26, 2024 02:45:39.426804066 CEST | 192.168.2.6 | 1.1.1.1 | 0x31d7 | Standard query (0) | rep.pe-work.biz | A (IP address) | IN (0x0001) | false
                          Jul 26, 2024 02:45:51.439908981 CEST | 192.168.2.6 | 1.1.1.1 | 0xe2c5 | Standard query (0) | rep.pe-rar.biz | A (IP address) | IN (0x0001) | false
                          Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                          Jul 26, 2024 02:45:39.404827118 CEST | 1.1.1.1 | 192.168.2.6 | 0xe239 | Name error (3) | rep.pe-sigh.biz | none | none | A (IP address) | IN (0x0001) | false
                          Jul 26, 2024 02:45:39.436580896 CEST | 1.1.1.1 | 192.168.2.6 | 0x31d7 | Name error (3) | rep.pe-work.biz | none | none | A (IP address) | IN (0x0001) | false
                          Jul 26, 2024 02:45:51.449980974 CEST | 1.1.1.1 | 192.168.2.6 | 0xe2c5 | Name error (3) | rep.pe-rar.biz | none | none | A (IP address) | IN (0x0001) | false

                          Target ID:0
                          Start time:20:45:38
                          Start date:25/07/2024
                          Path:C:\Users\user\Desktop\7Y18r(199).exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Users\user\Desktop\7Y18r(199).exe"
                          Imagebase:0x400000
                          File size:86'047 bytes
                          MD5 hash:9D4867440293A300AA47FDE46D955D40
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:low
                          Has exited:false

                            Execution Graph

                            Execution Coverage:17.6%
                            Dynamic/Decrypted Code Coverage:0%
                            Signature Coverage:20.9%
                            Total number of Nodes:1477
                            Total number of Limit Nodes:35
                            execution_graph 4032 10001000 4033 10001007 SendMessageA 4032->4033 4034 1000101c 4032->4034 4033->4034 4035 10001480 4041 100013c6 GetPropA 4035->4041 4038 100014c6 4039 10001495 LoadCursorA SetCursor 4039->4038 4040 100014ae CallWindowProcA 4040->4038 4042 100013d9 4041->4042 4042->4038 4042->4039 4042->4040 4043 10001d01 4044 10001fc2 2 API calls 4043->4044 4045 10001d06 4044->4045 4046 401cc1 GetDlgItem GetClientRect 4047 4029f6 18 API calls 4046->4047 4048 401cf1 LoadImageA SendMessageA 4047->4048 4049 40288b 4048->4049 4050 401d0f DeleteObject 4048->4050 4050->4049 4051 401dc1 4052 4029f6 18 API calls 4051->4052 4053 401dc7 4052->4053 4054 4029f6 18 API calls 4053->4054 4055 401dd0 4054->4055 4056 4029f6 18 API calls 4055->4056 4057 401dd9 4056->4057 4058 4029f6 18 API calls 4057->4058 4059 401de2 4058->4059 4060 401423 25 API calls 4059->4060 4061 401de9 ShellExecuteA 4060->4061 4062 401e16 4061->4062 4063 401645 4064 4029f6 18 API calls 4063->4064 4065 40164c 4064->4065 4066 4029f6 18 API calls 4065->4066 4067 401655 4066->4067 4068 4029f6 18 API calls 4067->4068 4069 40165e MoveFileA 4068->4069 4070 401671 4069->4070 4076 40166a 4069->4076 4071 405ceb 2 API calls 4070->4071 4074 402169 4070->4074 4073 401680 4071->4073 4072 401423 25 API calls 4072->4074 4073->4074 4075 40573e 38 API calls 4073->4075 4075->4076 4076->4072 4077 401ec5 4078 4029f6 18 API calls 4077->4078 4079 401ecc GetFileVersionInfoSizeA 4078->4079 4080 401f45 4079->4080 4081 401eef GlobalAlloc 4079->4081 4081->4080 4082 401f03 GetFileVersionInfoA 4081->4082 4082->4080 4083 401f14 VerQueryValueA 4082->4083 4083->4080 4084 401f2d 4083->4084 4088 40594e wsprintfA 4084->4088 4086 401f39 4089 40594e wsprintfA 4086->4089 4088->4086 4089->4080 4090 6e5a1350 4091 6e5a1391 GlobalAlloc 4090->4091 4097 6e5a1414 4091->4097 4093 6e5a13ed GlobalFree 4094 6e5a13a4 4094->4093 4095 6e5a13cd 4094->4095 4096 6e5a13c2 GlobalFree 4094->4096 4095->4093 4098 6e5a144d 4097->4098 4099 
6e5a141e 4097->4099 4098->4094 4099->4098 4100 6e5a142b lstrcpyA 4099->4100 4101 6e5a143e GlobalFree 4099->4101 4100->4101 4101->4098 4102 6e5a12d0 4103 6e5a1312 wsprintfA 4102->4103 4106 6e5a1454 4103->4106 4107 6e5a145d GlobalAlloc lstrcpynA 4106->4107 4108 6e5a1334 4106->4108 4107->4108 4109 4014ca 4110 404d8e 25 API calls 4109->4110 4111 4014d1 4110->4111 4112 404ecc 4113 405078 4112->4113 4114 404eed GetDlgItem GetDlgItem GetDlgItem 4112->4114 4116 405081 GetDlgItem CreateThread CloseHandle 4113->4116 4118 4050a9 4113->4118 4158 403dd7 SendMessageA 4114->4158 4116->4118 4117 4050d4 4121 405132 4117->4121 4124 4050e5 4117->4124 4125 40510b ShowWindow 4117->4125 4118->4117 4119 4050c0 ShowWindow ShowWindow 4118->4119 4120 4050f6 4118->4120 4160 403dd7 SendMessageA 4119->4160 4126 403e09 8 API calls 4120->4126 4121->4120 4128 40513d SendMessageA 4121->4128 4122 404f5e 4127 404f65 GetClientRect GetSystemMetrics SendMessageA SendMessageA 4122->4127 4129 403d7b SendMessageA 4124->4129 4131 40512b 4125->4131 4132 40511d 4125->4132 4130 405104 4126->4130 4133 404fd4 4127->4133 4134 404fb8 SendMessageA SendMessageA 4127->4134 4128->4130 4135 405156 CreatePopupMenu 4128->4135 4129->4120 4139 403d7b SendMessageA 4131->4139 4138 404d8e 25 API calls 4132->4138 4136 404fe7 4133->4136 4137 404fd9 SendMessageA 4133->4137 4134->4133 4140 405a12 18 API calls 4135->4140 4141 403da2 19 API calls 4136->4141 4137->4136 4138->4131 4139->4121 4142 405166 AppendMenuA 4140->4142 4143 404ff7 4141->4143 4144 405179 GetWindowRect 4142->4144 4145 40518c 4142->4145 4146 405000 ShowWindow 4143->4146 4147 405034 GetDlgItem SendMessageA 4143->4147 4148 405195 TrackPopupMenu 4144->4148 4145->4148 4149 405023 4146->4149 4150 405016 ShowWindow 4146->4150 4147->4130 4151 40505b SendMessageA SendMessageA 4147->4151 4148->4130 4152 4051b3 4148->4152 4159 403dd7 SendMessageA 4149->4159 4150->4149 4151->4130 4153 4051cf SendMessageA 4152->4153 4153->4153 4155 4051ec OpenClipboard EmptyClipboard 
GlobalAlloc GlobalLock 4153->4155 4156 40520e SendMessageA 4155->4156 4156->4156 4157 40522f GlobalUnlock SetClipboardData CloseClipboard 4156->4157 4157->4130 4158->4122 4159->4147 4160->4117 4161 4025cc 4162 4025d3 4161->4162 4164 402838 4161->4164 4163 4029d9 18 API calls 4162->4163 4165 4025de 4163->4165 4166 4025e5 SetFilePointer 4165->4166 4166->4164 4167 4025f5 4166->4167 4169 40594e wsprintfA 4167->4169 4169->4164 3938 4038cf 3939 403a22 3938->3939 3940 4038e7 3938->3940 3942 403a73 3939->3942 3943 403a33 GetDlgItem GetDlgItem 3939->3943 3940->3939 3941 4038f3 3940->3941 3944 403911 3941->3944 3945 4038fe SetWindowPos 3941->3945 3947 403acd 3942->3947 3952 401389 2 API calls 3942->3952 3946 403da2 19 API calls 3943->3946 3949 403916 ShowWindow 3944->3949 3950 40392e 3944->3950 3945->3944 3951 403a5d SetClassLongA 3946->3951 3948 403dee SendMessageA 3947->3948 3953 403a1d 3947->3953 3976 403adf 3948->3976 3949->3950 3954 403950 3950->3954 3955 403936 DestroyWindow 3950->3955 3956 40140b 2 API calls 3951->3956 3957 403aa5 3952->3957 3959 403955 SetWindowLongA 3954->3959 3960 403966 3954->3960 3958 403d4c 3955->3958 3956->3942 3957->3947 3963 403aa9 SendMessageA 3957->3963 3958->3953 3969 403d5c ShowWindow 3958->3969 3959->3953 3961 403972 GetDlgItem 3960->3961 3962 403a0f 3960->3962 3966 4039a2 3961->3966 3967 403985 SendMessageA IsWindowEnabled 3961->3967 4018 403e09 3962->4018 3963->3953 3964 40140b 2 API calls 3964->3976 3965 403d2d DestroyWindow EndDialog 3965->3958 3971 4039af 3966->3971 3972 4039f6 SendMessageA 3966->3972 3973 4039c2 3966->3973 3983 4039a7 3966->3983 3967->3953 3967->3966 3969->3953 3970 405a12 18 API calls 3970->3976 3971->3972 3971->3983 3972->3962 3977 4039ca 3973->3977 3978 4039df 3973->3978 3975 403da2 19 API calls 3975->3976 3976->3953 3976->3964 3976->3965 3976->3970 3976->3975 3999 403c6d DestroyWindow 3976->3999 4009 403da2 3976->4009 3981 40140b 2 API calls 3977->3981 3980 40140b 2 API calls 3978->3980 3979 4039dd 3979->3962 
3982 4039e6 3980->3982 3981->3983 3982->3962 3982->3983 4015 403d7b 3983->4015 3985 403b5a GetDlgItem 3986 403b77 ShowWindow KiUserCallbackDispatcher 3985->3986 3987 403b6f 3985->3987 4012 403dc4 EnableWindow 3986->4012 3987->3986 3989 403ba1 EnableWindow 3992 403bb5 3989->3992 3990 403bba GetSystemMenu EnableMenuItem SendMessageA 3991 403bea SendMessageA 3990->3991 3990->3992 3991->3992 3992->3990 4013 403dd7 SendMessageA 3992->4013 4014 4059f0 lstrcpynA 3992->4014 3995 403c18 lstrlenA 3996 405a12 18 API calls 3995->3996 3997 403c29 SetWindowTextA 3996->3997 3998 401389 2 API calls 3997->3998 3998->3976 3999->3958 4000 403c87 CreateDialogParamA 3999->4000 4000->3958 4001 403cba 4000->4001 4002 403da2 19 API calls 4001->4002 4003 403cc5 GetDlgItem GetWindowRect ScreenToClient SetWindowPos 4002->4003 4004 401389 2 API calls 4003->4004 4005 403d0b 4004->4005 4005->3953 4006 403d13 ShowWindow 4005->4006 4007 403dee SendMessageA 4006->4007 4008 403d2b 4007->4008 4008->3958 4010 405a12 18 API calls 4009->4010 4011 403dad SetDlgItemTextA 4010->4011 4011->3985 4012->3989 4013->3992 4014->3995 4016 403d82 4015->4016 4017 403d88 SendMessageA 4015->4017 4016->4017 4017->3979 4019 403e21 GetWindowLongA 4018->4019 4020 403eaa 4018->4020 4019->4020 4021 403e32 4019->4021 4020->3953 4022 403e41 GetSysColor 4021->4022 4023 403e44 4021->4023 4022->4023 4024 403e54 SetBkMode 4023->4024 4025 403e4a SetTextColor 4023->4025 4026 403e72 4024->4026 4027 403e6c GetSysColor 4024->4027 4025->4024 4028 403e83 4026->4028 4029 403e79 SetBkColor 4026->4029 4027->4026 4028->4020 4030 403e96 DeleteObject 4028->4030 4031 403e9d CreateBrushIndirect 4028->4031 4029->4028 4030->4031 4031->4020 3255 401f51 3256 401f63 3255->3256 3266 402012 3255->3266 3278 4029f6 3256->3278 3258 401423 25 API calls 3264 402169 3258->3264 3260 4029f6 18 API calls 3261 401f73 3260->3261 3262 401f88 LoadLibraryExA 3261->3262 3263 401f7b GetModuleHandleA 3261->3263 3265 401f98 GetProcAddress 3262->3265 3262->3266 
3263->3262 3263->3265 3267 401fe5 3265->3267 3268 401fa8 3265->3268 3266->3258 3334 404d8e 3267->3334 3269 401fb0 3268->3269 3270 401fc7 3268->3270 3331 401423 3269->3331 3284 10001855 GetProcessHeap HeapAlloc 3270->3284 3315 10001759 3270->3315 3324 10001c59 SendMessageA ShowWindow 3270->3324 3273 401fb8 3273->3264 3274 402006 FreeLibrary 3273->3274 3274->3264 3279 402a02 3278->3279 3345 405a12 3279->3345 3282 401f6a 3282->3260 3285 1000189a 3284->3285 3286 1000188b 3284->3286 3385 10001dd9 3285->3385 3407 10001e27 3286->3407 3290 10001b1e 3290->3273 3291 100018d7 3292 10001e27 2 API calls 3291->3292 3294 100018e1 GetProcessHeap 3292->3294 3293 100018a2 3293->3291 3390 10001252 GetClientRect 3293->3390 3295 10001b17 HeapFree 3294->3295 3295->3290 3297 100018cb 3298 10001dd9 2 API calls 3297->3298 3299 100018d3 3298->3299 3299->3291 3300 100018eb GetProcessHeap HeapReAlloc lstrcmpiA 3299->3300 3301 10001946 lstrcmpiA 3300->3301 3312 1000192b 3300->3312 3302 1000196d lstrcmpiA 3301->3302 3301->3312 3303 10001994 lstrcmpiA 3302->3303 3302->3312 3304 100019bb lstrcmpiA 3303->3304 3303->3312 3306 100019df lstrcmpiA 3304->3306 3304->3312 3305 10001a66 lstrcmpiA 3307 10001a72 3305->3307 3308 10001a77 CreateWindowExA SetPropA SendMessageA SendMessageA 3305->3308 3311 10001a03 lstrcmpiA 3306->3311 3306->3312 3307->3308 3309 10001b06 GetProcessHeap 3308->3309 3310 10001aeb SetWindowLongA 3308->3310 3309->3295 3310->3309 3311->3312 3313 10001a27 lstrcmpiA 3311->3313 3312->3305 3313->3312 3316 1000178a 3315->3316 3417 10001fc2 3316->3417 3318 1000179e GetDlgItem GetWindowRect MapWindowPoints CreateDialogParamA 3319 100017eb SetWindowPos SetWindowLongA GetProcessHeap HeapAlloc 3318->3319 3320 100017df 3318->3320 3322 1000184e 3319->3322 3321 10001e27 2 API calls 3320->3321 3323 100017e9 3321->3323 3322->3273 3323->3322 3325 10001c8d 3324->3325 3326 10001cde SetWindowLongA 3324->3326 3327 10001c94 KiUserCallbackDispatcher IsDialogMessageA 3325->3327 3330 10001cdd 3325->3330 
calls 4891->4893 4895 4024ca 4892->4895 4894 4024db lstrlenA 4893->4894 4894->4895 4896 4024fa WriteFile 4895->4896 4897 40265c 4895->4897 4896->4897

                            Control-flow Graph
                            [Control-flow graph of function 004030DE (entry block 004030DE-00403173), rendered in the original report as an interactive graph with executed / not executed block colouring; the edge list is not reproduced here]
                            APIs
                            • #17.COMCTL32 ref: 004030FD
                            • SetErrorMode.KERNELBASE(00008001), ref: 00403108
                            • OleInitialize.OLE32(00000000), ref: 0040310F
                              • Part of subcall function 00405D12: GetModuleHandleA.KERNEL32(?,?,00000000,00403121,00000008), ref: 00405D24
                              • Part of subcall function 00405D12: LoadLibraryA.KERNELBASE(?,?,00000000,00403121,00000008), ref: 00405D2F
                              • Part of subcall function 00405D12: GetProcAddress.KERNEL32(00000000,?), ref: 00405D40
                            • SHGetFileInfoA.SHELL32(0079DC68,00000000,?,00000160,00000000,00000008), ref: 00403137
                              • Part of subcall function 004059F0: lstrcpynA.KERNEL32(?,?,00000400,0040314C,Mount and blade warband versio Setup,NSIS Error), ref: 004059FD
                            • GetCommandLineA.KERNEL32(Mount and blade warband versio Setup,NSIS Error), ref: 0040314C
                            • GetModuleHandleA.KERNEL32(00000000,"C:\Users\user\Desktop\7Y18r(199).exe",00000000), ref: 0040315F
                            • CharNextA.USER32(00000000,"C:\Users\user\Desktop\7Y18r(199).exe",00000020), ref: 0040318A
                            • GetTempPathA.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020), ref: 0040321D
                            • GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 00403232
                            • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 0040323E
                            • DeleteFileA.KERNELBASE(1033), ref: 00403251
                            • OleUninitialize.OLE32(00000000), ref: 004032CF
                            • ExitProcess.KERNEL32 ref: 004032EF
                            • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu.tmp,"C:\Users\user\Desktop\7Y18r(199).exe",00000000,00000000), ref: 004032FB
                            • lstrcmpiA.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop), ref: 00403307
                            • CreateDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,00000000), ref: 00403313
                            • SetCurrentDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\), ref: 0040331A
                            • DeleteFileA.KERNEL32(0079D868,0079D868,?,007A3000,?), ref: 00403364
                            • CopyFileA.KERNEL32(C:\Users\user\Desktop\7Y18r(199).exe,0079D868,00000001), ref: 00403378
                            • CloseHandle.KERNEL32(00000000,0079D868,0079D868,?,0079D868,00000000), ref: 004033A5
                            • GetCurrentProcess.KERNEL32(00000028,?,00000005,00000004,00000003), ref: 004033FA
                            • ExitWindowsEx.USER32(00000002,00000000), ref: 00403436
                            • ExitProcess.KERNEL32 ref: 00403459
                            Memory Dump Source
                            • Source File: 00000000.00000002.3357962289.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.3357942440.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3357981131.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.000000000077A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000780000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000784000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000788000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.000000000078D000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000795000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007A0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007A5000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007A8000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358382659.00000000007B7000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_7Y18r(199).jbxd
                            Similarity
                            • API ID: File$DirectoryExitHandleProcess$CurrentDeleteModuleWindowslstrcat$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextPathProcTempUninitializelstrcmpilstrcpyn
                            • String ID: /D=$ _?=$"$"C:\Users\user\Desktop\7Y18r(199).exe"$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nshD690.tmp$C:\Users\user\Desktop$C:\Users\user\Desktop\7Y18r(199).exe$Error launching installer$Mount and blade warband versio Setup$NCRC$NSIS Error$SeShutdownPrivilege$\Temp$~nsu.tmp
                            • API String ID: 2278157092-2543921284
                            • Opcode ID: 9f750081e11f88a8e12691a1a1ef9b03ca910f69a9f52a3bad1054baabe69759
                            • Instruction ID: c06640ca20332521aa721382e66be8e1b76ebde20c67774dcdc9df0bee368a25
                            • Opcode Fuzzy Hash: 9f750081e11f88a8e12691a1a1ef9b03ca910f69a9f52a3bad1054baabe69759
                            • Instruction Fuzzy Hash: 0C91D171908341AEE7216F619C49B2B7EACEF46306F04457EF542B61D2CB7C8A058B6F

                            Control-flow Graph

                            APIs
                            • GetProcessHeap.KERNEL32(00000008,?), ref: 1000186E
                            • HeapAlloc.KERNEL32(00000000), ref: 10001871
                            • GetProcessHeap.KERNEL32(00000000,00000000,error,00000000,00000000), ref: 100018E4
                            • HeapFree.KERNEL32(00000000), ref: 10001B18
                              • Part of subcall function 10001E27: GlobalAlloc.KERNEL32(00000040,?,?,100010BE,error,?,00000104), ref: 10001E3C
                              • Part of subcall function 10001E27: lstrcpynA.KERNEL32(00000004,?,?,100010BE,error,?,00000104), ref: 10001E52
                            Memory Dump Source
                            • Source File: 00000000.00000002.3358809541.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true
                            • Associated: 00000000.00000002.3358795936.0000000010000000.00000002.00000001.01000000.00000005.sdmp
                            • Associated: 00000000.00000002.3358823763.0000000010003000.00000002.00000001.01000000.00000005.sdmp
                            • Associated: 00000000.00000002.3358837265.0000000010004000.00000008.00000001.01000000.00000005.sdmp
                            • Associated: 00000000.00000002.3358850867.0000000010007000.00000002.00000001.01000000.00000005.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_10000000_7Y18r(199).jbxd
                            Similarity
                            • API ID: Heap$AllocProcess$FreeGloballstrcpyn
                            • String ID: BUTTON$COMBOBOX$EDIT$LINK$LISTBOX$NSIS: nsControl pointer property$RICHEDIT_CLASS$RichEdit$STATIC$error
                            • API String ID: 1913068523-3375361224
                            • Opcode ID: be3b3b4c4983e11dc1b5c33d61b0f8411bea3997500eba5d3c8a15e298a32339
                            • Instruction ID: 57bf1a15009ea8118c4abf9dc258b68912d7113ae57ceda1fee72d940ab8fc2c
                            • Opcode Fuzzy Hash: be3b3b4c4983e11dc1b5c33d61b0f8411bea3997500eba5d3c8a15e298a32339
                            • Instruction Fuzzy Hash: 57812BB2900219ABF711DBA4CD84FDEBBFCEB043C5F128025EA05B7159DB35A9448BA4

                            Control-flow Graph
                            [Control-flow graph of function 00405315 (entry block 00405315-00405330), rendered in the original report as an interactive graph with executed / not executed block colouring; the edge list is not reproduced here]
                            APIs
                            • DeleteFileA.KERNELBASE(?,?,"C:\Users\user\Desktop\7Y18r(199).exe",00000000), ref: 00405333
                            • lstrcatA.KERNEL32(0079FCB8,\*.*,0079FCB8,?,00000000,?,"C:\Users\user\Desktop\7Y18r(199).exe",00000000), ref: 0040537D
                            • lstrcatA.KERNEL32(?,00409010,?,0079FCB8,?,00000000,?,"C:\Users\user\Desktop\7Y18r(199).exe",00000000), ref: 0040539E
                            • lstrlenA.KERNEL32(?,?,00409010,?,0079FCB8,?,00000000,?,"C:\Users\user\Desktop\7Y18r(199).exe",00000000), ref: 004053A4
                            • FindFirstFileA.KERNEL32(0079FCB8,?,?,?,00409010,?,0079FCB8,?,00000000,?,"C:\Users\user\Desktop\7Y18r(199).exe",00000000), ref: 004053B5
                            • FindNextFileA.KERNEL32(?,00000010,000000F2,?), ref: 00405467
                            • FindClose.KERNEL32(?), ref: 00405478
                            Strings
                            • "C:\Users\user\Desktop\7Y18r(199).exe", xrefs: 0040531F
                            • \*.*, xrefs: 00405377
                            • C:\Users\user\AppData\Local\Temp\, xrefs: 00405315
                            Memory Dump Source
                            • Source File: 00000000.00000002.3357962289.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_7Y18r(199).jbxd
                            Similarity
                            • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                            • String ID: "C:\Users\user\Desktop\7Y18r(199).exe"$C:\Users\user\AppData\Local\Temp\$\*.*
                            • API String ID: 2035342205-198363691
                            • Opcode ID: 39e34597e89103f40bf303ae304e277a2ff0d6451d3761f652cf1e448691c31d
                            • Instruction ID: 9b04dac29dcc4b4d84644a0af4332dd3e6e05df14bb309c03d787920b78b00af
                            • Opcode Fuzzy Hash: 39e34597e89103f40bf303ae304e277a2ff0d6451d3761f652cf1e448691c31d
                            • Instruction Fuzzy Hash: B151B030904A446ACB226B219C45BFF3B68DF42766F14817BFD01B51D2D77C49829F6A
                            APIs
                            • FindFirstFileA.KERNELBASE(?,007A0D00,C:\Users\user\AppData\Local\Temp\nshD690.tmp,00405607,C:\Users\user\AppData\Local\Temp\nshD690.tmp,C:\Users\user\AppData\Local\Temp\nshD690.tmp,00000000,C:\Users\user\AppData\Local\Temp\nshD690.tmp,C:\Users\user\AppData\Local\Temp\nshD690.tmp,?,?,00000000,00405329,?,"C:\Users\user\Desktop\7Y18r(199).exe",00000000), ref: 00405CF6
                            • FindClose.KERNEL32(00000000), ref: 00405D02
                            Strings
                            • C:\Users\user\AppData\Local\Temp\nshD690.tmp, xrefs: 00405CEB
                            Memory Dump Source
                            • Source File: 00000000.00000002.3357962289.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_7Y18r(199).jbxd
                            Similarity
                            • API ID: Find$CloseFileFirst
                            • String ID: C:\Users\user\AppData\Local\Temp\nshD690.tmp
                            • API String ID: 2295610775-1590289044
                            • Opcode ID: ce619e3c0cd93535cf82cb93458e8bfb31a69e78f8762b28985b7a15ca56ae2d
                            • Instruction ID: 527a2f3a2d8314a1ee48294a06c0a1317b7b9df5ccf63707559f0611b6390efd
                            • Opcode Fuzzy Hash: ce619e3c0cd93535cf82cb93458e8bfb31a69e78f8762b28985b7a15ca56ae2d
                            • Instruction Fuzzy Hash: B2D0C9319195206BC2001B686C0C94B6A58EF45330B209B32B02AE22E0C2349C518AA9
                            APIs
                            • GetModuleHandleA.KERNEL32(?,?,00000000,00403121,00000008), ref: 00405D24
                            • LoadLibraryA.KERNELBASE(?,?,00000000,00403121,00000008), ref: 00405D2F
                            • GetProcAddress.KERNEL32(00000000,?), ref: 00405D40
                            Memory Dump Source
                            • Source File: 00000000.00000002.3357962289.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_7Y18r(199).jbxd
                            Similarity
                            • API ID: AddressHandleLibraryLoadModuleProc
                            • String ID:
                            • API String ID: 310444273-0
                            • Opcode ID: 7acfb344228b968400b962badda7c36266698eee5c55508006b44164a923ef80
                            • Instruction ID: e428d20ee9bf7b263dfbdc6b1eaa460cc0a746502d73873f4fda876fa73e4f8f
                            • Opcode Fuzzy Hash: 7acfb344228b968400b962badda7c36266698eee5c55508006b44164a923ef80
                            • Instruction Fuzzy Hash: 10E08C36A04510BBD3215F209E0896B73A8EEDAB40300487EF615F6251D734AC11DFBA

                            Control-flow Graph
                            [Control-flow graph of function 004038CF (entry block 004038CF-004038E1), rendered in the original report as an interactive graph with executed / not executed block colouring; the edge list is not reproduced here]
                            APIs
                            • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 0040390B
                            • ShowWindow.USER32(?), ref: 00403928
                            • DestroyWindow.USER32 ref: 0040393C
                            • SetWindowLongA.USER32(?,00000000,00000000), ref: 00403958
                            • GetDlgItem.USER32(?,?), ref: 00403979
                            • SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 0040398D
                            • IsWindowEnabled.USER32(00000000), ref: 00403994
                            • GetDlgItem.USER32(?,00000001), ref: 00403A42
                            • GetDlgItem.USER32(?,00000002), ref: 00403A4C
                            • SetClassLongA.USER32(?,000000F2,?), ref: 00403A66
                            • SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00403AB7
                            • GetDlgItem.USER32(?,00000003), ref: 00403B5D
                            • ShowWindow.USER32(00000000,?), ref: 00403B7E
                            • KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403B90
                            • EnableWindow.USER32(?,?), ref: 00403BAB
                            • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403BC1
                            • EnableMenuItem.USER32(00000000), ref: 00403BC8
                            • SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00403BE0
                            • SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403BF3
                            • lstrlenA.KERNEL32(0079ECB0,?,0079ECB0,Mount and blade warband versio Setup), ref: 00403C1C
                            • SetWindowTextA.USER32(?,0079ECB0), ref: 00403C2B
                            • ShowWindow.USER32(?,0000000A), ref: 00403D5F
                            Strings
                            • Mount and blade warband versio Setup, xrefs: 00403C0D
                            Memory Dump Source
                            • Source File: 00000000.00000002.3357962289.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000000.00000002.3357942440.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3357981131.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3358003440.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3358003440.000000000077A000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3358003440.0000000000780000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3358003440.0000000000784000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3358003440.0000000000788000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3358003440.000000000078D000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3358003440.0000000000795000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3358003440.00000000007A0000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3358003440.00000000007A5000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3358003440.00000000007A8000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3358003440.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3358003440.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3358003440.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3358382659.00000000007B7000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_7Y18r(199).jbxd
                            Similarity
                            • API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
                            • String ID: Mount and blade warband versio Setup
                            • API String ID: 3282139019-1737275860
                            • Opcode ID: 3ba9eb501cf0afc309b9a9b698dd50e1597eb940e8c2df81ce24b8b22047d6b2
                            • Instruction ID: 6b3114fe654f1d3c4f51374485ef09311043e0f3346464a3226604b80c41a106
                            • Opcode Fuzzy Hash: 3ba9eb501cf0afc309b9a9b698dd50e1597eb940e8c2df81ce24b8b22047d6b2
                            • Instruction Fuzzy Hash: BCC1B071904204BFEB216F25ED85E2B3E6CEB45706F00453EF541B51E1C67DA9429B2E

                            Control-flow Graph

                            APIs
                              • Part of subcall function 00405D12: GetModuleHandleA.KERNEL32(?,?,00000000,00403121,00000008), ref: 00405D24
                              • Part of subcall function 00405D12: LoadLibraryA.KERNELBASE(?,?,00000000,00403121,00000008), ref: 00405D2F
                              • Part of subcall function 00405D12: GetProcAddress.KERNEL32(00000000,?), ref: 00405D40
                            • lstrcatA.KERNEL32(1033,0079ECB0,80000001,Control Panel\Desktop\ResourceLocale,00000000,0079ECB0,00000000,00000006,"C:\Users\user\Desktop\7Y18r(199).exe",00000000,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004035AA
                            • lstrlenA.KERNEL32(0x000C,?,?,?,0x000C,00000000,007A8400,1033,0079ECB0,80000001,Control Panel\Desktop\ResourceLocale,00000000,0079ECB0,00000000,00000006,"C:\Users\user\Desktop\7Y18r(199).exe"), ref: 0040361F
                            • lstrcmpiA.KERNEL32(?,.exe), ref: 00403632
                            • GetFileAttributesA.KERNEL32(0x000C), ref: 0040363D
                            • LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,007A8400), ref: 00403686
                              • Part of subcall function 0040594E: wsprintfA.USER32 ref: 0040595B
                            • RegisterClassA.USER32 ref: 004036CD
                            • SystemParametersInfoA.USER32(00000030,00000000,_Nb,00000000), ref: 004036E5
                            • CreateWindowExA.USER32(00000080,?,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 0040371E
                            • ShowWindow.USER32(00000005,00000000), ref: 00403754
                            • LoadLibraryA.KERNELBASE(RichEd20), ref: 00403765
                            • LoadLibraryA.KERNEL32(RichEd32), ref: 00403770
                            • GetClassInfoA.USER32(00000000,RichEdit20A,007A1E40), ref: 00403780
                            • GetClassInfoA.USER32(00000000,RichEdit,007A1E40), ref: 0040378D
                            • RegisterClassA.USER32(007A1E40), ref: 00403796
                            • DialogBoxParamA.USER32(?,00000000,004038CF,00000000), ref: 004037B5
                            Memory Dump Source
                            • Source File: 00000000.00000002.3357962289.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_7Y18r(199).jbxd
                            Similarity
                            • API ID: ClassLoad$InfoLibrary$RegisterWindow$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                            • String ID: "C:\Users\user\Desktop\7Y18r(199).exe"$.DEFAULT\Control Panel\International$.exe$0x000C$1033$C:\Users\user\AppData\Local\Temp\$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
                            • API String ID: 914957316-3921948846
                            • Opcode ID: e3e8f5651e9638ab8791dadec6b49b02216067b49f459946b0461f03917a9e21
                            • Instruction ID: 6e10fd4a81438f6e6dfae107f56132375d5ac2fbc20d0bfcde5cb54349fbbce2
                            • Opcode Fuzzy Hash: e3e8f5651e9638ab8791dadec6b49b02216067b49f459946b0461f03917a9e21
                            • Instruction Fuzzy Hash: 9A61C2B0544240BEE620AF659C45E2B3AADEB81746F44853FF941B62E2D67C9D018B3E

                            Control-flow Graph

                            APIs
                            • GetTickCount.KERNEL32 ref: 00402C33
                            • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\7Y18r(199).exe,00000400), ref: 00402C4F
                              • Part of subcall function 004056C7: GetFileAttributesA.KERNELBASE(00000003,00402C62,C:\Users\user\Desktop\7Y18r(199).exe,80000000,00000003), ref: 004056CB
                              • Part of subcall function 004056C7: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 004056ED
                            • GetFileSize.KERNEL32(00000000,00000000,007AA000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\7Y18r(199).exe,C:\Users\user\Desktop\7Y18r(199).exe,80000000,00000003), ref: 00402C9B
                            Memory Dump Source
                            • Source File: 00000000.00000002.3357962289.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_7Y18r(199).jbxd
                            Similarity
                            • API ID: File$AttributesCountCreateModuleNameSizeTick
                            • String ID: "C:\Users\user\Desktop\7Y18r(199).exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\7Y18r(199).exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$`Xy$soft
                            • API String ID: 4283519449-2967927924
                            • Opcode ID: fa98c6f18a0da3153c00bfc8c1a4b8a051aecf58ec2d25405f8c332eb4502544
                            • Instruction ID: cc4cd2eb48b7f85ac47b3683ce8d7c63e5a23dd5f55c69fb5b50f15ec9442a45
                            • Opcode Fuzzy Hash: fa98c6f18a0da3153c00bfc8c1a4b8a051aecf58ec2d25405f8c332eb4502544
                            • Instruction Fuzzy Hash: C9510271941214ABDB109F64CE89BAE7BA8EF04319F10413BF905B62D1D7BC9E418BAD

                            Control-flow Graph

                            APIs
                            • lstrcatA.KERNEL32(00000000,00000000,UnsetEventHandler,C:\Users\user\AppData\Local\Temp\nshD690.tmp,00000000,00000000,00000031), ref: 00401773
                            • CompareFileTime.KERNEL32(-00000014,?,UnsetEventHandler,UnsetEventHandler,00000000,00000000,UnsetEventHandler,C:\Users\user\AppData\Local\Temp\nshD690.tmp,00000000,00000000,00000031), ref: 0040179D
                              • Part of subcall function 004059F0: lstrcpynA.KERNEL32(?,?,00000400,0040314C,Mount and blade warband versio Setup,NSIS Error), ref: 004059FD
                              • Part of subcall function 00404D8E: lstrlenA.KERNEL32(0079E488,00000000,0078EA58,00789858,?,?,?,?,?,?,?,?,?,00402F95,00000000,?), ref: 00404DC7
                              • Part of subcall function 00404D8E: lstrlenA.KERNEL32(00402F95,0079E488,00000000,0078EA58,00789858,?,?,?,?,?,?,?,?,?,00402F95,00000000), ref: 00404DD7
                              • Part of subcall function 00404D8E: lstrcatA.KERNEL32(0079E488,00402F95,00402F95,0079E488,00000000,0078EA58,00789858), ref: 00404DEA
                              • Part of subcall function 00404D8E: SetWindowTextA.USER32(0079E488,0079E488), ref: 00404DFC
                              • Part of subcall function 00404D8E: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404E22
                              • Part of subcall function 00404D8E: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404E3C
                              • Part of subcall function 00404D8E: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404E4A
                            Memory Dump Source
                            • Source File: 00000000.00000002.3357962289.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_7Y18r(199).jbxd
                            Similarity
                            • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                            • String ID: C:\Users\user\AppData\Local\Temp\nshD690.tmp$C:\Users\user\AppData\Local\Temp\nshD690.tmp$C:\Users\user\AppData\Local\Temp\nshD690.tmp\ButtonEvent.dll$UnsetEventHandler
                            • API String ID: 1941528284-1634257925
                            • Opcode ID: 2220008d2c52789995b0f2990e4752600f40ee43621458507400723a4dd63d38
                            • Instruction ID: 56661b9a40de4e3363eb15decf6dedf1de64afe9537ef87c3932afdeb7d66f88
                            • Opcode Fuzzy Hash: 2220008d2c52789995b0f2990e4752600f40ee43621458507400723a4dd63d38
                            • Instruction Fuzzy Hash: AE41E771900515BACF10BBB5CD85EAF3A69EF42328B20433BF515F10E2D63C8A419E6D

                            Control-flow Graph

                            APIs
                            • GetDlgItem.USER32(?,00000000), ref: 100017A0
                            • GetWindowRect.USER32(00000000,?), ref: 100017AB
                            • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 100017BB
                            • CreateDialogParamA.USER32(00000001,?,100014CA,00000000), ref: 100017D0
                            • SetWindowPos.USER32(00000000,00000000,?,?,?,?,00000014), ref: 10001803
                            • SetWindowLongA.USER32(?,00000004,100013FB), ref: 10001811
                            • GetProcessHeap.KERNEL32(00000008,00000000), ref: 1000182B
                            • HeapAlloc.KERNEL32(00000000), ref: 10001832
                              • Part of subcall function 10001E27: GlobalAlloc.KERNEL32(00000040,?,?,100010BE,error,?,00000104), ref: 10001E3C
                              • Part of subcall function 10001E27: lstrcpynA.KERNEL32(00000004,?,?,100010BE,error,?,00000104), ref: 10001E52
                            Memory Dump Source
                            • Source File: 00000000.00000002.3358809541.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true
                             • Associated: 00000000.00000002.3358795936.0000000010000000.00000002.00000001.01000000.00000005.sdmp
                             • Associated: 00000000.00000002.3358823763.0000000010003000.00000002.00000001.01000000.00000005.sdmp
                             • Associated: 00000000.00000002.3358837265.0000000010004000.00000008.00000001.01000000.00000005.sdmp
                             • Associated: 00000000.00000002.3358850867.0000000010007000.00000002.00000001.01000000.00000005.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_10000000_7Y18r(199).jbxd
                            Similarity
                            • API ID: Window$AllocHeap$CreateDialogGlobalItemLongParamPointsProcessRectlstrcpyn
                            • String ID: error
                            • API String ID: 1928716940-1574812785
                            • Opcode ID: 076d4dbdaccacf51b42516d4d78f513792876f9d85fae9c02780eec9c75aeb75
                            • Instruction ID: da06ddcdc36cf1fc2372cec8b2b4e0d3d54046517dea9c4c0835938c29bd36d4
                            • Opcode Fuzzy Hash: 076d4dbdaccacf51b42516d4d78f513792876f9d85fae9c02780eec9c75aeb75
                            • Instruction Fuzzy Hash: A421F576901225EFFB01DFA5CC99EAFBFB9FB49382B008509F61597268DB715500CBA0

                            Control-flow Graph

                            APIs
                            • GetTickCount.KERNEL32 ref: 00402EBD
                            • GetTickCount.KERNEL32 ref: 00402F44
                            • MulDiv.KERNEL32(7FFFFFFF,00000064,00000020), ref: 00402F71
                            • wsprintfA.USER32 ref: 00402F81
                            • WriteFile.KERNELBASE(00000000,00000000,0078EA58,7FFFFFFF,00000000), ref: 00402FAF
                            Memory Dump Source
                            • Source File: 00000000.00000002.3357962289.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_7Y18r(199).jbxd
                            Similarity
                            • API ID: CountTick$FileWritewsprintf
                            • String ID: ... %d%%$Xx
                            • API String ID: 4209647438-3059610700
                            • Opcode ID: 66be6ea0f8994ca985f250e109732287ec392314631f476161bbaf9676f9f34b
                            • Instruction ID: 757a158c2d49c8523133c414bd0f06684cc2d7309a11ee0dee407d3fac6bc3c1
                            • Opcode Fuzzy Hash: 66be6ea0f8994ca985f250e109732287ec392314631f476161bbaf9676f9f34b
                            • Instruction Fuzzy Hash: 2651AE7180121ADFCF10DF65DA48A9F7BB8AB05359F10003BF910B72C4C7789A50DBAA

                            Control-flow Graph

                            APIs
                            • SendMessageA.USER32(?,0000040D,00000000), ref: 10001C71
                            • ShowWindow.USER32(00000008), ref: 10001C7F
                            • KiUserCallbackDispatcher.NTDLL(?,00000000,00000000,00000000), ref: 10001C9B
                            • IsDialogMessageA.USER32(?), ref: 10001CAB
                            • IsDialogMessageA.USER32(?), ref: 10001CBB
                            • TranslateMessage.USER32(?), ref: 10001CC5
                            • DispatchMessageA.USER32(?), ref: 10001CCF
                            • SetWindowLongA.USER32(?,00000004), ref: 10001CE9
                            Memory Dump Source
                            • Source File: 00000000.00000002.3358809541.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true
                            • Associated: 00000000.00000002.3358795936.0000000010000000.00000002.00000001.01000000.00000005.sdmp
                            • Associated: 00000000.00000002.3358823763.0000000010003000.00000002.00000001.01000000.00000005.sdmp
                            • Associated: 00000000.00000002.3358837265.0000000010004000.00000008.00000001.01000000.00000005.sdmp
                            • Associated: 00000000.00000002.3358850867.0000000010007000.00000002.00000001.01000000.00000005.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_10000000_7Y18r(199).jbxd
                            Similarity
                            • API ID: Message$DialogWindow$CallbackDispatchDispatcherLongSendShowTranslateUser
                            • String ID:
                            • API String ID: 4159918924-0
                            • Opcode ID: 716d1f326841b8c89a0f97ad3bd45cbe88ff7acd533940a23d6c43e829f4c26b
                            • Instruction ID: 4cbc1df2721f4002ccc1d99008fa43fc86f26f63345a02fff2ee20be1cd4638b
                            • Opcode Fuzzy Hash: 716d1f326841b8c89a0f97ad3bd45cbe88ff7acd533940a23d6c43e829f4c26b
                            • Instruction Fuzzy Hash: 96111B31801229EBFB029BA5DD98D9F7FBEFB457C2B408121F60192028D7319405CBA0

                            Control-flow Graph

                            control_flow_graph 611 401f51-401f5d 612 401f63-401f79 call 4029f6 * 2 611->612 613 402019-40201b 611->613 622 401f88-401f96 LoadLibraryExA 612->622 623 401f7b-401f86 GetModuleHandleA 612->623 614 402164-402169 call 401423 613->614 620 40288b-40289a 614->620 626 401f98-401fa6 GetProcAddress 622->626 627 402012-402014 622->627 623->622 623->626 628 401fe5-401fea call 404d8e 626->628 629 401fa8-401fae 626->629 627->614 634 401fef-401ff2 628->634 630 401fb0-401fbc call 401423 629->630 631 401fc7-401fdb 629->631 630->634 642 401fbe-401fc5 630->642 643 401fde call 10001855 631->643 644 401fde call 10001c59 631->644 645 401fde call 10001759 631->645 634->620 635 401ff8-402000 call 4034d9 634->635 635->620 641 402006-40200d FreeLibrary 635->641 637 401fe0-401fe3 637->634 641->620 642->634 643->637 644->637 645->637
                            APIs
                            • GetModuleHandleA.KERNELBASE(00000000,00000001,000000F0), ref: 00401F7C
                              • Part of subcall function 00404D8E: lstrlenA.KERNEL32(0079E488,00000000,0078EA58,00789858,?,?,?,?,?,?,?,?,?,00402F95,00000000,?), ref: 00404DC7
                              • Part of subcall function 00404D8E: lstrlenA.KERNEL32(00402F95,0079E488,00000000,0078EA58,00789858,?,?,?,?,?,?,?,?,?,00402F95,00000000), ref: 00404DD7
                              • Part of subcall function 00404D8E: lstrcatA.KERNEL32(0079E488,00402F95,00402F95,0079E488,00000000,0078EA58,00789858), ref: 00404DEA
                              • Part of subcall function 00404D8E: SetWindowTextA.USER32(0079E488,0079E488), ref: 00404DFC
                              • Part of subcall function 00404D8E: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404E22
                              • Part of subcall function 00404D8E: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404E3C
                              • Part of subcall function 00404D8E: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404E4A
                            • LoadLibraryExA.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 00401F8C
                            • GetProcAddress.KERNEL32(00000000,?), ref: 00401F9C
                            • FreeLibrary.KERNELBASE(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 00402007
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.3357962289.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.3357942440.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3357981131.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.000000000077A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000780000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000784000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000788000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.000000000078D000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000795000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007A0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007A5000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007A8000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358382659.00000000007B7000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_7Y18r(199).jbxd
                            Similarity
                            • API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
                            • String ID: 'z
                            • API String ID: 2987980305-2904143285
                            • Opcode ID: b32720d9bc81c61d67e05913461186d49e161c0a49dbeb79296eddf1c012acbf
                            • Instruction ID: 1eaf9a67c69ade1601289c60989e8831752e40e27030405c61ed07ea1cd8f83e
                            • Opcode Fuzzy Hash: b32720d9bc81c61d67e05913461186d49e161c0a49dbeb79296eddf1c012acbf
                            • Instruction Fuzzy Hash: BD21EE76D04216ABCF107FA4CE49A6E75B0AB85398F20433BF611F52E1C77C4941965E

                            Control-flow Graph

                            control_flow_graph 646 4015b3-4015c6 call 4029f6 call 405577 651 4015c8-4015e3 call 40550e CreateDirectoryA 646->651 652 40160a-40160d 646->652 659 401600-401608 651->659 660 4015e5-4015f0 GetLastError 651->660 654 40162d-402169 call 401423 652->654 655 40160f-401628 call 401423 call 4059f0 SetCurrentDirectoryA 652->655 668 40288b-40289a 654->668 655->668 659->651 659->652 663 4015f2-4015fb GetFileAttributesA 660->663 664 4015fd 660->664 663->659 663->664 664->659
                            APIs
                              • Part of subcall function 00405577: CharNextA.USER32()S@,?,C:\Users\user\AppData\Local\Temp\nshD690.tmp,00000000,004055DB,C:\Users\user\AppData\Local\Temp\nshD690.tmp,C:\Users\user\AppData\Local\Temp\nshD690.tmp,?,?,00000000,00405329,?,"C:\Users\user\Desktop\7Y18r(199).exe",00000000), ref: 00405585
                              • Part of subcall function 00405577: CharNextA.USER32(00000000), ref: 0040558A
                              • Part of subcall function 00405577: CharNextA.USER32(00000000), ref: 00405599
                            • CreateDirectoryA.KERNELBASE(00000000,?,00000000,0000005C,00000000,000000F0), ref: 004015DB
                            • GetLastError.KERNEL32(?,00000000,0000005C,00000000,000000F0), ref: 004015E5
                            • GetFileAttributesA.KERNELBASE(00000000,?,00000000,0000005C,00000000,000000F0), ref: 004015F3
                            • SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\AppData\Local\Temp\nshD690.tmp,00000000,00000000,000000F0), ref: 00401622
                            Strings
                            • C:\Users\user\AppData\Local\Temp\nshD690.tmp, xrefs: 00401617
                            Memory Dump Source
                            • Source File: 00000000.00000002.3357962289.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.3357942440.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3357981131.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.000000000077A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000780000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000784000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000788000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.000000000078D000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000795000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007A0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007A5000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007A8000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358382659.00000000007B7000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_7Y18r(199).jbxd
                            Similarity
                            • API ID: CharNext$Directory$AttributesCreateCurrentErrorFileLast
                            • String ID: C:\Users\user\AppData\Local\Temp\nshD690.tmp
                            • API String ID: 3751793516-1590289044
                            • Opcode ID: f96e7136895fd08305bb3825f5adb2718a00d7215cf38a52ff4adb86686201ac
                            • Instruction ID: 88e88ba724b4eae6d0f08ec328b4944dd902225f4b5088a009125791a3141398
                            • Opcode Fuzzy Hash: f96e7136895fd08305bb3825f5adb2718a00d7215cf38a52ff4adb86686201ac
                            • Instruction Fuzzy Hash: 56012632808141AFDB212F791D44D7F27B4EA963A5724073FF492B22E2C63C4942962E

                            Control-flow Graph

                            control_flow_graph 671 4056f6-405700 672 405701-40572b GetTickCount GetTempFileNameA 671->672 673 40573a-40573c 672->673 674 40572d-40572f 672->674 675 405734-405737 673->675 674->672 676 405731 674->676 676->675
                            APIs
                            • GetTickCount.KERNEL32 ref: 00405709
                            • GetTempFileNameA.KERNELBASE(?,0061736E,00000000,?), ref: 00405723
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.3357962289.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.3357942440.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3357981131.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.000000000077A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000780000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000784000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000788000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.000000000078D000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000795000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007A0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007A5000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007A8000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358382659.00000000007B7000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_7Y18r(199).jbxd
                            Similarity
                            • API ID: CountFileNameTempTick
                            • String ID: "C:\Users\user\Desktop\7Y18r(199).exe"$C:\Users\user\AppData\Local\Temp\$nsa
                            • API String ID: 1716503409-2894786849
                            • Opcode ID: fc5e126f8815d4696b9f295c06fae67d9d4e63728d0dbdda5093f58b42bfadad
                            • Instruction ID: a41147e2ad70ab0e88512ae138b54e0503036a62734e23b080708fabd9fe5612
                            • Opcode Fuzzy Hash: fc5e126f8815d4696b9f295c06fae67d9d4e63728d0dbdda5093f58b42bfadad
                            • Instruction Fuzzy Hash: 56F0A036348248BBEB104E55EC04B9B7FADDF91760F14C03BFA449B1C0D6B1995897A9

                            Control-flow Graph

                            control_flow_graph 677 401bad-401bc5 call 4029d9 * 2 682 401bd1-401bd5 677->682 683 401bc7-401bce call 4029f6 677->683 685 401be1-401be7 682->685 686 401bd7-401bde call 4029f6 682->686 683->682 689 401be9-401bfd call 4029d9 * 2 685->689 690 401c2d-401c53 call 4029f6 * 2 FindWindowExA 685->690 686->685 700 401c1d-401c2b SendMessageA 689->700 701 401bff-401c1b SendMessageTimeoutA 689->701 702 401c59 690->702 700->702 703 401c5c-401c5f 701->703 702->703 704 401c65 703->704 705 40288b-40289a 703->705 704->705
                            APIs
                            • SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C0D
                            • SendMessageA.USER32(00000000,00000000,?,?), ref: 00401C25
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.3357962289.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.3357942440.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3357981131.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.000000000077A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000780000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000784000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000788000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.000000000078D000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000795000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007A0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007A5000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007A8000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358382659.00000000007B7000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_7Y18r(199).jbxd
                            Similarity
                            • API ID: MessageSend$Timeout
                            • String ID: !
                            • API String ID: 1777923405-2657877971
                            • Opcode ID: aafc7da7fcf0f859562f8e53678b28dbdf51dd9104fc06ae6a10a0cba618a25d
                            • Instruction ID: acab59ca6daa6e40ea07b44f182e2c9f7eb166a93146884f99df16ca5508a79d
                            • Opcode Fuzzy Hash: aafc7da7fcf0f859562f8e53678b28dbdf51dd9104fc06ae6a10a0cba618a25d
                            • Instruction Fuzzy Hash: 8721C7B1A44209BFEF01AFB4CE4AAAD7B75EF44344F14053EF602B60D1D6B84980E718

                            Control-flow Graph

                            APIs
                              • Part of subcall function 00405C52: CharNextA.USER32(?,*?|<>/":,00000000,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\7Y18r(199).exe",C:\Users\user\AppData\Local\Temp\,00000000,004030B6,C:\Users\user\AppData\Local\Temp\,00000000,00403228), ref: 00405CAA
                              • Part of subcall function 00405C52: CharNextA.USER32(?,?,?,00000000), ref: 00405CB7
                              • Part of subcall function 00405C52: CharNextA.USER32(?,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\7Y18r(199).exe",C:\Users\user\AppData\Local\Temp\,00000000,004030B6,C:\Users\user\AppData\Local\Temp\,00000000,00403228), ref: 00405CBC
                              • Part of subcall function 00405C52: CharPrevA.USER32(?,?,"C:\Users\user\Desktop\7Y18r(199).exe",C:\Users\user\AppData\Local\Temp\,00000000,004030B6,C:\Users\user\AppData\Local\Temp\,00000000,00403228), ref: 00405CCC
                            • CreateDirectoryA.KERNELBASE(C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403228), ref: 004030CB
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.3357962289.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.3357942440.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3357981131.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.000000000077A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000780000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000784000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000788000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.000000000078D000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000795000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007A0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007A5000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007A8000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358382659.00000000007B7000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_7Y18r(199).jbxd
                            Similarity
                            • API ID: Char$Next$CreateDirectoryPrev
                            • String ID: 1033$C:\Users\user\AppData\Local\Temp\
                            • API String ID: 4115351271-3512041753
                            • Opcode ID: 19a2235e473e394b5ec2d3f658693fbb336647dc7041e16462950f3e09e2c32e
                            • Instruction ID: 46dc73cc30ce5dfe81ab8becc5f712a7f1698ef9e1cce9bc41b67eac17bf13da
                            • Opcode Fuzzy Hash: 19a2235e473e394b5ec2d3f658693fbb336647dc7041e16462950f3e09e2c32e
                            • Instruction Fuzzy Hash: B7D0A92150BD3031C9A2332A3D06FCF0A0C8F4332AF00813BFA04B10C65A6C1A8389EE
                            APIs
                            • GlobalFree.KERNEL32(00B6D548), ref: 00401B75
                            • GlobalAlloc.KERNELBASE(00000040,00000404), ref: 00401B87
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.3357962289.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.3357942440.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3357981131.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.000000000077A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000780000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000784000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000788000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.000000000078D000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000795000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007A0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007A5000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007A8000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358382659.00000000007B7000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_7Y18r(199).jbxd
                            Similarity
                            • API ID: Global$AllocFree
                            • String ID: UnsetEventHandler
                            • API String ID: 3394109436-4293098496
                            • Opcode ID: cd0fe79ff73c1b44926daa46411282dd1b71a90f5fa747b5a8bf942e4db69892
                            • Instruction ID: 4dbbe2f82731553461dd9c1b6933e29fbe391e0b104ee0c44436983609d2ff82
                            • Opcode Fuzzy Hash: cd0fe79ff73c1b44926daa46411282dd1b71a90f5fa747b5a8bf942e4db69892
                            • Instruction Fuzzy Hash: D921EBB6600102DBC710FBA4DE84A5F73A8FB84328714463BF602F32D1D778A8119B5E
                            APIs
                            • MessageBoxIndirectA.USER32(004091D8), ref: 0040530C
                            Strings
                            • Mount and blade warband versio Setup, xrefs: 004052FC
                            Memory Dump Source
                            • Source File: 00000000.00000002.3357962289.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.3357942440.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3357981131.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.000000000077A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000780000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000784000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000788000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.000000000078D000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000795000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007A0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007A5000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007A8000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358382659.00000000007B7000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_7Y18r(199).jbxd
                            Similarity
                            • API ID: IndirectMessage
                            • String ID: Mount and blade warband versio Setup
                            • API String ID: 1874166685-1737275860
                            • Opcode ID: 3959549642625b8fa42c28d357fb2005b7a002b40946ec899d5ce4f1526c34f7
                            • Instruction ID: 6d1407588111d22f6559e20d312ba22aea0c015c58ada44c37dd95e130911be7
                            • Opcode Fuzzy Hash: 3959549642625b8fa42c28d357fb2005b7a002b40946ec899d5ce4f1526c34f7
                            • Instruction Fuzzy Hash: 15F0F8356112068FE764CF18EA4875637E0F78A341F54813EE540AA3B2C7785981CF08
                            APIs
                            • GetDlgItem.USER32(?), ref: 6E5A1105
                              • Part of subcall function 6E5A1000: PostMessageA.USER32(?,00000408,00000001,00000001), ref: 6E5A1049
                            • CallWindowProcA.USER32(?,?,?,?,?), ref: 6E5A1153
                            Memory Dump Source
                            • Source File: 00000000.00000002.3358879072.000000006E5A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6E5A0000, based on PE: true
                            • Associated: 00000000.00000002.3358865606.000000006E5A0000.00000002.00000001.01000000.00000006.sdmp
                            • Associated: 00000000.00000002.3358891417.000000006E5A2000.00000002.00000001.01000000.00000006.sdmp
                            • Associated: 00000000.00000002.3358907819.000000006E5A4000.00000002.00000001.01000000.00000006.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6e5a0000_7Y18r(199).jbxd
                            Similarity
                            • API ID: CallItemMessagePostProcWindow
                            • String ID:
                            • API String ID: 3221298011-0
                            • Opcode ID: ef69d0a25b04fd83e4e8959294491d4bbb6b5bad5f2f4ef34a9b7e353d2009cf
                            • Instruction ID: 427b87056c1e75160d2bfcf1efa7567f4061d7fa448d178a0ec6657c9cf2fd1d
                            • Opcode Fuzzy Hash: ef69d0a25b04fd83e4e8959294491d4bbb6b5bad5f2f4ef34a9b7e353d2009cf
                            • Instruction Fuzzy Hash: 2C018FF9600205ABDB00CE9EEE84EAF7BADFB86764F018015FB0487240DA35EC45C760
                            APIs
                            • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                            • SendMessageA.USER32(?,00000402,00000000), ref: 004013F4
                            Memory Dump Source
                            • Source File: 00000000.00000002.3357962289.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.3357942440.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3357981131.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.000000000077A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000780000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000784000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000788000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.000000000078D000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000795000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007A0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007A5000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007A8000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358382659.00000000007B7000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_7Y18r(199).jbxd
                            Similarity
                            • API ID: MessageSend
                            • String ID:
                            • API String ID: 3850602802-0
                            • Opcode ID: f14657ebd28fc6baf9b9ff9e92c25a5f7a8dfc1a89bd07eb24b2803ab223f6fe
                            • Instruction ID: 3c5d5ded27ab8161cdf62c55c7ff868099a2a5436aaabb2293ed2b08c0ba0c1c
                            • Opcode Fuzzy Hash: f14657ebd28fc6baf9b9ff9e92c25a5f7a8dfc1a89bd07eb24b2803ab223f6fe
                            • Instruction Fuzzy Hash: A501F4326282109BE7195B389D04B6A36D8E751355F10823BF855F76F1D678DC029B4D
                            APIs
                            • ShowWindow.USER32(00000000,00000000,00000001), ref: 00401DAB
                            • KiUserCallbackDispatcher.NTDLL(00000000,00000000), ref: 00401DB6
                            Memory Dump Source
                            • Source File: 00000000.00000002.3357962289.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.3357942440.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3357981131.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.000000000077A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000780000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000784000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000788000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.000000000078D000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000795000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007A0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007A5000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007A8000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358382659.00000000007B7000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_7Y18r(199).jbxd
                            Similarity
                            • API ID: CallbackDispatcherShowUserWindow
                            • String ID:
                            • API String ID: 82835404-0
                            • Opcode ID: 072d3a7041dd750855194a8d9b225d97678dd4d495dcb591809413a269ec3e63
                            • Instruction ID: cf917e2a5d01758f127baceaa286b7e3c9e625de45ef1693142e197693b850ed
                            • Opcode Fuzzy Hash: 072d3a7041dd750855194a8d9b225d97678dd4d495dcb591809413a269ec3e63
                            • Instruction Fuzzy Hash: 4DE0C272A08210DBD710FBB4AE899AE3264DB403A9B10453BF503F20C1D2B89C8197EE
                            APIs
                            • GetFileAttributesA.KERNELBASE(00000003,00402C62,C:\Users\user\Desktop\7Y18r(199).exe,80000000,00000003), ref: 004056CB
                            • CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 004056ED
                            Memory Dump Source
                            • Source File: 00000000.00000002.3357962289.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.3357942440.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3357981131.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.000000000077A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000780000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000784000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000788000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.000000000078D000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000795000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007A0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007A5000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007A8000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358382659.00000000007B7000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_7Y18r(199).jbxd
                            Similarity
                            • API ID: File$AttributesCreate
                            • String ID:
                            • API String ID: 415043291-0
                            • Opcode ID: f96d5d8e90d761c4e0dddf78ec48930a46771e4615b27f2c581d09f506512028
                            • Instruction ID: 518821d5ca0a74227a37217cadb520a33af9faec79942caa6648154b48e23ab6
                            • Opcode Fuzzy Hash: f96d5d8e90d761c4e0dddf78ec48930a46771e4615b27f2c581d09f506512028
                            • Instruction Fuzzy Hash: DDD09E71658301AFEF098F20DE1AF2E7AA2EB84B01F10962CB646940E0D6715C15DB16
                            APIs
                            • GetFileAttributesA.KERNELBASE(?,004054B3,?,?,?), ref: 004056AC
                            • SetFileAttributesA.KERNEL32(?,00000000), ref: 004056BE
                            Memory Dump Source
                            • Source File: 00000000.00000002.3357962289.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.3357942440.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3357981131.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.000000000077A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000780000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000784000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000788000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.000000000078D000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000795000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007A0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007A5000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007A8000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358382659.00000000007B7000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_7Y18r(199).jbxd
                            Similarity
                            • API ID: AttributesFile
                            • String ID:
                            • API String ID: 3188754299-0
                            • Opcode ID: 499c41a265c8c72c251eb99c81a2d8ea197c0ca55525d81af5d9f53b6a62e1c9
                            • Instruction ID: 5b6c8abf5c6657dd1eb2aacdbb88165d5ef3b362f1ace4ec03089f8aa3a349a3
                            • Opcode Fuzzy Hash: 499c41a265c8c72c251eb99c81a2d8ea197c0ca55525d81af5d9f53b6a62e1c9
                            • Instruction Fuzzy Hash: 07C04CB1818501ABDA015B24DF0D82F7F66EB60322B508F35F56DE00F0CB355C66DA1A
                            APIs
                            • ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,000000FF,?,00402EAB,000000FF,00000004,00000000,00000000,00000000), ref: 00403078
                            Memory Dump Source
                            • Source File: 00000000.00000002.3357962289.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.3357942440.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3357981131.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.000000000077A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000780000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000784000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000788000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.000000000078D000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000795000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007A0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007A5000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007A8000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358382659.00000000007B7000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_7Y18r(199).jbxd
                            Similarity
                            • API ID: FileRead
                            • String ID:
                            • API String ID: 2738559852-0
                            • Opcode ID: 728267699a9b44ddad9e6e694247195ab13049bac6004c2e56fc09e99b3f0f19
                            • Instruction ID: 6f2b57ed93274e24fd49225d19a01d35385a3562131b0f82fbcc89c4f8353da0
                            • Opcode Fuzzy Hash: 728267699a9b44ddad9e6e694247195ab13049bac6004c2e56fc09e99b3f0f19
                            • Instruction Fuzzy Hash: 9CE08631111118BBDF209F61DC00A977B6CEB05362F008036FE44E6190D530DA10DBB9
                            APIs
                            • SetDlgItemTextA.USER32(?,?,00000000), ref: 00403DBC
                            Memory Dump Source
                            • Source File: 00000000.00000002.3357962289.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.3357942440.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3357981131.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.000000000077A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000780000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000784000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000788000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.000000000078D000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000795000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007A0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007A5000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007A8000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358382659.00000000007B7000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_7Y18r(199).jbxd
                            Similarity
                            • API ID: ItemText
                            • String ID:
                            • API String ID: 3367045223-0
                            • Opcode ID: 3e813572aabfc24dd457d3397d8ae2cb884b5dfcfb659632984281e934c33c5c
                            • Instruction ID: 967b4ebdc23d6ba587af7062d593019b7971b152c1c34c6e85d63a88f0849f22
                            • Opcode Fuzzy Hash: 3e813572aabfc24dd457d3397d8ae2cb884b5dfcfb659632984281e934c33c5c
                            • Instruction Fuzzy Hash: 4DC08C35108200BFD281A755CC42F2FB398EFA4315F00C52EB05CE00D2C634C8209E2A
                            APIs
                            • SendMessageA.USER32(00000028,?,00000001,00403C08), ref: 00403DE5
                            Memory Dump Source
                            • Source File: 00000000.00000002.3357962289.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.3357942440.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3357981131.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.000000000077A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000780000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000784000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000788000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.000000000078D000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000795000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007A0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007A5000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007A8000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358382659.00000000007B7000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_7Y18r(199).jbxd
                            Similarity
                            • API ID: MessageSend
                            • String ID:
                            • API String ID: 3850602802-0
                            • Opcode ID: d4e1e312f6f8726f8453fbe9bd890eb949c19cc18b2f2d87ff1feb2c3bbfeee7
                            • Instruction ID: 1d968ed1ca59693261094655a7bd881166979b6a74dc5893cfd6553764acf6b4
                            • Opcode Fuzzy Hash: d4e1e312f6f8726f8453fbe9bd890eb949c19cc18b2f2d87ff1feb2c3bbfeee7
                            • Instruction Fuzzy Hash: A1B012756C7201BFDE515B00DE09F457E72E7A4701F00C064B304244F0C6B200A1DB09
                            APIs
                            • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402DE9,?), ref: 004030A1
                            Memory Dump Source
                            • Source File: 00000000.00000002.3357962289.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.3357942440.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3357981131.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.000000000077A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000780000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000784000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000788000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.000000000078D000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000795000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007A0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007A5000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007A8000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358382659.00000000007B7000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_7Y18r(199).jbxd
                            Similarity
                            • API ID: FilePointer
                            • String ID:
                            • API String ID: 973152223-0
                            • Opcode ID: 2028dafccfaa88a297be93e7ba1f52e009ec02dcd94d5fd44c1761bf2bffe23e
                            • Instruction ID: eafd0aff1283cdec3023edec91852d87283cefa69c9b21bce59c6677f93a42a7
                            • Opcode Fuzzy Hash: 2028dafccfaa88a297be93e7ba1f52e009ec02dcd94d5fd44c1761bf2bffe23e
                            • Instruction Fuzzy Hash: 14B01271644200BFDB214F00DF06F057B21A790701F108030B344380F082712420EB1E
                            APIs
                            • GetDlgItem.USER32(?,00000403), ref: 00404F2B
                            • GetDlgItem.USER32(?,000003EE), ref: 00404F3A
                            • GetClientRect.USER32(?,?), ref: 00404F77
                            • GetSystemMetrics.USER32(00000015), ref: 00404F7F
                            • SendMessageA.USER32(?,0000101B,00000000,00000002), ref: 00404FA0
                            • SendMessageA.USER32(?,00001036,00004000,00004000), ref: 00404FB1
                            • SendMessageA.USER32(?,00001001,00000000,00000110), ref: 00404FC4
                            • SendMessageA.USER32(?,00001026,00000000,00000110), ref: 00404FD2
                            • SendMessageA.USER32(?,00001024,00000000,?), ref: 00404FE5
                            • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405007
                            • ShowWindow.USER32(?,00000008), ref: 0040501B
                            • GetDlgItem.USER32(?,000003EC), ref: 0040503C
                            • SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 0040504C
                            • SendMessageA.USER32(00000000,00000409,00000000,?), ref: 00405065
                            • SendMessageA.USER32(00000000,00002001,00000000,00000110), ref: 00405071
                            • GetDlgItem.USER32(?,000003F8), ref: 00404F49
                              • Part of subcall function 00403DD7: SendMessageA.USER32(00000028,?,00000001,00403C08), ref: 00403DE5
                            • GetDlgItem.USER32(?,000003EC), ref: 0040508E
                            • CreateThread.KERNEL32(00000000,00000000,Function_00004E60,00000000), ref: 0040509C
                            • CloseHandle.KERNEL32(00000000), ref: 004050A3
                            • ShowWindow.USER32(00000000), ref: 004050C7
                            • ShowWindow.USER32(00000000,00000008), ref: 004050CC
                            • ShowWindow.USER32(00000008), ref: 00405113
                            • SendMessageA.USER32(00000000,00001004,00000000,00000000), ref: 00405145
                            • CreatePopupMenu.USER32 ref: 00405156
                            • AppendMenuA.USER32(00000000,00000000,00000001,00000000), ref: 0040516B
                            • GetWindowRect.USER32(00000000,?), ref: 0040517E
                            • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004051A2
                            • SendMessageA.USER32(?,0000102D,00000000,?), ref: 004051DD
                            • OpenClipboard.USER32(00000000), ref: 004051ED
                            • EmptyClipboard.USER32 ref: 004051F3
                            • GlobalAlloc.KERNEL32(00000042,?,?,?,00000000,?,00000000), ref: 004051FC
                            • GlobalLock.KERNEL32(00000000,?,?,00000000,?,00000000), ref: 00405206
                            • SendMessageA.USER32(?,0000102D,00000000,?), ref: 0040521A
                            • GlobalUnlock.KERNEL32(00000000,?,?,00000000,?,00000000), ref: 00405232
                            • SetClipboardData.USER32(00000001,00000000), ref: 0040523D
                            • CloseClipboard.USER32 ref: 00405243
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.3357962289.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.3357942440.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3357981131.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.000000000077A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000780000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000784000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000788000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.000000000078D000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000795000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007A0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007A5000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007A8000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358382659.00000000007B7000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_7Y18r(199).jbxd
                            Similarity
                            • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                            • String ID: {
                            • API String ID: 590372296-366298937
                            • Opcode ID: 5fa8be3bfb14bc7cfff307f2fca82298cb08855669577aecda1dfe655a3c239f
                            • Instruction ID: c44d8bc161a02afc0db2ed8700647d2145cd734f39557cc01e1de1dc461ee546
                            • Opcode Fuzzy Hash: 5fa8be3bfb14bc7cfff307f2fca82298cb08855669577aecda1dfe655a3c239f
                            • Instruction Fuzzy Hash: D0A14870904208BFEB119F61DD89AAE3F79FB44355F00802AFA04BA1A0C7799E41DF99
                            APIs
                            • GetDlgItem.USER32(?,000003F9), ref: 004046F4
                            • GetDlgItem.USER32(?,00000408), ref: 00404701
                            • GlobalAlloc.KERNEL32(00000040,?), ref: 0040474D
                            • LoadBitmapA.USER32(0000006E), ref: 00404760
                            • SetWindowLongA.USER32(?,000000FC,00404CDE), ref: 0040477A
                            • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 0040478E
                            • ImageList_AddMasked.COMCTL32(00000000,?,00FF00FF), ref: 004047A2
                            • SendMessageA.USER32(?,00001109,00000002), ref: 004047B7
                            • SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 004047C3
                            • SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 004047D5
                            • DeleteObject.GDI32(?), ref: 004047DA
                            • SendMessageA.USER32(?,00000143,00000000,00000000), ref: 00404805
                            • SendMessageA.USER32(?,00000151,00000000,00000000), ref: 00404811
                            • SendMessageA.USER32(?,00001100,00000000,?), ref: 004048A6
                            • SendMessageA.USER32(?,0000110A,00000003,00000000), ref: 004048D1
                            • SendMessageA.USER32(?,00001100,00000000,?), ref: 004048E5
                            • GetWindowLongA.USER32(?,000000F0), ref: 00404914
                            • SetWindowLongA.USER32(?,000000F0,00000000), ref: 00404922
                            • ShowWindow.USER32(?,00000005), ref: 00404933
                            • SendMessageA.USER32(?,00000419,00000000,?), ref: 00404A36
                            • SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404A9B
                            • SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00404AB0
                            • SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00404AD4
                            • SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404AFA
                            • ImageList_Destroy.COMCTL32(?), ref: 00404B0F
                            • GlobalFree.KERNEL32(?), ref: 00404B1F
                            • SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00404B8F
                            • SendMessageA.USER32(?,00001102,00000410,?), ref: 00404C38
                            • SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 00404C47
                            • InvalidateRect.USER32(?,00000000,00000001), ref: 00404C67
                            • ShowWindow.USER32(?,00000000), ref: 00404CB5
                            • GetDlgItem.USER32(?,000003FE), ref: 00404CC0
                            • ShowWindow.USER32(00000000), ref: 00404CC7
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.3357962289.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_7Y18r(199).jbxd
                            Similarity
                            • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                            • String ID: $M$N
                            • API String ID: 1638840714-813528018
                            • Opcode ID: 1235462460089bc7471f559be2d9480082261221246f1f0c7c3950ddd303c69e
                            • Instruction ID: fb507fea98db5aaa3294b09c786d2d275a1bb3007ea5746a7c7bf1d549d88891
                            • Opcode Fuzzy Hash: 1235462460089bc7471f559be2d9480082261221246f1f0c7c3950ddd303c69e
                            • Instruction Fuzzy Hash: 7F02AFB0900208EFEB10DF65DD45AAE7BB5FB85314F10817AF610BA2E1C7799A41DF58
                            APIs
                            • GetDlgItem.USER32(?,000003FB), ref: 0040422C
                            • SetWindowTextA.USER32(?,?), ref: 00404259
                            • SHBrowseForFolderA.SHELL32(?,0079E080,?), ref: 0040430E
                            • CoTaskMemFree.OLE32(00000000), ref: 00404319
                            • lstrcmpiA.KERNEL32(0x000C,0079ECB0), ref: 0040434B
                            • lstrcatA.KERNEL32(?,0x000C), ref: 00404357
                            • SetDlgItemTextA.USER32(?,000003FB,?), ref: 00404367
                              • Part of subcall function 00405295: GetDlgItemTextA.USER32(?,?,00000400,0040439A), ref: 004052A8
                              • Part of subcall function 00405C52: CharNextA.USER32(?,*?|<>/":,00000000,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\7Y18r(199).exe",C:\Users\user\AppData\Local\Temp\,00000000,004030B6,C:\Users\user\AppData\Local\Temp\,00000000,00403228), ref: 00405CAA
                              • Part of subcall function 00405C52: CharNextA.USER32(?,?,?,00000000), ref: 00405CB7
                              • Part of subcall function 00405C52: CharNextA.USER32(?,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\7Y18r(199).exe",C:\Users\user\AppData\Local\Temp\,00000000,004030B6,C:\Users\user\AppData\Local\Temp\,00000000,00403228), ref: 00405CBC
                              • Part of subcall function 00405C52: CharPrevA.USER32(?,?,"C:\Users\user\Desktop\7Y18r(199).exe",C:\Users\user\AppData\Local\Temp\,00000000,004030B6,C:\Users\user\AppData\Local\Temp\,00000000,00403228), ref: 00405CCC
                            • GetDiskFreeSpaceA.KERNEL32(0079DC78,?,?,0000040F,?,0079DC78,0079DC78,?,00000000,0079DC78,?,?,000003FB,?), ref: 00404420
                            • MulDiv.KERNEL32(?,0000040F,00000400), ref: 0040443B
                            • SetDlgItemTextA.USER32(00000000,00000400,0079DC68), ref: 004044B4
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.3357962289.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_7Y18r(199).jbxd
                            Similarity
                            • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpi
                            • String ID: 0x000C$A
                            • API String ID: 2246997448-3908564715
                            • Opcode ID: be89b72108ad81e19374e29e85662dea810b71444be68eacd6f6b68653deaa4f
                            • Instruction ID: a088248d0120326a2a7193fe274691d38c4097ed38d59b91b5b3761a319d8410
                            • Opcode Fuzzy Hash: be89b72108ad81e19374e29e85662dea810b71444be68eacd6f6b68653deaa4f
                            • Instruction Fuzzy Hash: 129172B1900208ABDF11AFA1DD85AAF7BB8EF85314F10407BFA04B62D1D77C99419F69
                            APIs
                            • GetVersion.KERNEL32(?,0079E488,00000000,00404DC6,0079E488,00000000), ref: 00405ABA
                            • GetSystemDirectoryA.KERNEL32(0x000C,00000400), ref: 00405B35
                            • GetWindowsDirectoryA.KERNEL32(0x000C,00000400), ref: 00405B48
                            • SHGetSpecialFolderLocation.SHELL32(?,0078EA58), ref: 00405B84
                            • SHGetPathFromIDListA.SHELL32(0078EA58,0x000C), ref: 00405B92
                            • CoTaskMemFree.OLE32(0078EA58), ref: 00405B9D
                            • lstrcatA.KERNEL32(0x000C,\Microsoft\Internet Explorer\Quick Launch), ref: 00405BBF
                            • lstrlenA.KERNEL32(0x000C,?,0079E488,00000000,00404DC6,0079E488,00000000), ref: 00405C11
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.3357962289.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_7Y18r(199).jbxd
                            Similarity
                            • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
                            • String ID: 0x000C$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                            • API String ID: 900638850-1334114377
                            • Opcode ID: 57ab25149ad12bf0c75bcc00809bdb782574da7809549e735744c03fa5970541
                            • Instruction ID: 4d09abd6f052033a3d41754f0be5b6bf2f3975eab4cef7345a670ae4dd5e13eb
                            • Opcode Fuzzy Hash: 57ab25149ad12bf0c75bcc00809bdb782574da7809549e735744c03fa5970541
                            • Instruction Fuzzy Hash: 2C51C471A04A04ABEF216F289C84B7F3B74DB56324F14423BE511BA2D1D27C6942DF5E
                            APIs
                            • CoCreateInstance.OLE32(00407384,?,00000001,00407374,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402073
                            • MultiByteToWideChar.KERNEL32(?,?,?,000000FF,00409348,00000400,?,00000001,00407374,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 0040212D
                            Strings
                            • C:\Users\user\AppData\Local\Temp\nshD690.tmp, xrefs: 004020AB
                            Memory Dump Source
                            • Source File: 00000000.00000002.3357962289.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_7Y18r(199).jbxd
                            Similarity
                            • API ID: ByteCharCreateInstanceMultiWide
                            • String ID: C:\Users\user\AppData\Local\Temp\nshD690.tmp
                            • API String ID: 123533781-1590289044
                            • Opcode ID: b77a51f224e28c47b49417957a5a36aa14206e31a169157970346d99be7a70a7
                            • Instruction ID: 7292818645f1116ec89690e38501c36d61a092d5262e53446680688b9da0bc44
                            • Opcode Fuzzy Hash: b77a51f224e28c47b49417957a5a36aa14206e31a169157970346d99be7a70a7
                            • Instruction Fuzzy Hash: 33419071A00205AFCB40DFA4CD88E9E7BBAFF48354B204269FA15FB2D1CA799D41CB54
                            APIs
                            • FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 0040264D
                            Memory Dump Source
                            • Source File: 00000000.00000002.3357962289.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_7Y18r(199).jbxd
                            Similarity
                            • API ID: FileFindFirst
                            • String ID:
                            • API String ID: 1974802433-0
                            • Opcode ID: a28d4e24cd7d65395e35d338acc7230e4765af8edcb66052a975a71a47c867b3
                            • Instruction ID: 0cc3c8f68634a7e8302c36dd57b2e55cd5eed94b35c4f9e1bb414670c608f674
                            • Opcode Fuzzy Hash: a28d4e24cd7d65395e35d338acc7230e4765af8edcb66052a975a71a47c867b3
                            • Instruction Fuzzy Hash: 54F0A072504101DBD701EBB49D49AEEB768EB51328F60067BE102F21C2C6B84A45AB2B
                            APIs
                            • CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 00403F75
                            • GetDlgItem.USER32(00000000,000003E8), ref: 00403F89
                            • SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 00403FA7
                            • GetSysColor.USER32(?), ref: 00403FB8
                            • SendMessageA.USER32(00000000,00000443,00000000,?), ref: 00403FC7
                            • SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 00403FD6
                            • lstrlenA.KERNEL32(?), ref: 00403FE0
                            • SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 00403FEE
                            • SendMessageA.USER32(00000000,00000449,?,00000110), ref: 00403FFD
                            • GetDlgItem.USER32(?,0000040A), ref: 00404060
                            • SendMessageA.USER32(00000000), ref: 00404063
                            • GetDlgItem.USER32(?,000003E8), ref: 0040408E
                            • SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 004040CE
                            • LoadCursorA.USER32(00000000,00007F02), ref: 004040DD
                            • SetCursor.USER32(00000000), ref: 004040E6
                            • ShellExecuteA.SHELL32(0000070B,open,007A1640,00000000,00000000,00000001), ref: 004040F9
                            • LoadCursorA.USER32(00000000,00007F00), ref: 00404106
                            • SetCursor.USER32(00000000), ref: 00404109
                            • SendMessageA.USER32(00000111,00000001,00000000), ref: 00404135
                            • SendMessageA.USER32(00000010,00000000,00000000), ref: 00404149
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.3357962289.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_7Y18r(199).jbxd
                            Similarity
                            • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
                            • String ID: 0x000C$N$open
                            • API String ID: 3615053054-1545876400
                            • Opcode ID: 7039d35395c8a6dfa0eb624c4e5e46008d28a35689ffeea2a58e1a2886da11f6
                            • Instruction ID: 5cf5ebbde0ea0e224e1c1c89ac2c75cb239626fd5e4202b08f831cf517230a15
                            • Opcode Fuzzy Hash: 7039d35395c8a6dfa0eb624c4e5e46008d28a35689ffeea2a58e1a2886da11f6
                            • Instruction Fuzzy Hash: CC61BFB1A40309BFEB109F60DC45F6A7B69EB54705F108426FB05BA2D1C7B8E991CF98
                            APIs
                            • DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
                            • BeginPaint.USER32(?,?), ref: 00401047
                            • GetClientRect.USER32(?,?), ref: 0040105B
                            • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                            • FillRect.USER32(00000000,?,00000000), ref: 004010E4
                            • DeleteObject.GDI32(?), ref: 004010ED
                            • CreateFontIndirectA.GDI32(?), ref: 00401105
                            • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                            • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                            • SelectObject.GDI32(00000000,?), ref: 00401140
                            • DrawTextA.USER32(00000000,Mount and blade warband versio Setup,000000FF,00000010,00000820), ref: 00401156
                            • SelectObject.GDI32(00000000,00000000), ref: 00401160
                            • DeleteObject.GDI32(?), ref: 00401165
                            • EndPaint.USER32(?,?), ref: 0040116E
                             Memory Dump Source
                             • Source File: 00000000.00000002.3357962289.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000000.00000002.3357942440.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3357981131.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3358003440.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3358003440.000000000077A000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3358003440.0000000000780000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3358003440.0000000000784000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3358003440.0000000000788000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3358003440.000000000078D000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3358003440.0000000000795000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3358003440.00000000007A0000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3358003440.00000000007A5000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3358003440.00000000007A8000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3358003440.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3358003440.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3358003440.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3358382659.00000000007B7000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_7Y18r(199).jbxd
                            Similarity
                            • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                            • String ID: F$Mount and blade warband versio Setup
                            • API String ID: 941294808-526432462
                            • Opcode ID: a1b69719d413d6eb1b9d60d8a7c4d54be9142ba142ae879b6ed1fc3e6957a23b
                            • Instruction ID: f1623386d31465930f138e91e30eaf8b180d6d1799e53ea9d017dc7d56a7ab10
                            • Opcode Fuzzy Hash: a1b69719d413d6eb1b9d60d8a7c4d54be9142ba142ae879b6ed1fc3e6957a23b
                            • Instruction Fuzzy Hash: 4E41AA71804249AFCB058FA5CD459BFBFB9FF45314F00812AF951AA1A0C738EA50DFA5
                            APIs
                              • Part of subcall function 10001DD9: lstrcpynA.KERNEL32(10001054,?,?,?,10001054,?), ref: 10001E06
                              • Part of subcall function 10001DD9: GlobalFree.KERNEL32 ref: 10001E16
                            • lstrcmpiA.KERNEL32(?,save), ref: 10001168
                            • GetFileAttributesA.KERNEL32(100048A0), ref: 1000117A
                            • lstrcpyA.KERNEL32(10004CA0,100048A0), ref: 10001193
                            • lstrcpyA.KERNEL32(100044A0,All Files|*.*), ref: 100011B6
                            • CharNextA.USER32(100044A0), ref: 100011D3
                            • GetCurrentDirectoryA.KERNEL32(00000400,100040A0), ref: 100011E9
                            • GetSaveFileNameA.COMDLG32(0000004C), ref: 100011FD
                            • GetOpenFileNameA.COMDLG32(0000004C), ref: 10001205
                            • CommDlgExtendedError.COMDLG32 ref: 1000120B
                            • GetSaveFileNameA.COMDLG32(0000004C), ref: 10001227
                            • GetOpenFileNameA.COMDLG32(0000004C), ref: 1000122F
                            • SetCurrentDirectoryA.KERNEL32(100040A0,100048A0), ref: 10001247
                             Memory Dump Source
                             • Source File: 00000000.00000002.3358809541.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true
                             • Associated: 00000000.00000002.3358795936.0000000010000000.00000002.00000001.01000000.00000005.sdmp
                             • Associated: 00000000.00000002.3358823763.0000000010003000.00000002.00000001.01000000.00000005.sdmp
                             • Associated: 00000000.00000002.3358837265.0000000010004000.00000008.00000001.01000000.00000005.sdmp
                             • Associated: 00000000.00000002.3358850867.0000000010007000.00000002.00000001.01000000.00000005.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_10000000_7Y18r(199).jbxd
                            Similarity
                            • API ID: File$Name$CurrentDirectoryOpenSavelstrcpy$AttributesCharCommErrorExtendedFreeGlobalNextlstrcmpilstrcpyn
                            • String ID: All Files|*.*$L$save
                            • API String ID: 3853173656-601108453
                            • Opcode ID: ee7c01f886b4788410f5ea61e22284b288ee5a55540d47cc7701049f7c833bfe
                            • Instruction ID: bda79d0c1617a53c2ae572c25b6cebfb1753f7d627be79b9d5d66e21c02e6488
                            • Opcode Fuzzy Hash: ee7c01f886b4788410f5ea61e22284b288ee5a55540d47cc7701049f7c833bfe
                            • Instruction Fuzzy Hash: B541ADB4901298AFF701DFA0DC98BCF3FECEB063D4F528416E601E6199CB7499148B66
                            APIs
                              • Part of subcall function 00405D12: GetModuleHandleA.KERNEL32(?,?,00000000,00403121,00000008), ref: 00405D24
                              • Part of subcall function 00405D12: LoadLibraryA.KERNELBASE(?,?,00000000,00403121,00000008), ref: 00405D2F
                              • Part of subcall function 00405D12: GetProcAddress.KERNEL32(00000000,?), ref: 00405D40
                            • CloseHandle.KERNEL32(00000000,?,00000000,00000001,00000001,?,00000000,?,?,004054D3,?,00000000,000000F1,?), ref: 0040578B
                            • GetShortPathNameA.KERNEL32(?,007A0E40,00000400), ref: 00405794
                            • GetShortPathNameA.KERNEL32(00000000,007A08B8,00000400), ref: 004057B1
                            • wsprintfA.USER32 ref: 004057CF
                            • GetFileSize.KERNEL32(00000000,00000000,007A08B8,C0000000,00000004,007A08B8,?,?,?,00000000,000000F1,?), ref: 0040580A
                            • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,00000000,000000F1,?), ref: 00405819
                            • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,000000F1,?), ref: 0040582F
                            • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,007A04B8,00000000,-0000000A,00409330,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405875
                            • WriteFile.KERNEL32(00000000,00000000,?,?,00000000,?,?,00000000,000000F1,?), ref: 00405887
                            • GlobalFree.KERNEL32(00000000), ref: 0040588E
                            • CloseHandle.KERNEL32(00000000,?,?,00000000,000000F1,?), ref: 00405895
                              • Part of subcall function 0040563C: lstrlenA.KERNEL32(00000000,?,00000000,00000000,0040584A,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405643
                              • Part of subcall function 0040563C: lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,0040584A,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405673
                             Memory Dump Source
                             • Source File: 00000000.00000002.3357962289.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000000.00000002.3357942440.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3357981131.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3358003440.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3358003440.000000000077A000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3358003440.0000000000780000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3358003440.0000000000784000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3358003440.0000000000788000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3358003440.000000000078D000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3358003440.0000000000795000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3358003440.00000000007A0000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3358003440.00000000007A5000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3358003440.00000000007A8000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3358003440.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3358003440.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3358003440.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3358382659.00000000007B7000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_7Y18r(199).jbxd
                            Similarity
                            • API ID: File$Handle$CloseGlobalNamePathShortlstrlen$AddressAllocFreeLibraryLoadModulePointerProcReadSizeWritewsprintf
                            • String ID: %s=%s$[Rename]
                            • API String ID: 3772915668-1727408572
                            • Opcode ID: ee2dba630dac438606ad06d3db9563dc901c6f1c98f3c43eddc8cf5b61b8d4d8
                            • Instruction ID: cf50ac85c4282b88ef8f77f851aa0afb118ddc72369741310617bfb4f8b839d4
                            • Opcode Fuzzy Hash: ee2dba630dac438606ad06d3db9563dc901c6f1c98f3c43eddc8cf5b61b8d4d8
                            • Instruction Fuzzy Hash: D241E172604B116BE7207B619C49F6B3A5CEF86704F04893AFD05F62D2D63DA8018ABD
                            APIs
                            • SendMessageA.USER32(?,?,?), ref: 10001528
                            • GetDlgItem.USER32(?,?), ref: 1000153B
                            • GetWindowTextA.USER32(?,00000000,00000400), ref: 1000165E
                            • DrawTextA.USER32(?,00000000,000000FF,?,00000414), ref: 1000167F
                            • GetWindowLongA.USER32(?,000000EB), ref: 100016CA
                            • SetTextColor.GDI32(?,00FF0000), ref: 100016DC
                            • DrawTextA.USER32(?,00000000,000000FF,00000000,?), ref: 100016F6
                            • DrawFocusRect.USER32(?,00000010), ref: 10001717
                            • RemovePropA.USER32(00000000,NSIS: nsControl pointer property), ref: 1000173B
                            Strings
                            • NSIS: nsControl pointer property, xrefs: 10001733
                            Memory Dump Source
                            • Source File: 00000000.00000002.3358809541.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true
                             • Associated: 00000000.00000002.3358795936.0000000010000000.00000002.00000001.01000000.00000005.sdmp
                             • Associated: 00000000.00000002.3358823763.0000000010003000.00000002.00000001.01000000.00000005.sdmp
                             • Associated: 00000000.00000002.3358837265.0000000010004000.00000008.00000001.01000000.00000005.sdmp
                             • Associated: 00000000.00000002.3358850867.0000000010007000.00000002.00000001.01000000.00000005.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_10000000_7Y18r(199).jbxd
                            Similarity
                            • API ID: Text$Draw$Window$ColorFocusItemLongMessagePropRectRemoveSend
                            • String ID: NSIS: nsControl pointer property
                            • API String ID: 2331901045-1714965683
                            • Opcode ID: e4d1c9716ebe2af1565e915246fa69ec26c243216045d82295f49798d47b10df
                            • Instruction ID: a25cf0b58983efc43e1d94949bc1ea38fb28a260226272d23706f895723df3db
                            • Opcode Fuzzy Hash: e4d1c9716ebe2af1565e915246fa69ec26c243216045d82295f49798d47b10df
                            • Instruction Fuzzy Hash: B7718C7090461A9BFB11CF64CC84BEA7BFAFB443C1F118565E905AA1AEC771DC80CBA1
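The entries above are raw API-call enumerations per function, which is what a triager actually works from when a sandbox has no config extraction to offer. The useful signals are in the call sequences and the string arguments, not in the individual calls: the `GetModuleHandleA` / `LoadLibraryA` followed by `GetProcAddress` in the subcall lines is dynamic API resolution, `WriteFile` followed by `DeleteFileA` in one routine is a temporary file written and removed, and the `NSIS: nsControl pointer property` and `[Rename]` string arguments mark installer-framework code rather than bespoke logic. The following Python is an added example, not part of the Joe Sandbox report and not Joe Sandbox code. It parses the `• Api.MODULE(args), ref: ADDR` listing format (including the argument-less `wsprintfA.USER32 ref:` form and the indented `Part of subcall function` lines, which it attributes to the enclosing function) and applies those three rules. The sample input is constructed from listing lines on this page. The `NSIS: nsControl pointer property` string is literally present in the dump; reading `[Rename]` as the NSIS stub's reboot-rename section is my assumption, and the rule names are mine.

```python
"""Parse Joe Sandbox 'APIs' listings into per-function call records and flag sequences."""
import re
from collections import Counter

# Constructed sample input: listing lines copied from the function entries on this page
# (the [Rename] helper, the WM_PAINT handler, the nsControl routine, the write-then-delete routine).
SAMPLE_LISTING = """\
APIs
  • Part of subcall function 00405D12: GetModuleHandleA.KERNEL32(?,?,00000000,00403121,00000008), ref: 00405D24
  • Part of subcall function 00405D12: LoadLibraryA.KERNELBASE(?,?,00000000,00403121,00000008), ref: 00405D2F
  • Part of subcall function 00405D12: GetProcAddress.KERNEL32(00000000,?), ref: 00405D40
• GetShortPathNameA.KERNEL32(?,007A0E40,00000400), ref: 00405794
• wsprintfA.USER32 ref: 004057CF
• SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,007A04B8,00000000,-0000000A,00409330,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405875
• WriteFile.KERNEL32(00000000,00000000,?,?,00000000,?,?,00000000,000000F1,?), ref: 00405887
APIs
• DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
• DrawTextA.USER32(00000000,Mount and blade warband versio Setup,000000FF,00000010,00000820), ref: 00401156
APIs
• RemovePropA.USER32(00000000,NSIS: nsControl pointer property), ref: 1000173B
APIs
• WriteFile.KERNEL32(FFFFFD66,00000000,?,FFFFFD66,?,?,?,?,000000F0), ref: 00402737
• CloseHandle.KERNEL32(FFFFFD66,?,?,000000F0), ref: 00402756
• DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,000000F0), ref: 0040276A
"""

CALL_RE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>.*)\))?"          # wsprintfA above carries no argument list at all
    r"\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Loader calls that, paired with GetProcAddress, indicate run-time API resolution.
LOADERS = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW",
           "GetModuleHandleA", "GetModuleHandleW"}

# String arguments that identify installer-framework code. The nsControl string is in the
# dump above; mapping '[Rename]' to NSIS's reboot-rename section is an assumption.
FRAMEWORK_MARKERS = {
    "NSIS: nsControl pointer property": "nsis-nsdialogs",
    "[Rename]": "nsis-reboot-rename",
}


def parse_listing(text):
    """Split a listing into functions (one per 'APIs' header), each a list of call dicts."""
    functions = []
    for line in text.splitlines():
        if line.strip() == "APIs":
            functions.append([])
            continue
        m = CALL_RE.match(line)
        if not m or not functions:
            continue                      # hashes, dump metadata and other headers are skipped
        args = m.group("args")
        functions[-1].append({
            "api": m.group("api"),
            "module": m.group("mod"),
            # The report separates arguments with commas; a string argument that itself
            # contains a comma would be split too, which this parser accepts.
            "args": args.split(",") if args is not None else [],
            "ref": int(m.group("ref"), 16),
            "subcall": m.group("sub"),    # callee address when the call was inlined from a subcall
        })
    return functions


def triage(functions):
    """Return {function_index: [rule, ...]} for the sequences a triager looks for first."""
    flags = {}
    for idx, calls in enumerate(functions):
        found = []
        apis = [c["api"] for c in calls]
        if "GetProcAddress" in apis and LOADERS.intersection(apis):
            found.append("dynamic-api-resolution")
        if "WriteFile" in apis:
            after = apis[apis.index("WriteFile") + 1:]   # order as listed, i.e. by address
            if "DeleteFileA" in after or "DeleteFileW" in after:
                found.append("write-then-delete")
        for call in calls:
            for arg in call["args"]:
                tag = FRAMEWORK_MARKERS.get(arg.strip())
                if tag and tag not in found:
                    found.append(tag)
        if found:
            flags[idx] = found
    return flags


def api_histogram(functions):
    """Count API usage across all functions: the cheap way to see what a stub is made of."""
    return Counter(c["api"] for calls in functions for c in calls)


if __name__ == "__main__":
    funcs = parse_listing(SAMPLE_LISTING)
    for idx, found in sorted(triage(funcs).items()):
        print(f"function #{idx} (first ref {funcs[idx][0]['ref']:08X}): {', '.join(found)}")
```

On the constructed sample this flags the first function for dynamic API resolution and the `[Rename]` marker, the third for the nsControl string and the fourth for write-then-delete, and leaves the paint handler unflagged. The point of running it over a whole report rather than reading function by function is the histogram: an NSIS stub is dominated by USER32/GDI32 dialog calls, so anything outside that profile is where to spend the reversing time.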
                            APIs
                            • GlobalAlloc.KERNEL32(00000040,?), ref: 6E5A11D1
                              • Part of subcall function 6E5A1414: lstrcpyA.KERNEL32(?,?,?,6E5A11DF,00000000), ref: 6E5A1433
                              • Part of subcall function 6E5A1414: GlobalFree.KERNEL32(?), ref: 6E5A1443
                            • lstrcmpiA.KERNEL32(00000000,/NOTIFY), ref: 6E5A122E
                            • SetWindowLongA.USER32(?,00000004,6E5A10E0), ref: 6E5A127F
                            • GetDlgItem.USER32(?,00000000), ref: 6E5A128B
                            • FindWindowExA.USER32(?,00000000,#32770,00000000), ref: 6E5A129D
                            • SetWindowLongA.USER32(00000000,00000004,6E5A1080), ref: 6E5A12B8
                            • GlobalFree.KERNEL32(00000000), ref: 6E5A12C1
                             Memory Dump Source
                             • Source File: 00000000.00000002.3358879072.000000006E5A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6E5A0000, based on PE: true
                             • Associated: 00000000.00000002.3358865606.000000006E5A0000.00000002.00000001.01000000.00000006.sdmp
                             • Associated: 00000000.00000002.3358891417.000000006E5A2000.00000002.00000001.01000000.00000006.sdmp
                             • Associated: 00000000.00000002.3358907819.000000006E5A4000.00000002.00000001.01000000.00000006.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6e5a0000_7Y18r(199).jbxd
                            Similarity
                            • API ID: GlobalWindow$FreeLong$AllocFindItemlstrcmpilstrcpy
                            • String ID: #32770$/NOTIFY
                            • API String ID: 1156966252-2748884102
                            • Opcode ID: bef51e49d4da51708df00ce117e7abfbcb3230c3a21e6039629fdc7258ce0645
                            • Instruction ID: 4c5eb3ba781849367c0c58bf072d9de170db949798ececf659b0059bab2c44a3
                            • Opcode Fuzzy Hash: bef51e49d4da51708df00ce117e7abfbcb3230c3a21e6039629fdc7258ce0645
                            • Instruction Fuzzy Hash: FD314EF4504A01EBDB00DFAECA49A6E7BEEFB4B3597028516EB05D7241EB30D804CB64
                            APIs
                            • CharNextA.USER32(?,*?|<>/":,00000000,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\7Y18r(199).exe",C:\Users\user\AppData\Local\Temp\,00000000,004030B6,C:\Users\user\AppData\Local\Temp\,00000000,00403228), ref: 00405CAA
                            • CharNextA.USER32(?,?,?,00000000), ref: 00405CB7
                            • CharNextA.USER32(?,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\7Y18r(199).exe",C:\Users\user\AppData\Local\Temp\,00000000,004030B6,C:\Users\user\AppData\Local\Temp\,00000000,00403228), ref: 00405CBC
                            • CharPrevA.USER32(?,?,"C:\Users\user\Desktop\7Y18r(199).exe",C:\Users\user\AppData\Local\Temp\,00000000,004030B6,C:\Users\user\AppData\Local\Temp\,00000000,00403228), ref: 00405CCC
                             Memory Dump Source
                             • Source File: 00000000.00000002.3357962289.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000000.00000002.3357942440.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3357981131.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3358003440.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3358003440.000000000077A000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3358003440.0000000000780000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3358003440.0000000000784000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3358003440.0000000000788000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3358003440.000000000078D000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3358003440.0000000000795000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3358003440.00000000007A0000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3358003440.00000000007A5000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3358003440.00000000007A8000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3358003440.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3358003440.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3358003440.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3358382659.00000000007B7000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_7Y18r(199).jbxd
                            Similarity
                            • API ID: Char$Next$Prev
                            • String ID: "C:\Users\user\Desktop\7Y18r(199).exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
                            • API String ID: 589700163-1463001479
                            • Opcode ID: 5aa71b13a4eda0142438c40892e2bf660e792717ed83394db4a483eb7dc85cb7
                            • Instruction ID: 7689e4b4801a359f66f53c78b0d93180a9ac7ee38d4886d9260c1dcf5575a0d1
                            • Opcode Fuzzy Hash: 5aa71b13a4eda0142438c40892e2bf660e792717ed83394db4a483eb7dc85cb7
                            • Instruction Fuzzy Hash: B311BF5180DB952EFB3216280C44B77BF99CB97B64F18487BE8C4722C2D67C5C429A6D
                            APIs
                            • GetWindowLongA.USER32(?,000000EB), ref: 00403E26
                            • GetSysColor.USER32(00000000), ref: 00403E42
                            • SetTextColor.GDI32(?,00000000), ref: 00403E4E
                            • SetBkMode.GDI32(?,?), ref: 00403E5A
                            • GetSysColor.USER32(?), ref: 00403E6D
                            • SetBkColor.GDI32(?,?), ref: 00403E7D
                            • DeleteObject.GDI32(?), ref: 00403E97
                            • CreateBrushIndirect.GDI32(?), ref: 00403EA1
                            Memory Dump Source
                            • Source File: 00000000.00000002.3357962289.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000000.00000002.3357942440.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3357981131.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3358003440.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3358003440.000000000077A000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3358003440.0000000000780000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3358003440.0000000000784000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3358003440.0000000000788000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3358003440.000000000078D000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3358003440.0000000000795000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3358003440.00000000007A0000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3358003440.00000000007A5000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3358003440.00000000007A8000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3358003440.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3358003440.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3358003440.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3358382659.00000000007B7000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_7Y18r(199).jbxd
                            Similarity
                            • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                            • String ID:
                            • API String ID: 2320649405-0
                            • Opcode ID: 54c4c26d0880f537c7164b4e2121e342b47f232b14c6c2566c024284623f766e
                            • Instruction ID: 23fe23233752db352f6be517f60e1726b7b78b34ca8d68f921d759bc1ba8debd
                            • Opcode Fuzzy Hash: 54c4c26d0880f537c7164b4e2121e342b47f232b14c6c2566c024284623f766e
                            • Instruction Fuzzy Hash: EC219671904744ABC7219F78DD08B4BBFF8AF00715F048A69F855E22E0D338EA04CB95
                            APIs
                            • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,000000F0), ref: 004026D0
                            • GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,000000F0), ref: 004026EC
                            • GlobalFree.KERNEL32(?), ref: 00402725
                            • WriteFile.KERNEL32(FFFFFD66,00000000,?,FFFFFD66,?,?,?,?,000000F0), ref: 00402737
                            • GlobalFree.KERNEL32(00000000), ref: 0040273E
                            • CloseHandle.KERNEL32(FFFFFD66,?,?,000000F0), ref: 00402756
                            • DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,000000F0), ref: 0040276A
                            Memory Dump Source
                            • Source File: 00000000.00000002.3357962289.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000000.00000002.3357942440.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3357981131.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3358003440.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3358003440.000000000077A000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3358003440.0000000000780000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3358003440.0000000000784000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3358003440.0000000000788000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3358003440.000000000078D000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3358003440.0000000000795000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3358003440.00000000007A0000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3358003440.00000000007A5000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3358003440.00000000007A8000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3358003440.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3358003440.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3358003440.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3358382659.00000000007B7000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_7Y18r(199).jbxd
                            Similarity
                            • API ID: Global$AllocFileFree$CloseDeleteHandleWrite
                            • String ID:
                            • API String ID: 3294113728-0
                            • Opcode ID: f1cba3d73995f492d77871ffa6bbd3112d603c6fe9c948512c51a4f784bb3d54
                            • Instruction ID: d17638687656c2af98ffed251a41a25e7d839fa69c709fd570dd4870017581e2
                            • Opcode Fuzzy Hash: f1cba3d73995f492d77871ffa6bbd3112d603c6fe9c948512c51a4f784bb3d54
                            • Instruction Fuzzy Hash: FA318D71C00128BBDF216FA9CD89DAE7E78EF04364F10422AF924762E0C7795D419BA9
                            APIs
                            • lstrlenA.KERNEL32(0079E488,00000000,0078EA58,00789858,?,?,?,?,?,?,?,?,?,00402F95,00000000,?), ref: 00404DC7
                            • lstrlenA.KERNEL32(00402F95,0079E488,00000000,0078EA58,00789858,?,?,?,?,?,?,?,?,?,00402F95,00000000), ref: 00404DD7
                            • lstrcatA.KERNEL32(0079E488,00402F95,00402F95,0079E488,00000000,0078EA58,00789858), ref: 00404DEA
                            • SetWindowTextA.USER32(0079E488,0079E488), ref: 00404DFC
                            • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404E22
                            • SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404E3C
                            • SendMessageA.USER32(?,00001013,?,00000000), ref: 00404E4A
                            Memory Dump Source
                            • Source File: 00000000.00000002.3357962289.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_7Y18r(199).jbxd
                            Similarity
                            • API ID: MessageSend$lstrlen$TextWindowlstrcat
                            • String ID:
                            • API String ID: 2531174081-0
                            • Opcode ID: 7c946aa882376e61021ad55a98b95887a42e7d284b2945170bbcda9cef4c4f1f
                            • Instruction ID: 911b2357669dfc4f2dcc682043719c86eb8e783607cd55d570bb929c3ee146d9
                            • Opcode Fuzzy Hash: 7c946aa882376e61021ad55a98b95887a42e7d284b2945170bbcda9cef4c4f1f
                            • Instruction Fuzzy Hash: C12190B1900158BBDF019FA5DD80ADEBFA9EF45354F14807AFA04B6291C2788E408FA8
                            APIs
                            • SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 00404678
                            • GetMessagePos.USER32 ref: 00404680
                            • ScreenToClient.USER32(?,?), ref: 0040469A
                            • SendMessageA.USER32(?,00001111,00000000,?), ref: 004046AC
                            • SendMessageA.USER32(?,0000110C,00000000,?), ref: 004046D2
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.3357962289.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_7Y18r(199).jbxd
                            Similarity
                            • API ID: Message$Send$ClientScreen
                            • String ID: f
                            • API String ID: 41195575-1993550816
                            • Opcode ID: 2a5698d5089c35727aab5c3c5da7bcfb0b51a0b1d2cb1bbeaafe9db8233e3477
                            • Instruction ID: e7c9d57121ddc41c0a3d2f02451d01aacee450f322fa05715597327617e8ebb1
                            • Opcode Fuzzy Hash: 2a5698d5089c35727aab5c3c5da7bcfb0b51a0b1d2cb1bbeaafe9db8233e3477
                            • Instruction Fuzzy Hash: B4014C71D00219BADB01DBA4DC85FEEBBB8AB59711F10012ABB00B61C0D7B8A9458BA5
                            APIs
                            • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402B56
                            • MulDiv.KERNEL32(0001501B,00000064,0001501F), ref: 00402B81
                            • wsprintfA.USER32 ref: 00402B91
                            • SetWindowTextA.USER32(?,?), ref: 00402BA1
                            • SetDlgItemTextA.USER32(?,00000406,?), ref: 00402BB3
                            Strings
                            • verifying installer: %d%%, xrefs: 00402B8B
                            Memory Dump Source
                            • Source File: 00000000.00000002.3357962289.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_7Y18r(199).jbxd
                            Similarity
                            • API ID: Text$ItemTimerWindowwsprintf
                            • String ID: verifying installer: %d%%
                            • API String ID: 1451636040-82062127
                            • Opcode ID: 65107b1068d714d130bf360d889ba00a24a3bf290c2fc781fa33bc1375505f6a
                            • Instruction ID: 4c5115f8b5e1a61e63b67e418306830d6b2221a3fa7de7be1d1b1d9c34ebd618
                            • Opcode Fuzzy Hash: 65107b1068d714d130bf360d889ba00a24a3bf290c2fc781fa33bc1375505f6a
                            • Instruction Fuzzy Hash: E301447094020DBBDB209F60DD09EAE37A9BB04345F008039FA06A92D1D7B89A158F99
                            APIs
                            • RegCreateKeyExA.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 00402341
                            • lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nshD690.tmp,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 00402361
                            • RegSetValueExA.ADVAPI32(?,?,?,?,C:\Users\user\AppData\Local\Temp\nshD690.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 0040239A
                            • RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nshD690.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 0040247D
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.3357962289.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_7Y18r(199).jbxd
                            Similarity
                            • API ID: CloseCreateValuelstrlen
                            • String ID: C:\Users\user\AppData\Local\Temp\nshD690.tmp
                            • API String ID: 1356686001-1590289044
                            • Opcode ID: 35f69cb458b450af0dd53c45f8c1da4de3985c5726f62db4196f3e04ea9c34e1
                            • Instruction ID: d3b1d8695df3eedb6d484e206247d6e4ffffe6f82d7309af67a8b840a12edaae
                            • Opcode Fuzzy Hash: 35f69cb458b450af0dd53c45f8c1da4de3985c5726f62db4196f3e04ea9c34e1
                            • Instruction Fuzzy Hash: D41163B1E00209BFEB10AFA4DE89EAF767CFB44398F10413AF905B71D0D6B95D019669
                            APIs
                              • Part of subcall function 10001DD9: lstrcpynA.KERNEL32(10001054,?,?,?,10001054,?), ref: 10001E06
                              • Part of subcall function 10001DD9: GlobalFree.KERNEL32 ref: 10001E16
                            • SHBrowseForFolderA.SHELL32(?,?,00000400,?,00000104), ref: 100010A8
                            • SHGetPathFromIDListA.SHELL32(00000000,?), ref: 100010C8
                            • CoTaskMemFree.OLE32(00000000,error), ref: 100010E6
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.3358809541.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_10000000_7Y18r(199).jbxd
                            Similarity
                            • API ID: Free$BrowseFolderFromGlobalListPathTasklstrcpyn
                            • String ID: E$error
                            • API String ID: 1728609016-2359134700
                            • Opcode ID: e1a7eb802c3a0e6178e2f854ce9366eb71ade3bb25b89a52586c1a3f4d4a4e58
                            • Instruction ID: c5b31664aa199b9ded98f2e5680432c5be8bc3db31d95fa12b81e091e202fa71
                            • Opcode Fuzzy Hash: e1a7eb802c3a0e6178e2f854ce9366eb71ade3bb25b89a52586c1a3f4d4a4e58
                            • Instruction Fuzzy Hash: AE214DB58012699BEB11CF91DD85BDE77FCEB083C1F004152EA45E7108EB75EA848F91
                            APIs
                            • GetDC.USER32(?), ref: 00401D22
                            • GetDeviceCaps.GDI32(00000000), ref: 00401D29
                            • MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D38
                            • CreateFontIndirectA.GDI32(0040AF54), ref: 00401D8A
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.3357962289.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_7Y18r(199).jbxd
                            Similarity
                            • API ID: CapsCreateDeviceFontIndirect
                            • String ID: Microsoft Sans Serif
                            • API String ID: 3272661963-3285577483
                            • Opcode ID: 78f79da71c4801185515a33ee10eecec6988933ac577fdebba6a0d8b1e27de8a
                            • Instruction ID: b07056355aa748e9637186271e62d846d47d93c63a22b35c813f822f854c06ae
                            • Opcode Fuzzy Hash: 78f79da71c4801185515a33ee10eecec6988933ac577fdebba6a0d8b1e27de8a
                            • Instruction Fuzzy Hash: 48F0A4F0A44341AEE7016770AE0AB993B649719305F140436F241BA1E3C5BC0414DB7F
                            APIs
                            • RegOpenKeyExA.ADVAPI32(?,?,00000000,?,?), ref: 00402A57
                            • RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402A93
                            • RegCloseKey.ADVAPI32(?), ref: 00402A9C
                            • RegCloseKey.ADVAPI32(?), ref: 00402AC1
                            • RegDeleteKeyA.ADVAPI32(?,?), ref: 00402ADF
                            Memory Dump Source
                            • Source File: 00000000.00000002.3357962289.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_7Y18r(199).jbxd
                            Similarity
                            • API ID: Close$DeleteEnumOpen
                            • String ID:
                            • API String ID: 1912718029-0
                            • Opcode ID: a0ede783c1c14f31dceae3eff69e8610737a26339735157f287b51b4e95df90e
                            • Instruction ID: d37bb7f39c88b774a7be6041cf008def183204316efedf1aff79e29a05d1abcd
                            • Opcode Fuzzy Hash: a0ede783c1c14f31dceae3eff69e8610737a26339735157f287b51b4e95df90e
                            • Instruction Fuzzy Hash: 22113A75600009FFDF21AF90DE49DAB7B6DEB84344B108036FA05A10E0DBB59E52AF69
                            APIs
                            • GetDlgItem.USER32(?), ref: 00401CC5
                            • GetClientRect.USER32(00000000,?), ref: 00401CD2
                            • LoadImageA.USER32(?,00000000,?,?,?,?), ref: 00401CF3
                            • SendMessageA.USER32(00000000,00000172,?,00000000), ref: 00401D01
                            • DeleteObject.GDI32(00000000), ref: 00401D10
                            Memory Dump Source
                            • Source File: 00000000.00000002.3357962289.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_7Y18r(199).jbxd
                            Similarity
                            • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                            • String ID:
                            • API String ID: 1849352358-0
                            • Opcode ID: 4cb08ea776c253760630ebab50e56f3cb4b8185907ba3b390f2d770fe9724cea
                            • Instruction ID: 6cac6728625c50fa62f3debf762ff21453b98aa54e3a27d026f271b72aada3ae
                            • Opcode Fuzzy Hash: 4cb08ea776c253760630ebab50e56f3cb4b8185907ba3b390f2d770fe9724cea
                            • Instruction Fuzzy Hash: 8AF06DB2E04105BFD700EBA4EE88DAFB7BCEB44344B004476F602F2090C6389D018B29
                            APIs
                            • CharNextA.USER32()S@,?,C:\Users\user\AppData\Local\Temp\nshD690.tmp,00000000,004055DB,C:\Users\user\AppData\Local\Temp\nshD690.tmp,C:\Users\user\AppData\Local\Temp\nshD690.tmp,?,?,00000000,00405329,?,"C:\Users\user\Desktop\7Y18r(199).exe",00000000), ref: 00405585
                            • CharNextA.USER32(00000000), ref: 0040558A
                            • CharNextA.USER32(00000000), ref: 00405599
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.3357962289.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_7Y18r(199).jbxd
                            Similarity
                            • API ID: CharNext
                            • String ID: )S@$C:\Users\user\AppData\Local\Temp\nshD690.tmp
                            • API String ID: 3213498283-1619993823
                            • Opcode ID: 68c7f773aafbecf3834176a21eebbfbca0b4bda0270daf5a8c718fc322178301
                            • Instruction ID: 986bac38fae6e29e8d308ce63eb2e299cdb348cdc64b8b0e232f7fb5ff74d272
                            • Opcode Fuzzy Hash: 68c7f773aafbecf3834176a21eebbfbca0b4bda0270daf5a8c718fc322178301
                            • Instruction Fuzzy Hash: 91F0A791D05A21B7F72222644C49B6F5BADDB59710F140477E100B61D592BC4C82CFAA
                            APIs
                            • lstrlenA.KERNEL32(0079ECB0,0079ECB0,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,0040449B,000000DF,0000040F,00000400,00000000), ref: 00404609
                            • wsprintfA.USER32 ref: 00404611
                            • SetDlgItemTextA.USER32(?,0079ECB0), ref: 00404624
                            Memory Dump Source
                            • Source File: 00000000.00000002.3357962289.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.3357942440.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3357981131.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.000000000077A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000780000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000784000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000788000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.000000000078D000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000795000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007A0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007A5000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007A8000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358382659.00000000007B7000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_7Y18r(199).jbxd
                            Similarity
                            • API ID: ItemTextlstrlenwsprintf
                            • String ID: %u.%u%s%s
                            • API String ID: 3540041739-3551169577
                            • Opcode ID: 0df45964844d9ddb2fe3b9f5595076d9c8974c465ceb43beb8d7be15ebaff978
                            • Instruction ID: 0ef31870237fd37ffc6c63c08a378dc6be541b4d7cbe3fd16cf2258ec9441b00
                            • Opcode Fuzzy Hash: 0df45964844d9ddb2fe3b9f5595076d9c8974c465ceb43beb8d7be15ebaff978
                            • Instruction Fuzzy Hash: 5A1108737001243BEB00626A9C45FAF3249DBC6335F14423BFA25F61D1E9789C1186E9
                            APIs
                            • SetWindowTextA.USER32(00000000,Mount and blade warband versio Setup), ref: 0040389A
                            Memory Dump Source
                            • Source File: 00000000.00000002.3357962289.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.3357942440.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3357981131.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.000000000077A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000780000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000784000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000788000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.000000000078D000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000795000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007A0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007A5000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007A8000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358382659.00000000007B7000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_7Y18r(199).jbxd
                            Similarity
                            • API ID: TextWindow
                            • String ID: 1033$C:\Users\user\AppData\Local\Temp\$Mount and blade warband versio Setup
                            • API String ID: 530164218-3260960769
                            • Opcode ID: 4978258438137e95e4771e022528e5c10f7b60ecf2e5b415123a8070e6729062
                            • Instruction ID: 71fcf7a4c25086905bfc9d19c1bb67ea60a05b000740a51653418da127233ed1
                            • Opcode Fuzzy Hash: 4978258438137e95e4771e022528e5c10f7b60ecf2e5b415123a8070e6729062
                            • Instruction Fuzzy Hash: DB11D176A041019BD724AF19DC80A3337EDEBC6756728C2BBF801677A1D63D9D029B58
                            APIs
                              • Part of subcall function 100013C6: GetPropA.USER32(?,NSIS: nsControl pointer property), ref: 100013CF
                            • LoadCursorA.USER32(00000000,00007F89), ref: 1000149C
                            • SetCursor.USER32(00000000,?,?,?), ref: 100014A3
                            • CallWindowProcA.USER32(?,?,00000020,?,?), ref: 100014C0
                            Memory Dump Source
                            • Source File: 00000000.00000002.3358809541.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true
                            • Associated: 00000000.00000002.3358795936.0000000010000000.00000002.00000001.01000000.00000005.sdmp
                            • Associated: 00000000.00000002.3358823763.0000000010003000.00000002.00000001.01000000.00000005.sdmp
                            • Associated: 00000000.00000002.3358837265.0000000010004000.00000008.00000001.01000000.00000005.sdmp
                            • Associated: 00000000.00000002.3358850867.0000000010007000.00000002.00000001.01000000.00000005.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_10000000_7Y18r(199).jbxd
                            Similarity
                            • API ID: Cursor$CallLoadProcPropWindow
                            • String ID:
                            • API String ID: 1635134901-3916222277
                            • Opcode ID: af7a24d79bba28b0373c8a06307af88f9924382bbc0fc11fee82021492e34f15
                            • Instruction ID: 0556be71602f8ff1d696ea859767fe994534909fc462006999ad460077578aeb
                            • Opcode Fuzzy Hash: af7a24d79bba28b0373c8a06307af88f9924382bbc0fc11fee82021492e34f15
                            • Instruction Fuzzy Hash: 3CE0C932545209BBEF529FA0CC05ADA3BA9EB083D1F01C420FA1994079C7719560AFA1
                            APIs
                            • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,007A0CB8,Error launching installer), ref: 00405275
                            • CloseHandle.KERNEL32(?), ref: 00405282
                            Strings
                            • C:\Users\user\AppData\Local\Temp\, xrefs: 00405250
                            • Error launching installer, xrefs: 00405263
                            Memory Dump Source
                            • Source File: 00000000.00000002.3357962289.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.3357942440.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3357981131.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.000000000077A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000780000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000784000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000788000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.000000000078D000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000795000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007A0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007A5000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007A8000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358382659.00000000007B7000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_7Y18r(199).jbxd
                            Similarity
                            • API ID: CloseCreateHandleProcess
                            • String ID: C:\Users\user\AppData\Local\Temp\$Error launching installer
                            • API String ID: 3712363035-4043152584
                            • Opcode ID: d9230f062b0808db09ac1187b32078dd7bb69549eb0ac679bf663652bf3a1df3
                            • Instruction ID: a814f4e937b64091bc5a9fe4b24cddb9c30c3b085a7c0cc379bd18a51cbec2e9
                            • Opcode Fuzzy Hash: d9230f062b0808db09ac1187b32078dd7bb69549eb0ac679bf663652bf3a1df3
                            • Instruction Fuzzy Hash: A3E0ECB4904209ABEB409FA4DD099AB7BBCFB01304B008A25AD11E2250D778D514CAB9
                            APIs
                            • lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,004030C8,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403228), ref: 004054E9
                            • CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,004030C8,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403228), ref: 004054F2
                            • lstrcatA.KERNEL32(?,00409010), ref: 00405503
                            Strings
                            • C:\Users\user\AppData\Local\Temp\, xrefs: 004054E3
                            Memory Dump Source
                            • Source File: 00000000.00000002.3357962289.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.3357942440.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3357981131.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.000000000077A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000780000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000784000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000788000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.000000000078D000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000795000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007A0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007A5000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007A8000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358382659.00000000007B7000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_7Y18r(199).jbxd
                            Similarity
                            • API ID: CharPrevlstrcatlstrlen
                            • String ID: C:\Users\user\AppData\Local\Temp\
                            • API String ID: 2659869361-3936084776
                            • Opcode ID: f17b2ccdaa8efd10834e0f4341d4d5b977b2bb6e8559feba5c8cad9ccc1df0ef
                            • Instruction ID: e709143d7c6029c9bacde6b4fa316c5d863d3e1b5f856ca0ff26f77f6592c41c
                            • Opcode Fuzzy Hash: f17b2ccdaa8efd10834e0f4341d4d5b977b2bb6e8559feba5c8cad9ccc1df0ef
                            • Instruction Fuzzy Hash: 5ED0A9A2605AB03EE2022A158C05E8F7A08CF52351B054422F100B22D2C23C6D418FFE
                            APIs
                            • lstrlenA.KERNEL32(7622F380,00000400,?,00000400,?,7622F380,00000000), ref: 10001335
                            • CharPrevA.USER32(7622F380,00000000,?,7622F380,00000000), ref: 1000133F
                            • MulDiv.KERNEL32(?,00000000,00000064), ref: 10001361
                            • MapDialogRect.USER32(7622F380,7622F380), ref: 10001386
                            Memory Dump Source
                            • Source File: 00000000.00000002.3358809541.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true
                            • Associated: 00000000.00000002.3358795936.0000000010000000.00000002.00000001.01000000.00000005.sdmp
                            • Associated: 00000000.00000002.3358823763.0000000010003000.00000002.00000001.01000000.00000005.sdmp
                            • Associated: 00000000.00000002.3358837265.0000000010004000.00000008.00000001.01000000.00000005.sdmp
                            • Associated: 00000000.00000002.3358850867.0000000010007000.00000002.00000001.01000000.00000005.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_10000000_7Y18r(199).jbxd
                            Similarity
                            • API ID: CharDialogPrevRectlstrlen
                            • String ID:
                            • API String ID: 3411278111-0
                            • Opcode ID: ee05941cbb0010e5f5c6526b921f77febfcf527a02eae7712f4de4b9ee175961
                            • Instruction ID: c0227da4e0a6f8b068a6b3556f96f506b12a61a0069e54e06ba25e2db4e352f6
                            • Opcode Fuzzy Hash: ee05941cbb0010e5f5c6526b921f77febfcf527a02eae7712f4de4b9ee175961
                            • Instruction Fuzzy Hash: 4F113435E02668EBEB25CB44CC48BDF7BB8EF007E5F018451FD15A665AC330AA008BD1
                            APIs
                            • GetFileVersionInfoSizeA.VERSION(00000000,?,000000EE), ref: 00401ED4
                            • GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 00401EF2
                            • GetFileVersionInfoA.VERSION(?,?,?,00000000), ref: 00401F0B
                            • VerQueryValueA.VERSION(?,00409010,?,?,?,?,?,00000000), ref: 00401F24
                              • Part of subcall function 0040594E: wsprintfA.USER32 ref: 0040595B
                            Memory Dump Source
                            • Source File: 00000000.00000002.3357962289.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.3357942440.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3357981131.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.000000000077A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000780000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000784000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000788000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.000000000078D000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000795000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007A0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007A5000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007A8000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358382659.00000000007B7000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_7Y18r(199).jbxd
                            Similarity
                            • API ID: FileInfoVersion$AllocGlobalQuerySizeValuewsprintf
                            • String ID:
                            • API String ID: 1404258612-0
                            • Opcode ID: fc7fccfa304c0981f5f2548b59b79dd0efeb22a75f109edf33b579c09c3987e7
                            • Instruction ID: 2158e3bfc32ceb83b949eeb287646ec12c5f6ae98c75d4272555de6f69af3fcd
                            • Opcode Fuzzy Hash: fc7fccfa304c0981f5f2548b59b79dd0efeb22a75f109edf33b579c09c3987e7
                            • Instruction Fuzzy Hash: 7E113A71A00109BFDB01EFA9D941DAEBBB9EB04354B20803AF501F61A1D7389E509B28
                            APIs
                            • CallWindowProcA.USER32(?,?,?,?), ref: 1000143B
                            • DestroyWindow.USER32 ref: 10001452
                            • GetProcessHeap.KERNEL32(00000000), ref: 1000145F
                            • HeapFree.KERNEL32(00000000), ref: 10001466
                            Memory Dump Source
                            • Source File: 00000000.00000002.3358809541.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true
                            • Associated: 00000000.00000002.3358795936.0000000010000000.00000002.00000001.01000000.00000005.sdmp
                            • Associated: 00000000.00000002.3358823763.0000000010003000.00000002.00000001.01000000.00000005.sdmp
                            • Associated: 00000000.00000002.3358837265.0000000010004000.00000008.00000001.01000000.00000005.sdmp
                            • Associated: 00000000.00000002.3358850867.0000000010007000.00000002.00000001.01000000.00000005.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_10000000_7Y18r(199).jbxd
                            Similarity
                            • API ID: HeapWindow$CallDestroyFreeProcProcess
                            • String ID:
                            • API String ID: 1278960361-0
                            • Opcode ID: 7b9cd953bd664abae8205231ba6a83e54e7b9c286202457f16ecc7c69d2d5d03
                            • Instruction ID: a637dc317a5f84f288a8c6f0a953db2449819efd3de5f231667a3370de739b3b
                            • Opcode Fuzzy Hash: 7b9cd953bd664abae8205231ba6a83e54e7b9c286202457f16ecc7c69d2d5d03
                            • Instruction Fuzzy Hash: DD011E32500266EBEB029F95DC9899F3BB9FB453E3B51C525FA5882078C7328854DFA0
                            APIs
                            • DestroyWindow.USER32(00000000,00000000,00402D9E,00000001), ref: 00402BD1
                            • GetTickCount.KERNEL32 ref: 00402BEF
                            • CreateDialogParamA.USER32(0000006F,00000000,00402B3B,00000000), ref: 00402C0C
                            • ShowWindow.USER32(00000000,00000005), ref: 00402C1A
                            Memory Dump Source
                            • Source File: 00000000.00000002.3357962289.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.3357942440.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3357981131.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.000000000077A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000780000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000784000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000788000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.000000000078D000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000795000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007A0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007A5000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007A8000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358382659.00000000007B7000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_7Y18r(199).jbxd
                            Similarity
                            • API ID: Window$CountCreateDestroyDialogParamShowTick
                            • String ID:
                            • API String ID: 2102729457-0
                            • Opcode ID: bd15fe8ff630f74c3c74ec1cbce7697780f165a6fcf8a9f74f7ee01d53d3af79
                            • Instruction ID: 98320f0ae8b6720e3b6d9d74574a2ceb670996fd74052e76469ec6b1987fa065
                            • Opcode Fuzzy Hash: bd15fe8ff630f74c3c74ec1cbce7697780f165a6fcf8a9f74f7ee01d53d3af79
                            • Instruction Fuzzy Hash: ADF0DA30909660AFC6526F14BD4CE9B7BB4EB45B11720846BF000A56E8D67C68838FAD
                            APIs
                            • IsWindowVisible.USER32(?), ref: 00404D14
                            • CallWindowProcA.USER32(?,00000200,?,?), ref: 00404D82
                              • Part of subcall function 00403DEE: SendMessageA.USER32(00010434,00000000,00000000,00000000), ref: 00403E00
                            Memory Dump Source
                            • Source File: 00000000.00000002.3357962289.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.3357942440.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3357981131.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.000000000077A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000780000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000784000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000788000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.000000000078D000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000795000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007A0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007A5000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007A8000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358382659.00000000007B7000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_7Y18r(199).jbxd
                            Similarity
                            • API ID: Window$CallMessageProcSendVisible
                            • String ID:
                            • API String ID: 3748168415-3916222277
                            • Opcode ID: 5b39820ff8f773f03edf67c88da1177ce85fd4a60d64262dd42d50fba93a8252
                            • Instruction ID: b09a32081a92bc9a79a32443d7b2594649c1b5fd5233278ba07b417df8349623
                            • Opcode Fuzzy Hash: 5b39820ff8f773f03edf67c88da1177ce85fd4a60d64262dd42d50fba93a8252
                            • Instruction Fuzzy Hash: D1118CB1500608FBEF21AF629C41A9B3B29EF85365F00843BFA08791E1C77D8D519B69
                            APIs
                              • Part of subcall function 004059F0: lstrcpynA.KERNEL32(?,?,00000400,0040314C,Mount and blade warband versio Setup,NSIS Error), ref: 004059FD
                              • Part of subcall function 00405577: CharNextA.USER32()S@,?,C:\Users\user\AppData\Local\Temp\nshD690.tmp,00000000,004055DB,C:\Users\user\AppData\Local\Temp\nshD690.tmp,C:\Users\user\AppData\Local\Temp\nshD690.tmp,?,?,00000000,00405329,?,"C:\Users\user\Desktop\7Y18r(199).exe",00000000), ref: 00405585
                              • Part of subcall function 00405577: CharNextA.USER32(00000000), ref: 0040558A
                              • Part of subcall function 00405577: CharNextA.USER32(00000000), ref: 00405599
                            • lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nshD690.tmp,00000000,C:\Users\user\AppData\Local\Temp\nshD690.tmp,C:\Users\user\AppData\Local\Temp\nshD690.tmp,?,?,00000000,00405329,?,"C:\Users\user\Desktop\7Y18r(199).exe",00000000), ref: 00405617
                            • GetFileAttributesA.KERNEL32(C:\Users\user\AppData\Local\Temp\nshD690.tmp,C:\Users\user\AppData\Local\Temp\nshD690.tmp,C:\Users\user\AppData\Local\Temp\nshD690.tmp,C:\Users\user\AppData\Local\Temp\nshD690.tmp,C:\Users\user\AppData\Local\Temp\nshD690.tmp,C:\Users\user\AppData\Local\Temp\nshD690.tmp,00000000,C:\Users\user\AppData\Local\Temp\nshD690.tmp,C:\Users\user\AppData\Local\Temp\nshD690.tmp,?,?,00000000,00405329,?,"C:\Users\user\Desktop\7Y18r(199).exe",00000000), ref: 00405627
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.3357962289.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.3357942440.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3357981131.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.000000000077A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000780000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000784000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000788000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.000000000078D000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000795000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007A0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007A5000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007A8000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358382659.00000000007B7000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_7Y18r(199).jbxd
                            Similarity
                            • API ID: CharNext$AttributesFilelstrcpynlstrlen
                            • String ID: C:\Users\user\AppData\Local\Temp\nshD690.tmp
                            • API String ID: 3248276644-1590289044
                            • Opcode ID: e62e85958521931daf907b6ee03321bf38f784738d0a6598cd20e6736ca23316
                            • Instruction ID: d8531eff54492fae1d1b397b17b2d185736321b01167f469de158e395d615a3e
                            • Opcode Fuzzy Hash: e62e85958521931daf907b6ee03321bf38f784738d0a6598cd20e6736ca23316
                            • Instruction Fuzzy Hash: 1EF0C835119D5027C62632395C09BAF0646CE873687580A3BF855B22D6DA3C8943DE6E
                            APIs
                            • lstrlenA.KERNEL32(00000000,00000011), ref: 004024DC
                            • WriteFile.KERNEL32(00000000,?,C:\Users\user\AppData\Local\Temp\nshD690.tmp\ButtonEvent.dll,00000000,?,?,00000000,00000011), ref: 004024FB
                            Strings
                            • C:\Users\user\AppData\Local\Temp\nshD690.tmp\ButtonEvent.dll, xrefs: 004024CA, 004024EF
                            Memory Dump Source
                            • Source File: 00000000.00000002.3357962289.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.3357942440.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3357981131.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.000000000077A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000780000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000784000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000788000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.000000000078D000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000795000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007A0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007A5000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007A8000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358382659.00000000007B7000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_7Y18r(199).jbxd
                            Similarity
                            • API ID: FileWritelstrlen
                            • String ID: C:\Users\user\AppData\Local\Temp\nshD690.tmp\ButtonEvent.dll
                            • API String ID: 427699356-271703358
                            • Opcode ID: 6fd38ce29710039434eee7cce7a5715362e5abd9f688fb83b9262d15ea12c72a
                            • Instruction ID: 1d98fa99eea3a1a616edd465b6dea10be8af393ee252082501488cb5feb669af
                            • Opcode Fuzzy Hash: 6fd38ce29710039434eee7cce7a5715362e5abd9f688fb83b9262d15ea12c72a
                            • Instruction Fuzzy Hash: E0F0E9B2A04241FFDB00FBA09E49AAF3358DB00348F14443BB246F50C2D6FC49419B6D
                            APIs
                            • FreeLibrary.KERNEL32(?,"C:\Users\user\Desktop\7Y18r(199).exe",00000000,00000000,0040347C,004032CF,00000000), ref: 004034BE
                            • GlobalFree.KERNEL32(00B3EA78), ref: 004034C5
                            Strings
                            • "C:\Users\user\Desktop\7Y18r(199).exe", xrefs: 004034B6
                            Memory Dump Source
                            • Source File: 00000000.00000002.3357962289.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.3357942440.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3357981131.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.000000000077A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000780000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000784000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000788000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.000000000078D000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000795000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007A0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007A5000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007A8000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358382659.00000000007B7000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_7Y18r(199).jbxd
                            Similarity
                            • API ID: Free$GlobalLibrary
                            • String ID: "C:\Users\user\Desktop\7Y18r(199).exe"
                            • API String ID: 1100898210-3002677813
                            • Opcode ID: 7d973b026f89a749e9d327b389494374123d6ef0d80c577f250b9175207848b8
                            • Instruction ID: a746e40cbda2423a8574b3332e73c2cc94ca5bfe626277793211dcf4f29bdea7
                            • Opcode Fuzzy Hash: 7d973b026f89a749e9d327b389494374123d6ef0d80c577f250b9175207848b8
                            • Instruction Fuzzy Hash: 9FE08C328008219BC6221F85AD0476A7A686F85B22F05842BE8007B2A087B82C42CBE8
                            APIs
                            • lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402C8E,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\7Y18r(199).exe,C:\Users\user\Desktop\7Y18r(199).exe,80000000,00000003), ref: 00405530
                            • CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402C8E,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\7Y18r(199).exe,C:\Users\user\Desktop\7Y18r(199).exe,80000000,00000003), ref: 0040553E
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.3357962289.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.3357942440.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3357981131.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.000000000077A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000780000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000784000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000788000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.000000000078D000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000795000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007A0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007A5000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007A8000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358382659.00000000007B7000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_7Y18r(199).jbxd
                            Similarity
                            • API ID: CharPrevlstrlen
                            • String ID: C:\Users\user\Desktop
                            • API String ID: 2709904686-3125694417
                            • Opcode ID: 49376fbf8c9c30057c1bc985cc011eea510fd351d3a644e674ee9e82abf7fe19
                            • Instruction ID: e6ed743aa513a71839d9ca51915a8badfc097c3d1f2b829187c73afd3cd0d239
                            • Opcode Fuzzy Hash: 49376fbf8c9c30057c1bc985cc011eea510fd351d3a644e674ee9e82abf7fe19
                            • Instruction Fuzzy Hash: 25D0C7B3919EB06EF30356149C04B9F7A49DF17705F194462E540A61D5C2785D418FFE
                            APIs
                            • lstrlenA.KERNEL32(00000000,?,00000000,00000000,0040584A,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405643
                            • lstrcmpiA.KERNEL32(00000000,00000000), ref: 0040565C
                            • CharNextA.USER32(00000000,?,?,00000000,000000F1,?), ref: 0040566A
                            • lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,0040584A,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405673
                            Memory Dump Source
                            • Source File: 00000000.00000002.3357962289.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.3357942440.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3357981131.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.000000000077A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000780000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000784000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000788000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.000000000078D000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.0000000000795000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007A0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007A5000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007A8000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358003440.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3358382659.00000000007B7000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_7Y18r(199).jbxd
                            Similarity
                            • API ID: lstrlen$CharNextlstrcmpi
                            • String ID:
                            • API String ID: 190613189-0
                            • Opcode ID: 0108cf067d6f6d80c8ed850288af8a4b3b9133f156f8bdff26d83f0dd252fb59
                            • Instruction ID: 609bff5e62adcd4a62841177b0e089267a8c05f8bacb5303162b42a917934155
                            • Opcode Fuzzy Hash: 0108cf067d6f6d80c8ed850288af8a4b3b9133f156f8bdff26d83f0dd252fb59
                            • Instruction Fuzzy Hash: 97F05C36209C919FC2025B344C04E2F6F98EF92318B54097AF444F3140D3369C119BBF
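The "APIs" lines in the records above share one shape: an optional "Part of subcall function <addr>:" prefix, then <api>.<module>(<stack values>), ref: <call site>. Read across records they tell the triage story of this sample: an NSIS stub checks for its plugin directory under %TEMP% (nshD690.tmp), writes ButtonEvent.dll into it, and later frees the library. The following Python is an added example for this page, not Joe Sandbox tooling and not code from the sample: it parses lines of that shape into structured calls and extracts the dropped-file evidence. Assumptions: the line format is inferred from this report; the NSIS plugin-directory pattern (ns<letter><4 hex digits>.tmp under Temp) is the installer's own naming convention; the sample lines are copies of lines from this page with their argument lists shortened. One caveat the code preserves in its comments: the values in parentheses are what the sandbox saw on the stack at the call, not decoded parameters, so a path in a WriteFile argument list is evidence that the path was in scope, not proof it was the handle's target.

```python
"""Parse Joe Sandbox 'APIs' record lines and extract dropped-file evidence.

Added example for this report page; not Joe Sandbox code and not part of the
analysed sample. Line format inferred from the records on the page.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: API lines from this page with argument lists shortened.
SAMPLE_LINES = [
    r'• Part of subcall function 004059F0: lstrcpynA.KERNEL32(?,?,00000400,0040314C,Mount and blade warband versio Setup,NSIS Error), ref: 004059FD',
    r'• lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nshD690.tmp,00000000), ref: 00405617',
    r'• GetFileAttributesA.KERNEL32(C:\Users\user\AppData\Local\Temp\nshD690.tmp,00000000), ref: 00405627',
    r'• lstrlenA.KERNEL32(00000000,00000011), ref: 004024DC',
    r'• WriteFile.KERNEL32(00000000,?,C:\Users\user\AppData\Local\Temp\nshD690.tmp\ButtonEvent.dll,00000000,?,?,00000000,00000011), ref: 004024FB',
    r'• FreeLibrary.KERNEL32(?,"C:\Users\user\Desktop\7Y18r(199).exe",00000000,00000000,0040347C,004032CF,00000000), ref: 004034BE',
]

# Shape of one record line; the greedy args group is anchored by the trailing ", ref: <addr>".
API_LINE = re.compile(
    r"^\s*(?:•\s*)?"
    r"(?:Part of subcall function (?P<caller>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
WIN_PATH = re.compile(r"^[A-Za-z]:\\")
# NSIS plugin extraction directory: %TEMP%\ns<letter><4 hex>.tmp (assumed convention).
NSIS_TMP = re.compile(r"^(?P<dir>[A-Za-z]:\\.*?\\Temp\\ns[A-Za-z][0-9A-Fa-f]{4}\.tmp)(?:\\|$)", re.I)


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]          # raw stack values; '?' means the sandbox could not resolve one
    ref: str                 # call-site address inside the sample
    caller: Optional[str]    # set when the line is "Part of subcall function <caller>"


def parse_api_lines(lines) -> List[ApiCall]:
    """Turn record lines into ApiCall objects; headings like 'APIs'/'Strings' are skipped."""
    calls = []
    for line in lines:
        m = API_LINE.match(line)
        if not m:
            continue
        args = [a.strip().strip('"') for a in m.group("args").split(",")]
        calls.append(ApiCall(m.group("api"), m.group("module"), args, m.group("ref"), m.group("caller")))
    return calls


def triage(calls: List[ApiCall]) -> dict:
    """Collect file paths, the NSIS plugin directory, DLLs written into it, and API counts.

    A path in an argument list is a stack value present at the call, so 'dropped_dlls'
    records WriteFile calls with a .dll path in scope, which is evidence, not a decoded handle target.
    """
    paths, plugin_dirs, dropped = set(), set(), []
    counts = Counter()
    for c in calls:
        counts[f"{c.module}.{c.api}"] += 1
        for a in c.args:
            if not WIN_PATH.match(a):
                continue
            paths.add(a)
            m = NSIS_TMP.match(a)
            if m:
                plugin_dirs.add(m.group("dir"))
                if c.api == "WriteFile" and a.lower().endswith(".dll") and a not in dropped:
                    dropped.append(a)
    return {
        "paths": sorted(paths),
        "nsis_plugin_dirs": sorted(plugin_dirs),
        "dropped_dlls": dropped,
        "api_counts": counts,
    }


if __name__ == "__main__":
    report = triage(parse_api_lines(SAMPLE_LINES))
    for key in ("nsis_plugin_dirs", "dropped_dlls", "paths"):
        print(f"{key}: {report[key]}")
    for name, n in report["api_counts"].most_common():
        print(f"  {n:2d}  {name}")
```

Feed it the "APIs" lines of every record on a report to get one list of paths the stub touched; the dropped-DLL list is the artefact to pull from the sandbox for static inspection, since the report itself notes a dropped PE file that was never started.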