
Windows Analysis Report
SecuriteInfo.com.Win32.Malware-gen.4932.17674.exe

Overview

General Information

Sample name:SecuriteInfo.com.Win32.Malware-gen.4932.17674.exe
Analysis ID:1520710
MD5:09646b466d4203f0a605120c10248654
SHA1:e1f6e1bec33b598963a6e017d41e28b72a6e9bbd
SHA256:7110772ac28b158130afc68ae0f00bdca6832cc826f7f2fbf38fd373feb16b2f
Tags:exeGuLoader

Detection

GuLoader
Score:64
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected GuLoader
AI detected suspicious sample
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Contains functionality for read data from the clipboard
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Detected potential crypto function
Drops PE files
Found dropped PE file which has not been started or loaded
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • cleanup
Malpedia threat entry:
Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye
No configs have been found
Yara matches:
Source: 00000000.00000002.4457010077.00000000069E2000.00000040.00001000.00020000.00000000.sdmp | Rule: JoeSecurity_GuLoader_2 | Description: Yara detected GuLoader | Author: Joe Security
    No Sigma rule has matched
    No Suricata rule has matched

    AV Detection

    Source: SecuriteInfo.com.Win32.Malware-gen.4932.17674.exe | ReversingLabs: Detection: 50%
    Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.6% probability
    Source: SecuriteInfo.com.Win32.Malware-gen.4932.17674.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
    Source: SecuriteInfo.com.Win32.Malware-gen.4932.17674.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.4932.17674.exe | Code function: 0_2_0040687E FindFirstFileW,FindClose
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.4932.17674.exe | Code function: 0_2_00405C2D GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.4932.17674.exe | Code function: 0_2_00402910 FindFirstFileW
    Source: SecuriteInfo.com.Win32.Malware-gen.4932.17674.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.4932.17674.exe | Code function: 0_2_004056E5 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.4932.17674.exe | Process Stats: CPU usage > 49%
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.4932.17674.exe | Code function: 0_2_004034FC EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrlenW,wsprintfW,GetFileAttributesW,DeleteFileW,SetCurrentDirectoryW,CopyFileW,OleUninitialize,ExitProcess,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.4932.17674.exe | Code function: 0_2_00406C3F
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.4932.17674.exe | Code function: 0_2_6F941BFF
    Source: SecuriteInfo.com.Win32.Malware-gen.4932.17674.exe, 00000000.00000000.2008225620.000000000044C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamenygifte.exe4 vs SecuriteInfo.com.Win32.Malware-gen.4932.17674.exe
    Source: SecuriteInfo.com.Win32.Malware-gen.4932.17674.exe | Binary or memory string: OriginalFilenamenygifte.exe4 vs SecuriteInfo.com.Win32.Malware-gen.4932.17674.exe
    Source: SecuriteInfo.com.Win32.Malware-gen.4932.17674.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
    Source: classification engine | Classification label: mal64.troj.evad.winEXE@1/9@0/0
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.4932.17674.exe | Code function: 0_2_004034FC EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrlenW,wsprintfW,GetFileAttributesW,DeleteFileW,SetCurrentDirectoryW,CopyFileW,OleUninitialize,ExitProcess,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.4932.17674.exe | Code function: 0_2_00404991 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.4932.17674.exe | Code function: 0_2_004021AF CoCreateInstance
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.4932.17674.exe | File created: C:\Users\user\polaritets
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.4932.17674.exe | File created: C:\Users\user\AppData\Local\Temp\nsr12B.tmp
    Source: SecuriteInfo.com.Win32.Malware-gen.4932.17674.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.4932.17674.exe | File read: C:\Users\desktop.ini
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.4932.17674.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: SecuriteInfo.com.Win32.Malware-gen.4932.17674.exe | ReversingLabs: Detection: 50%
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.4932.17674.exe | File read: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.4932.17674.exe
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.4932.17674.exe | Section loaded: uxtheme.dll
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.4932.17674.exe | Section loaded: userenv.dll
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.4932.17674.exe | Section loaded: apphelp.dll
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.4932.17674.exe | Section loaded: propsys.dll
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.4932.17674.exe | Section loaded: dwmapi.dll
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.4932.17674.exe | Section loaded: cryptbase.dll
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.4932.17674.exe | Section loaded: oleacc.dll
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.4932.17674.exe | Section loaded: ntmarta.dll
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.4932.17674.exe | Section loaded: version.dll
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.4932.17674.exe | Section loaded: shfolder.dll
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.4932.17674.exe | Section loaded: kernel.appcore.dll
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.4932.17674.exe | Section loaded: windows.storage.dll
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.4932.17674.exe | Section loaded: wldp.dll
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.4932.17674.exe | Section loaded: profapi.dll
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.4932.17674.exe | Section loaded: riched20.dll
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.4932.17674.exe | Section loaded: usp10.dll
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.4932.17674.exe | Section loaded: msls31.dll
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.4932.17674.exe | Section loaded: textshaping.dll
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.4932.17674.exe | Section loaded: textinputframework.dll
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.4932.17674.exe | Section loaded: coreuicomponents.dll
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.4932.17674.exe | Section loaded: coremessaging.dll
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.4932.17674.exe | Section loaded: coremessaging.dll
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.4932.17674.exe | Section loaded: wintypes.dll
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.4932.17674.exe | Section loaded: wintypes.dll
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.4932.17674.exe | Section loaded: wintypes.dll
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.4932.17674.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
    Source: SecuriteInfo.com.Win32.Malware-gen.4932.17674.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

    Data Obfuscation

    Source: Yara match | File source: 00000000.00000002.4457010077.00000000069E2000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.4932.17674.exe | Code function: 0_2_6F941BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.4932.17674.exe | Code function: 0_2_6F9430C0 push eax; ret 0_2_6F9430EE
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.4932.17674.exe | File created: C:\Users\user\AppData\Local\Temp\nsd4C7.tmp\System.dll (dropped file)
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.4932.17674.exe | Process information set: NOOPENFILEERRORBOX

    Malware Analysis System Evasion

    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.4932.17674.exe | RDTSC instruction interceptor: First address: 702C00A, second address: 702C00A, instructions:
        0x00000000 rdtsc
        0x00000002 cmp edi, 6691C563h
        0x00000008 cmp ebx, ecx
        0x0000000a jc 00007F18847DDF8Fh
        0x0000000c cmp dh, ch
        0x0000000e inc ebp
        0x0000000f cmp bh, FFFFFFC3h
        0x00000012 inc ebx
        0x00000013 rdtsc
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.4932.17674.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsd4C7.tmp\System.dll
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.4932.17674.exe | Code function: 0_2_0040687E FindFirstFileW,FindClose
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.4932.17674.exe | Code function: 0_2_00405C2D GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.4932.17674.exe | Code function: 0_2_00402910 FindFirstFileW
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.4932.17674.exe | API call chain: ExitProcess graph end node, graph_0-4910
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.4932.17674.exe | API call chain: ExitProcess graph end node, graph_0-4915
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.4932.17674.exe | Code function: 0_2_6F941BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.4932.17674.exe | Code function: 0_2_004034FC EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrlenW,wsprintfW,GetFileAttributesW,DeleteFileW,SetCurrentDirectoryW,CopyFileW,OleUninitialize,ExitProcess,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
    MITRE ATT&CK matrix (one line per tactic; a number in parentheses is the count of report signatures matching that technique, techniques without a number are unmatched matrix entries):
    Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names
    Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server
    Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts
    Execution: Native API (1); Scheduled Task/Job; At; Cron
    Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook
    Privilege Escalation: Access Token Manipulation (1); DLL Side-Loading (1); Logon Script (Windows); Login Hook
    Defense Evasion: Masquerading (1); Access Token Manipulation (1); DLL Side-Loading (1); Obfuscated Files or Information (1)
    Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS
    Discovery: Security Software Discovery (1); File and Directory Discovery (2); System Information Discovery (13); System Network Configuration Discovery
    Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model
    Collection: Archive Collected Data (1); Clipboard Data (1); Data from Network Shared Drive; Input Capture
    Command and Control: Encrypted Channel (1); Junk Data; Steganography; Protocol Impersonation
    Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication
    Impact: System Shutdown/Reboot (1); Network Denial of Service; Data Encrypted for Impact; Data Destruction
    Antivirus detection (submitted sample):
    Source: SecuriteInfo.com.Win32.Malware-gen.4932.17674.exe | Detection: 50% | Scanner: ReversingLabs | Label: Win32.Trojan.GuLoader
    Antivirus detection (dropped files):
    Source: C:\Users\user\AppData\Local\Temp\nsd4C7.tmp\System.dll | Detection: 0% | Scanner: ReversingLabs
    No Antivirus matches
    No Antivirus matches
    URL detection:
    Source: http://nsis.sf.net/NSIS_ErrorError | Detection: 0% | Scanner: URL Reputation | Label: safe
    No contacted domains info
    URLs found:
    Name: http://nsis.sf.net/NSIS_ErrorError | Source: SecuriteInfo.com.Win32.Malware-gen.4932.17674.exe | Malicious: false | Antivirus Detection: URL Reputation: safe | Reputation: unknown
    No contacted IP infos
    Joe Sandbox version:41.0.0 Charoite
    Analysis ID:1520710
    Start date and time:2024-09-27 18:49:04 +02:00
    Joe Sandbox product:CloudBasic
    Overall analysis duration:0h 6m 22s
    Hypervisor based Inspection enabled:false
    Report type:full
    Cookbook file name:default.jbs
    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
    Number of new started processes analysed:5
    Number of new started drivers analysed:0
    Number of existing processes analysed:0
    Number of existing drivers analysed:0
    Number of injected processes analysed:0
    Technologies:
    • HCA enabled
    • EGA enabled
    • AMSI enabled
    Analysis Mode:default
    Analysis stop reason:Timeout
    Sample name:SecuriteInfo.com.Win32.Malware-gen.4932.17674.exe
    Detection:MAL
    Classification:mal64.troj.evad.winEXE@1/9@0/0
    EGA Information:
    • Successful, ratio: 100%
    HCA Information:
    • Successful, ratio: 100%
    • Number of executed functions: 53
    • Number of non-executed functions: 32
    Cookbook Comments:
    • Found application associated with file extension: .exe
    • Override analysis time to 240s for sample files taking high CPU consumption
    • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
    • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
    • VT rate limit hit for: SecuriteInfo.com.Win32.Malware-gen.4932.17674.exe
    No simulations
    No context
    Match: C:\Users\user\AppData\Local\Temp\nsd4C7.tmp\System.dll
    Associated sample name | Detection | Threat name:
    DÜZELTİLDİ SÖZLEŞME-pdf.bat.exe | malicious | FormBook, GuLoader
    DÜZELTİLDİ SÖZLEŞME-pdf.bat.exe | malicious | GuLoader
    UMOWA_PD.BAT.exe | malicious | FormBook, GuLoader
    UMOWA_PD.BAT.exe | malicious | GuLoader
    Payment_Advice.1.bat.exe | malicious | FormBook, GuLoader
    Payment_Advice..exe | malicious | FormBook, GuLoader
    Payment_Advice..exe | malicious | GuLoader
    Payment_Advice.1.bat.exe | malicious | GuLoader
    Payment_Advice..exe | malicious | GuLoader
    Payment_Advice..exe | malicious | GuLoader
                        Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.4932.17674.exe
                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):12288
                        Entropy (8bit):5.805604762622714
                        Encrypted:false
                        SSDEEP:192:VjHcQ0qWTlt7wi5Aj/lM0sEWD/wtYbBjpNQybC7y+XZv0QPi:B/Qlt7wiij/lMRv/9V4bvr
                        MD5:4ADD245D4BA34B04F213409BFE504C07
                        SHA1:EF756D6581D70E87D58CC4982E3F4D18E0EA5B09
                        SHA-256:9111099EFE9D5C9B391DC132B2FAF0A3851A760D4106D5368E30AC744EB42706
                        SHA-512:1BD260CABE5EA3CEFBBC675162F30092AB157893510F45A1B571489E03EBB2903C55F64F89812754D3FE03C8F10012B8078D1261A7E73AC1F87C82F714BCE03D
                        Malicious:false
                        Antivirus:
                        • Antivirus: ReversingLabs, Detection: 0%
                        Joe Sandbox View:
                         • Filename: DÜZELTİLDİ SÖZLEŞME-pdf.bat.exe, Detection: malicious
                         • Filename: DÜZELTİLDİ SÖZLEŞME-pdf.bat.exe, Detection: malicious
                        • Filename: UMOWA_PD.BAT.exe, Detection: malicious, Browse
                        • Filename: UMOWA_PD.BAT.exe, Detection: malicious, Browse
                        • Filename: Payment_Advice.1.bat.exe, Detection: malicious, Browse
                        • Filename: Payment_Advice..exe, Detection: malicious, Browse
                        • Filename: Payment_Advice..exe, Detection: malicious, Browse
                        • Filename: Payment_Advice.1.bat.exe, Detection: malicious, Browse
                        • Filename: Payment_Advice..exe, Detection: malicious, Browse
                        • Filename: Payment_Advice..exe, Detection: malicious, Browse
                        Reputation:moderate, very likely benign file
                        Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.4932.17674.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):146048
                        Entropy (8bit):4.6065779762897
                        Encrypted:false
                        SSDEEP:1536:LL9Fdl//kBP5+LtQdILRCc2U02fKGNMYqCAKNN06YV1e4iHHgGtyH3aYV0fo:3Fl++Ltt2GNxqCdNW6i18rtyH3ao
                        MD5:5AF6DF202041C4BFCCFFFC8A316C9A1A
                        SHA1:D9F6883DAE12C9E3DFA4A60B5CC4A231481A38B5
                        SHA-256:72820F9E966138202338EE85EF716A4352A9624FA5F4E42900C8B08C2FC39865
                        SHA-512:BB04146B10189062AA39507952BA1588FA20B21D9B817F889D42BAC22E54F810D1099F63484F309D4A51532FB34DDFF93101197224FC189F1FDA79105001125E
                        Malicious:false
                        Reputation:low
                        Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.4932.17674.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):337530
                        Entropy (8bit):7.652545988590635
                        Encrypted:false
                        SSDEEP:6144:PF4NYyYBqXrQZimSkrb1nbm7WbwuZO/NoeWUejQfeT+0hvTT8LOdhkvwx:PFAYE00mSupSgO1duQ2vvH8LOd+wx
                        MD5:B9511C05839C7DE7AA19DC47A1E0A224
                        SHA1:BC9DDA4E870DAEE63244689DD42AB4E34BB676AD
                        SHA-256:DCE2C8C92DB5C0E6CBE667BA1FA4DF04465099C45478CD84ED93B5DCDBEB91C8
                        SHA-512:CFEA992238154FBD6C29C788CF79987E863E93ECC04A814F6B94F91E1DA5908EC337FE3786D1488E0DB2A23A71B1F487F606D760E1D223D5FDAC4D2BA1D01E54
                        Malicious:false
                        Reputation:low
                        Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.4932.17674.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):97664
                        Entropy (8bit):1.2371741628878217
                        Encrypted:false
                        SSDEEP:768:XEFQJPKWWG5ARWTJqBshVmdboj6UJY3VBCwYw2ZDRnv+mRQN:XUE/m2O3N
                        MD5:2B4D5FD79400969869ED030F4803BE99
                        SHA1:163C23302E2DA2B2265A7CD7ED08BE16A3853DCA
                        SHA-256:49C47AAA67085C8B38D02DC0F1F792E83FA17D41CE16927888C9085F530E9DB4
                        SHA-512:7EE103CCCC54B148E7AD62F37FF4ACFC4438436C6F75D15E5248CB19643348C70F2B63062712817002CE4D173E51A7A0C8B3851FCD0FC0D6E1302838909B1C2D
                        Malicious:false
                        Reputation:low
                        Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.4932.17674.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):244138
                        Entropy (8bit):1.252663089946015
                        Encrypted:false
                        SSDEEP:768:cv49C5wBVa5O2Fx8p7KLOTSo3NTuAG15VTvfAX+H7v+uQVsfpqSC26Pn6DD/SNsg:JBQxurv96jREO3X2r
                        MD5:BBD77A921062C9B6CBF4BEDFF50E1514
                        SHA1:C25712C5F69E016A364E8898B59E7229E3C5E7A4
                        SHA-256:E2882B3589FF6D9FA79AC2D88FC8DE8FD94BA046E8B9796203A4916C73731EAD
                        SHA-512:9BDFC20EFFD587EC19B524E36D392F4863C8242C8D4C8C7F81164A0E0DF84C5BF1633400873D0F68C40079113F9F2568706642334FCFDCCE4C6E0B1D7D5FB660
                        Malicious:false
                        Reputation:low
                        Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.4932.17674.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):438128
                        Entropy (8bit):1.2562406175237242
                        Encrypted:false
                        SSDEEP:1536:zN/79C7p5KmH/e6grFLDiN8w27kdDZK5M9aR:hyp5K4e6kFLoMV
                        MD5:E883CEF7CF2793E15A52C9BAC1CDE472
                        SHA1:1D4973110569354FA072BA3AFF0BD21EA0DF109A
                        SHA-256:2FF67336CFEEE418E565B0C79855927FC0CD0B1E9F2F40A59F1CB7EF2328635A
                        SHA-512:372BE015C3FA19C0EEAA981803900CA088B92188187A69697EEE808068F8033225BFD2927E2DB54EABEECAC05A421DC6CCCABFE19F39788B4F6D4E6F80CE04A5
                        Malicious:false
                        Reputation:low
                        Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.4932.17674.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):15722
                        Entropy (8bit):1.1774803541140593
                        Encrypted:false
                        SSDEEP:96:QlmaSsDp47EcNFpMw8GM4Zq+AUUnPMN61WN1:QbSc47/lv8n4Zq+AUQmy4
                        MD5:A8FD81B22FDC76D0AAE4ABF40CC1E8F4
                        SHA1:ECA25609E68636E12C3AB63D7E9F1B7717CE450A
                        SHA-256:13148F74A847C0F474385F1E62C01A5065700A472BF689D7299D3F420A7CC45D
                        SHA-512:7E0CE6444E0F402278704066AE74F442684B80959CB90CFABA6A3BBCA1EB754EEBCDE11A61FE17D8DE1F708F035BDC2C7825BF9E8F92D761CE0E78BA68544C6B
                        Malicious:false
                        Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.4932.17674.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):38361
                        Entropy (8bit):1.2166387306020765
                        Encrypted:false
                        SSDEEP:384:X+F+sq/qAweG+1AI4KbEElQxRqKJOPOXALDW3uYBspm5NfXDZ9:X6M/l17oEnYjP
                        MD5:2BF0CAC964058C5B0D73930FC7412775
                        SHA1:003BEC59CB10BDD8B5B760C14DB899637E85AFBE
                        SHA-256:5A823D12E477927D5133F5B4DE1A5BCB0973FDBBDC4C966C821928CB439FC97A
                        SHA-512:303CF2DE6CFC652A10E543E0F6484097042234C786624F1B67668CA254B03DE2CCF4D7EB0FB6E13172F605B1B4B742D8694CF3549952523753C5DDE741975564
                        Malicious:false
                        Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.4932.17674.exe
                        File Type:ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):434
                        Entropy (8bit):4.305884836882498
                        Encrypted:false
                        SSDEEP:12:mBX7vwwJDXCuNQLIU/0vkxuYAz8/p7QTrYSCmDEIHlwq+:mBXUWEzR7ylCeEUw
                        MD5:3F6632F26EBA2C111F54C97312D4C4EA
                        SHA1:8D3FB7505058C8C5CB22133C77213D6B37CDD5F9
                        SHA-256:CE8824C6205F36A17C4476BF02839F065009CD15E88970E653CE5F6A89BD9954
                        SHA-512:EED0879B222E9F074C109B2FA8548F441AD1A4C1CEF8EDB3BAE6D05308E2916061F2A2835E9252A2EDE27608435E40E8C52849B9DD8D38A5FBBEC995628D28E7
                        Malicious:false
                        Preview:kumquat equilibrious invector occludes vesteuroperen knippelfines,laparosplenotomy subagents skatkisternes sovehjertet angiospermous abastard caprate efterbyrdens exercised organisationsliniens puberties..ansvarhavendes unhumidified fordjelsesproces forureningsomraades,nondivisive famle illicitly lithophone lattins cubit rougens svmmebrillerne..untestamental transect subfestively subserviently hyldevarer.maaske pastoral overlooks,
                        File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                        Entropy (8bit):7.956957743632461
                        TrID:
                        • Win32 Executable (generic) a (10002005/4) 99.96%
                        • Generic Win/DOS Executable (2004/3) 0.02%
                        • DOS Executable Generic (2002/1) 0.02%
                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                        File name:SecuriteInfo.com.Win32.Malware-gen.4932.17674.exe
                        File size:559'533 bytes
                        MD5:09646b466d4203f0a605120c10248654
                        SHA1:e1f6e1bec33b598963a6e017d41e28b72a6e9bbd
                        SHA256:7110772ac28b158130afc68ae0f00bdca6832cc826f7f2fbf38fd373feb16b2f
                        SHA512:74414f447846f9a51a381a30ab6d08b66cf68f8fcc2ee42ce0fdf41e4914c4dc2b4ab5bd26d85e71f92e3d0ce7badb274ec68973a74506caca26f60d60d80f24
                        SSDEEP:12288:qX69L27aMq4PfZ6Vt1wFHLesCqew8wmjAjPJbbiEUW34/:qX69Ln4Pfc9whLTCkmUjBqEUW
                        TLSH:13C42343B870D6ABFA651334563683A98AFD7C210291339F2F44BF6EB9289C5D91D343
                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1 ..PN..PN..PN.*_...PN..PO.JPN.*_...PN..s~..PN..VH..PN.Rich.PN.........................PE..L...c..d.................f...".....
                        Icon Hash:9193c9a1858b8db5
                        Entrypoint:0x4034fc
                        Entrypoint Section:.text
                        Digitally signed:false
                        Imagebase:0x400000
                        Subsystem:windows gui
                        Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                        DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                        Time Stamp:0x64A0DC63 [Sun Jul 2 02:09:39 2023 UTC]
                        TLS Callbacks:
                        CLR (.Net) Version:
                        OS Version Major:4
                        OS Version Minor:0
                        File Version Major:4
                        File Version Minor:0
                        Subsystem Version Major:4
                        Subsystem Version Minor:0
                        Import Hash:f4639a0b3116c2cfc71144b88a929cfd
                        Instruction
                        sub esp, 000003F8h
                        push ebp
                        push esi
                        push edi
                        push 00000020h
                        pop edi
                        xor ebp, ebp
                        push 00008001h
                        mov dword ptr [esp+20h], ebp
                        mov dword ptr [esp+18h], 0040A2D8h
                        mov dword ptr [esp+14h], ebp
                        call dword ptr [004080A4h]
                        mov esi, dword ptr [004080A8h]
                        lea eax, dword ptr [esp+34h]
                        push eax
                        mov dword ptr [esp+4Ch], ebp
                        mov dword ptr [esp+0000014Ch], ebp
                        mov dword ptr [esp+00000150h], ebp
                        mov dword ptr [esp+38h], 0000011Ch
                        call esi
                        test eax, eax
                        jne 00007F18848C754Ah
                        lea eax, dword ptr [esp+34h]
                        mov dword ptr [esp+34h], 00000114h
                        push eax
                        call esi
                        mov ax, word ptr [esp+48h]
                        mov ecx, dword ptr [esp+62h]
                        sub ax, 00000053h
                        add ecx, FFFFFFD0h
                        neg ax
                        sbb eax, eax
                        mov byte ptr [esp+0000014Eh], 00000004h
                        not eax
                        and eax, ecx
                        mov word ptr [esp+00000148h], ax
                        cmp dword ptr [esp+38h], 0Ah
                        jnc 00007F18848C7518h
                        and word ptr [esp+42h], 0000h
                        mov eax, dword ptr [esp+40h]
                        movzx ecx, byte ptr [esp+3Ch]
                        mov dword ptr [00429AD8h], eax
                        xor eax, eax
                        mov ah, byte ptr [esp+38h]
                        movzx eax, ax
                        or eax, ecx
                        xor ecx, ecx
                        mov ch, byte ptr [esp+00000148h]
                        movzx ecx, cx
                        shl eax, 10h
                        or eax, ecx
                        movzx ecx, byte ptr [esp+0000004Eh]
                        Programming Language:
                        • [EXP] VC++ 6.0 SP5 build 8804
                        Name                                 | Virtual Address | Virtual Size | Is in Section
                        IMAGE_DIRECTORY_ENTRY_EXPORT         | 0x0             | 0x0          |
                        IMAGE_DIRECTORY_ENTRY_IMPORT         | 0x84fc          | 0xa0         | .rdata
                        IMAGE_DIRECTORY_ENTRY_RESOURCE       | 0x4c000         | 0x3440       | .rsrc
                        IMAGE_DIRECTORY_ENTRY_EXCEPTION      | 0x0             | 0x0          |
                        IMAGE_DIRECTORY_ENTRY_SECURITY       | 0x0             | 0x0          |
                        IMAGE_DIRECTORY_ENTRY_BASERELOC      | 0x0             | 0x0          |
                        IMAGE_DIRECTORY_ENTRY_DEBUG          | 0x0             | 0x0          |
                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT      | 0x0             | 0x0          |
                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR      | 0x0             | 0x0          |
                        IMAGE_DIRECTORY_ENTRY_TLS            | 0x0             | 0x0          |
                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG    | 0x0             | 0x0          |
                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT   | 0x0             | 0x0          |
                        IMAGE_DIRECTORY_ENTRY_IAT            | 0x8000          | 0x2a8        | .rdata
                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT   | 0x0             | 0x0          |
                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0             | 0x0          |
                        IMAGE_DIRECTORY_ENTRY_RESERVED       | 0x0             | 0x0          |
                        Name   | Virtual Address | Virtual Size | Raw Size | MD5                              | Xored PE | ZLIB Complexity    | File Type | Entropy           | Characteristics
                        .text  | 0x1000          | 0x6556       | 0x6600   | dd25e171f2e0fe45f2800cc9e162537d | False    | 0.6652113970588235 | data      | 6.456753840355455 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                        .rdata | 0x8000          | 0x1358       | 0x1400   | f0b500ff912dda10f31f36da3efc8a1e | False    | 0.44296875         | data      | 5.102094016108248 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                        .data  | 0xa000          | 0x1fb38      | 0x600    | 2bc02714ee74ba781d92e94eeaccb080 | False    | 0.501953125        | data      | 4.040639308682379 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                        .ndata | 0x2a000         | 0x22000      | 0x0      | d41d8cd98f00b204e9800998ecf8427e | False    | 0                  | empty     | 0.0               | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                        .rsrc  | 0x4c000         | 0x3440       | 0x3600   | 5950a4e36f0f510396fb34e6e03b573a | False    | 0.5579427083333334 | data      | 5.567094918094419 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                        Name          | RVA     | Size  | Type                                                                                   | Language | Country       | ZLIB Complexity
                        RT_ICON       | 0x4c2f8 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2688                        | English  | United States | 0.7190831556503199
                        RT_ICON       | 0x4d1a0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1152                        | English  | United States | 0.7035198555956679
                        RT_ICON       | 0x4da48 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1536                        | English  | United States | 0.33963414634146344
                        RT_ICON       | 0x4e0b0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 320                         | English  | United States | 0.6423410404624278
                        RT_ICON       | 0x4e618 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640                         | English  | United States | 0.39381720430107525
                        RT_ICON       | 0x4e900 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192                         | English  | United States | 0.5101351351351351
                        RT_DIALOG     | 0x4ea28 | 0x100 | data                                                                                   | English  | United States | 0.5234375
                        RT_DIALOG     | 0x4eb28 | 0x11c | data                                                                                   | English  | United States | 0.6056338028169014
                        RT_DIALOG     | 0x4ec48 | 0xc4  | data                                                                                   | English  | United States | 0.5918367346938775
                        RT_DIALOG     | 0x4ed10 | 0x60  | data                                                                                   | English  | United States | 0.7291666666666666
                        RT_GROUP_ICON | 0x4ed70 | 0x5a  | data                                                                                   | English  | United States | 0.7111111111111111
                        RT_VERSION    | 0x4edd0 | 0x248 | data                                                                                   | English  | United States | 0.4811643835616438
                        RT_MANIFEST   | 0x4f018 | 0x423 | XML 1.0 document, ASCII text, with very long lines (1059), with no line terminators    | English  | United States | 0.5127478753541076
                        DLL          | Imports
                        ADVAPI32.dll | RegEnumValueW, RegEnumKeyW, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, RegOpenKeyExW, RegCreateKeyExW
                        SHELL32.dll  | SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, SHFileOperationW, ShellExecuteExW
                        ole32.dll    | CoCreateInstance, OleUninitialize, OleInitialize, IIDFromString, CoTaskMemFree
                        COMCTL32.dll | ImageList_Destroy, ImageList_AddMasked, ImageList_Create
                        USER32.dll   | MessageBoxIndirectW, GetDlgItemTextW, SetDlgItemTextW, CreatePopupMenu, AppendMenuW, TrackPopupMenu, OpenClipboard, EmptyClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcW, GetMessagePos, CheckDlgButton, LoadCursorW, SetCursor, GetSysColor, SetWindowPos, GetWindowLongW, IsWindowEnabled, SetClassLongW, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassW, SystemParametersInfoW, CharPrevW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndPaint, CharNextA, wsprintfA, DispatchMessageW, CreateWindowExW, PeekMessageW, GetSystemMetrics
                        GDI32.dll    | GetDeviceCaps, SetBkColor, SelectObject, DeleteObject, CreateBrushIndirect, CreateFontIndirectW, SetBkMode, SetTextColor
                        KERNEL32.dll | lstrcmpiA, CreateFileW, GetTempFileNameW, RemoveDirectoryW, CreateProcessW, CreateDirectoryW, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceW, WideCharToMultiByte, lstrcpynW, lstrlenW, SetErrorMode, GetVersionExW, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, WriteFile, CopyFileW, ExitProcess, GetCurrentProcess, GetModuleFileNameW, GetFileSize, GetTickCount, Sleep, SetFileAttributesW, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalFree, GlobalAlloc, GetModuleHandleW, LoadLibraryExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, MultiByteToWideChar, ReadFile, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW, MulDiv, lstrcpyA, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, SetEnvironmentVariableW
                        Language of compilation system | Country where language is spoken
                        English                        | United States
                        No network behavior found


                        Target ID:0
                        Start time:12:49:51
                        Start date:27/09/2024
                        Path:C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.4932.17674.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.4932.17674.exe"
                        Imagebase:0x400000
                        File size:559'533 bytes
                        MD5 hash:09646B466D4203F0A605120C10248654
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.4457010077.00000000069E2000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                        Reputation:low
                        Has exited:false


                          Execution Graph

                          Execution Coverage:19.1%
                          Dynamic/Decrypted Code Coverage:13.5%
                          Signature Coverage:16.4%
                          Total number of Nodes:1604
                          Total number of Limit Nodes:40
404479 SendMessageW 4504->4510 4509 4055a6 28 API calls 4505->4509 4506->4507 4512 4044a0 22 API calls 4507->4512 4511 40655e 21 API calls 4508->4511 4509->4504 4510->4493 4513 405982 AppendMenuW 4511->4513 4514 40580e 4512->4514 4515 4059b2 TrackPopupMenu 4513->4515 4516 40599f GetWindowRect 4513->4516 4517 405817 ShowWindow 4514->4517 4518 40584b GetDlgItem SendMessageW 4514->4518 4515->4503 4519 4059cd 4515->4519 4516->4515 4520 40583a 4517->4520 4521 40582d ShowWindow 4517->4521 4518->4503 4522 405872 SendMessageW SendMessageW 4518->4522 4523 4059e9 SendMessageW 4519->4523 4529 4044d5 SendMessageW 4520->4529 4521->4520 4522->4503 4523->4523 4524 405a06 OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 4523->4524 4526 405a2b SendMessageW 4524->4526 4526->4526 4527 405a54 GlobalUnlock SetClipboardData CloseClipboard 4526->4527 4527->4503 4528->4489 4529->4518 4530->4488 4532 4044ec SendMessageW 4531->4532 4533 40569c 4532->4533 4536 4056c3 4533->4536 4537 401389 2 API calls 4533->4537 4534 4044ec SendMessageW 4535 4056d5 OleUninitialize 4534->4535 4536->4534 4537->4533 5522 404ce7 5523 404d13 5522->5523 5524 404cf7 5522->5524 5526 404d46 5523->5526 5527 404d19 SHGetPathFromIDListW 5523->5527 5533 405b65 GetDlgItemTextW 5524->5533 5529 404d30 SendMessageW 5527->5529 5530 404d29 5527->5530 5528 404d04 SendMessageW 5528->5523 5529->5526 5531 40140b 2 API calls 5530->5531 5531->5529 5533->5528 5534 401568 5535 402ba9 5534->5535 5538 406468 wsprintfW 5535->5538 5537 402bae 5538->5537 5539 6f94103d 5540 6f94101b 5 API calls 5539->5540 5541 6f941056 5540->5541 5542 40196d 5543 402d89 21 API calls 5542->5543 5544 401974 5543->5544 5545 402d89 21 API calls 5544->5545 5546 401981 5545->5546 5547 402dab 21 API calls 5546->5547 5548 401998 lstrlenW 5547->5548 5549 4019a9 5548->5549 5552 4019ea 5549->5552 5554 406521 lstrcpynW 5549->5554 5551 4019da 5551->5552 5553 4019df lstrlenW 5551->5553 5553->5552 5554->5551 5555 40166f 5556 402dab 21 API calls 5555->5556 5557 401675 
5556->5557 5558 40687e 2 API calls 5557->5558 5559 40167b 5558->5559 5560 402af0 5561 402d89 21 API calls 5560->5561 5563 402af6 5561->5563 5562 402933 5563->5562 5564 40655e 21 API calls 5563->5564 5564->5562 4717 4026f1 4718 402d89 21 API calls 4717->4718 4720 402700 4718->4720 4719 40274a ReadFile 4719->4720 4730 40283d 4719->4730 4720->4719 4721 4027e3 4720->4721 4722 406094 ReadFile 4720->4722 4724 40278a MultiByteToWideChar 4720->4724 4725 40283f 4720->4725 4727 4027b0 SetFilePointer MultiByteToWideChar 4720->4727 4728 402850 4720->4728 4720->4730 4721->4720 4721->4730 4731 4060f2 SetFilePointer 4721->4731 4722->4720 4724->4720 4740 406468 wsprintfW 4725->4740 4727->4720 4729 402871 SetFilePointer 4728->4729 4728->4730 4729->4730 4732 406126 4731->4732 4733 40610e 4731->4733 4732->4721 4734 406094 ReadFile 4733->4734 4735 40611a 4734->4735 4735->4732 4736 406157 SetFilePointer 4735->4736 4737 40612f SetFilePointer 4735->4737 4736->4732 4737->4736 4738 40613a 4737->4738 4739 4060c3 WriteFile 4738->4739 4739->4732 4740->4730 4741 401774 4742 402dab 21 API calls 4741->4742 4743 40177b 4742->4743 4744 4017a3 4743->4744 4745 40179b 4743->4745 4803 406521 lstrcpynW 4744->4803 4802 406521 lstrcpynW 4745->4802 4748 4017a1 4752 4067cf 5 API calls 4748->4752 4749 4017ae 4750 405df0 3 API calls 4749->4750 4751 4017b4 lstrcatW 4750->4751 4751->4748 4770 4017c0 4752->4770 4753 40687e 2 API calls 4753->4770 4754 4017fc 4755 405fec 2 API calls 4754->4755 4755->4770 4757 4017d2 CompareFileTime 4757->4770 4758 401892 4759 4055a6 28 API calls 4758->4759 4761 40189c 4759->4761 4760 401869 4762 4055a6 28 API calls 4760->4762 4769 40187e 4760->4769 4781 4032b9 4761->4781 4762->4769 4763 406521 lstrcpynW 4763->4770 4766 4018c3 SetFileTime 4768 4018d5 CloseHandle 4766->4768 4767 40655e 21 API calls 4767->4770 4768->4769 4771 4018e6 4768->4771 4770->4753 4770->4754 4770->4757 4770->4758 4770->4760 4770->4763 4770->4767 4776 405b81 MessageBoxIndirectW 4770->4776 4780 406011 
GetFileAttributesW CreateFileW 4770->4780 4772 4018eb 4771->4772 4773 4018fe 4771->4773 4774 40655e 21 API calls 4772->4774 4775 40655e 21 API calls 4773->4775 4777 4018f3 lstrcatW 4774->4777 4778 401906 4775->4778 4776->4770 4777->4778 4778->4769 4779 405b81 MessageBoxIndirectW 4778->4779 4779->4769 4780->4770 4783 4032d2 4781->4783 4782 4032fd 4804 40349e 4782->4804 4783->4782 4814 4034b4 SetFilePointer 4783->4814 4787 40331a GetTickCount 4798 40332d 4787->4798 4788 40343e 4789 403442 4788->4789 4793 40345a 4788->4793 4791 40349e ReadFile 4789->4791 4790 4018af 4790->4766 4790->4768 4791->4790 4792 40349e ReadFile 4792->4793 4793->4790 4793->4792 4795 4060c3 WriteFile 4793->4795 4794 40349e ReadFile 4794->4798 4795->4793 4797 403393 GetTickCount 4797->4798 4798->4790 4798->4794 4798->4797 4799 4033bc MulDiv wsprintfW 4798->4799 4801 4060c3 WriteFile 4798->4801 4807 406a90 4798->4807 4800 4055a6 28 API calls 4799->4800 4800->4798 4801->4798 4802->4748 4803->4749 4805 406094 ReadFile 4804->4805 4806 403308 4805->4806 4806->4787 4806->4788 4806->4790 4808 406ab5 4807->4808 4809 406abd 4807->4809 4808->4798 4809->4808 4810 406b44 GlobalFree 4809->4810 4811 406b4d GlobalAlloc 4809->4811 4812 406bc4 GlobalAlloc 4809->4812 4813 406bbb GlobalFree 4809->4813 4810->4811 4811->4808 4811->4809 4812->4808 4812->4809 4813->4812 4814->4782 5579 4014f5 SetForegroundWindow 5580 402c2f 5579->5580 5581 401a77 5582 402d89 21 API calls 5581->5582 5583 401a80 5582->5583 5584 402d89 21 API calls 5583->5584 5585 401a25 5584->5585 5586 401578 5587 401591 5586->5587 5588 401588 ShowWindow 5586->5588 5589 402c2f 5587->5589 5590 40159f ShowWindow 5587->5590 5588->5587 5590->5589 5591 4023f9 5592 402dab 21 API calls 5591->5592 5593 402408 5592->5593 5594 402dab 21 API calls 5593->5594 5595 402411 5594->5595 5596 402dab 21 API calls 5595->5596 5597 40241b GetPrivateProfileStringW 5596->5597 5598 401ffb 5599 402dab 21 API calls 5598->5599 5600 402002 5599->5600 5601 40687e 2 API calls 
5600->5601 5602 402008 5601->5602 5604 402019 5602->5604 5605 406468 wsprintfW 5602->5605 5605->5604 4864 4034fc SetErrorMode GetVersionExW 4865 403550 GetVersionExW 4864->4865 4866 403588 4864->4866 4865->4866 4867 4035df 4866->4867 4868 406915 5 API calls 4866->4868 4869 4068a5 3 API calls 4867->4869 4868->4867 4870 4035f5 lstrlenA 4869->4870 4870->4867 4871 403605 4870->4871 4872 406915 5 API calls 4871->4872 4873 40360c 4872->4873 4874 406915 5 API calls 4873->4874 4875 403613 4874->4875 4876 406915 5 API calls 4875->4876 4877 40361f #17 OleInitialize SHGetFileInfoW 4876->4877 4953 406521 lstrcpynW 4877->4953 4880 40366e GetCommandLineW 4954 406521 lstrcpynW 4880->4954 4882 403680 4883 405e1d CharNextW 4882->4883 4884 4036a6 CharNextW 4883->4884 4890 4036b8 4884->4890 4885 4037ba 4886 4037ce GetTempPathW 4885->4886 4955 4034cb 4886->4955 4888 4037e6 4891 403840 DeleteFileW 4888->4891 4892 4037ea GetWindowsDirectoryW lstrcatW 4888->4892 4889 405e1d CharNextW 4889->4890 4890->4885 4890->4889 4898 4037bc 4890->4898 4965 403082 GetTickCount GetModuleFileNameW 4891->4965 4894 4034cb 12 API calls 4892->4894 4895 403806 4894->4895 4895->4891 4897 40380a GetTempPathW lstrcatW SetEnvironmentVariableW SetEnvironmentVariableW 4895->4897 4896 403854 4901 4038fb 4896->4901 4905 405e1d CharNextW 4896->4905 4944 40390b 4896->4944 4899 4034cb 12 API calls 4897->4899 5049 406521 lstrcpynW 4898->5049 4903 403838 4899->4903 4993 403bf3 4901->4993 4903->4891 4903->4944 4920 403873 4905->4920 4907 403a59 4909 405b81 MessageBoxIndirectW 4907->4909 4908 403a7d 4910 403b01 ExitProcess 4908->4910 4911 403a85 GetCurrentProcess OpenProcessToken 4908->4911 4915 403a67 ExitProcess 4909->4915 4916 403ad1 4911->4916 4917 403a9d LookupPrivilegeValueW AdjustTokenPrivileges 4911->4917 4912 4038d1 4918 405ef8 18 API calls 4912->4918 4913 403914 4919 405aec 5 API calls 4913->4919 4921 406915 5 API calls 4916->4921 4917->4916 4923 4038dd 4918->4923 4924 403919 lstrlenW 4919->4924 4920->4912 
4920->4913 4922 403ad8 4921->4922 4925 403aed ExitWindowsEx 4922->4925 4928 403afa 4922->4928 4923->4944 5050 406521 lstrcpynW 4923->5050 5052 406521 lstrcpynW 4924->5052 4925->4910 4925->4928 4927 403933 4930 40394b 4927->4930 5053 406521 lstrcpynW 4927->5053 4931 40140b 2 API calls 4928->4931 4935 403971 wsprintfW 4930->4935 4931->4910 4932 4038f0 5051 406521 lstrcpynW 4932->5051 4936 40655e 21 API calls 4935->4936 4937 403995 4936->4937 4950 40399d 4937->4950 4938 405a75 2 API calls 4938->4950 4939 405acf 2 API calls 4939->4950 4940 4039e7 SetCurrentDirectoryW 4942 4062e1 40 API calls 4940->4942 4941 4039ad GetFileAttributesW 4943 4039b9 DeleteFileW 4941->4943 4941->4950 4945 4039f6 CopyFileW 4942->4945 4943->4950 5057 403b19 4944->5057 4945->4944 4945->4950 4946 405c2d 71 API calls 4946->4950 4947 4062e1 40 API calls 4947->4950 4948 40655e 21 API calls 4948->4950 4950->4930 4950->4935 4950->4938 4950->4939 4950->4940 4950->4941 4950->4944 4950->4946 4950->4947 4950->4948 4951 403a6f CloseHandle 4950->4951 4952 40687e 2 API calls 4950->4952 5054 405b04 CreateProcessW 4950->5054 4951->4944 4952->4950 4953->4880 4954->4882 4956 4067cf 5 API calls 4955->4956 4958 4034d7 4956->4958 4957 4034e1 4957->4888 4958->4957 4959 405df0 3 API calls 4958->4959 4960 4034e9 4959->4960 4961 405acf 2 API calls 4960->4961 4962 4034ef 4961->4962 4963 406040 2 API calls 4962->4963 4964 4034fa 4963->4964 4964->4888 5064 406011 GetFileAttributesW CreateFileW 4965->5064 4967 4030c2 4986 4030d2 4967->4986 5065 406521 lstrcpynW 4967->5065 4969 4030e8 4970 405e3c 2 API calls 4969->4970 4971 4030ee 4970->4971 5066 406521 lstrcpynW 4971->5066 4973 4030f9 GetFileSize 4974 4031f3 4973->4974 4988 403110 4973->4988 5067 40301e 4974->5067 4976 4031fc 4978 40322c GlobalAlloc 4976->4978 4976->4986 5079 4034b4 SetFilePointer 4976->5079 4977 40349e ReadFile 4977->4988 5078 4034b4 SetFilePointer 4978->5078 4980 40325f 4982 40301e 6 API calls 4980->4982 4982->4986 4983 403215 4987 40349e ReadFile 
4983->4987 4984 403247 4985 4032b9 39 API calls 4984->4985 4991 403253 4985->4991 4986->4896 4989 403220 4987->4989 4988->4974 4988->4977 4988->4980 4988->4986 4990 40301e 6 API calls 4988->4990 4989->4978 4989->4986 4990->4988 4991->4986 4991->4991 4992 403290 SetFilePointer 4991->4992 4992->4986 4994 406915 5 API calls 4993->4994 4995 403c07 4994->4995 4996 403c0d 4995->4996 4997 403c1f 4995->4997 5092 406468 wsprintfW 4996->5092 4998 4063ef 3 API calls 4997->4998 4999 403c4f 4998->4999 5001 403c6e lstrcatW 4999->5001 5003 4063ef 3 API calls 4999->5003 5002 403c1d 5001->5002 5084 403ec9 5002->5084 5003->5001 5006 405ef8 18 API calls 5007 403ca0 5006->5007 5008 403d34 5007->5008 5010 4063ef 3 API calls 5007->5010 5009 405ef8 18 API calls 5008->5009 5011 403d3a 5009->5011 5012 403cd2 5010->5012 5013 403d4a LoadImageW 5011->5013 5014 40655e 21 API calls 5011->5014 5012->5008 5017 403cf3 lstrlenW 5012->5017 5022 405e1d CharNextW 5012->5022 5015 403df0 5013->5015 5016 403d71 RegisterClassW 5013->5016 5014->5013 5020 40140b 2 API calls 5015->5020 5018 403da7 SystemParametersInfoW CreateWindowExW 5016->5018 5019 403dfa 5016->5019 5023 403d01 lstrcmpiW 5017->5023 5024 403d27 5017->5024 5018->5015 5019->4944 5021 403df6 5020->5021 5021->5019 5028 403ec9 22 API calls 5021->5028 5026 403cf0 5022->5026 5023->5024 5027 403d11 GetFileAttributesW 5023->5027 5025 405df0 3 API calls 5024->5025 5029 403d2d 5025->5029 5026->5017 5030 403d1d 5027->5030 5032 403e07 5028->5032 5093 406521 lstrcpynW 5029->5093 5030->5024 5031 405e3c 2 API calls 5030->5031 5031->5024 5034 403e13 ShowWindow 5032->5034 5035 403e96 5032->5035 5037 4068a5 3 API calls 5034->5037 5036 405679 5 API calls 5035->5036 5038 403e9c 5036->5038 5039 403e2b 5037->5039 5040 403ea0 5038->5040 5041 403eb8 5038->5041 5042 403e39 GetClassInfoW 5039->5042 5044 4068a5 3 API calls 5039->5044 5040->5019 5047 40140b 2 API calls 5040->5047 5043 40140b 2 API calls 5041->5043 5045 403e63 DialogBoxParamW 5042->5045 5046 403e4d 
GetClassInfoW RegisterClassW 5042->5046 5043->5019 5044->5042 5048 40140b 2 API calls 5045->5048 5046->5045 5047->5019 5048->5019 5049->4886 5050->4932 5051->4901 5052->4927 5053->4930 5055 405b43 5054->5055 5056 405b37 CloseHandle 5054->5056 5055->4950 5056->5055 5058 403b31 5057->5058 5059 403b23 CloseHandle 5057->5059 5095 403b5e 5058->5095 5059->5058 5062 405c2d 71 API calls 5063 403a4c OleUninitialize 5062->5063 5063->4907 5063->4908 5064->4967 5065->4969 5066->4973 5068 403027 5067->5068 5069 40303f 5067->5069 5070 403030 DestroyWindow 5068->5070 5071 403037 5068->5071 5072 403047 5069->5072 5073 40304f GetTickCount 5069->5073 5070->5071 5071->4976 5080 406951 5072->5080 5075 403080 5073->5075 5076 40305d CreateDialogParamW ShowWindow 5073->5076 5075->4976 5076->5075 5078->4984 5079->4983 5081 40696e PeekMessageW 5080->5081 5082 406964 DispatchMessageW 5081->5082 5083 40304d 5081->5083 5082->5081 5083->4976 5085 403edd 5084->5085 5094 406468 wsprintfW 5085->5094 5087 403f4e 5088 403f82 22 API calls 5087->5088 5090 403f53 5088->5090 5089 403c7e 5089->5006 5090->5089 5091 40655e 21 API calls 5090->5091 5091->5090 5092->5002 5093->5008 5094->5087 5096 403b6c 5095->5096 5097 403b36 5096->5097 5098 403b71 FreeLibrary GlobalFree 5096->5098 5097->5062 5098->5097 5098->5098 5606 401b7c 5607 402dab 21 API calls 5606->5607 5608 401b83 5607->5608 5609 402d89 21 API calls 5608->5609 5610 401b8c wsprintfW 5609->5610 5611 402c2f 5610->5611 5619 401000 5620 401037 BeginPaint GetClientRect 5619->5620 5621 40100c DefWindowProcW 5619->5621 5623 4010f3 5620->5623 5624 401179 5621->5624 5625 401073 CreateBrushIndirect FillRect DeleteObject 5623->5625 5626 4010fc 5623->5626 5625->5623 5627 401102 CreateFontIndirectW 5626->5627 5628 401167 EndPaint 5626->5628 5627->5628 5629 401112 6 API calls 5627->5629 5628->5624 5629->5628 5630 401680 5631 402dab 21 API calls 5630->5631 5632 401687 5631->5632 5633 402dab 21 API calls 5632->5633 5634 401690 5633->5634 5635 402dab 21 API calls 
5634->5635 5636 401699 MoveFileW 5635->5636 5637 4016ac 5636->5637 5643 4016a5 5636->5643 5638 40687e 2 API calls 5637->5638 5640 4022fb 5637->5640 5641 4016bb 5638->5641 5639 401423 28 API calls 5639->5640 5641->5640 5642 4062e1 40 API calls 5641->5642 5642->5643 5643->5639 5644 401503 5645 401508 5644->5645 5647 401520 5644->5647 5646 402d89 21 API calls 5645->5646 5646->5647 4453 402304 4454 402dab 21 API calls 4453->4454 4455 40230a 4454->4455 4456 402dab 21 API calls 4455->4456 4457 402313 4456->4457 4458 402dab 21 API calls 4457->4458 4459 40231c 4458->4459 4468 40687e FindFirstFileW 4459->4468 4462 402336 lstrlenW lstrlenW 4463 4055a6 28 API calls 4462->4463 4465 402374 SHFileOperationW 4463->4465 4466 402329 4465->4466 4467 402331 4465->4467 4466->4467 4471 4055a6 4466->4471 4469 406894 FindClose 4468->4469 4470 402325 4468->4470 4469->4470 4470->4462 4470->4466 4472 4055c1 4471->4472 4480 405663 4471->4480 4473 4055dd lstrlenW 4472->4473 4474 40655e 21 API calls 4472->4474 4475 405606 4473->4475 4476 4055eb lstrlenW 4473->4476 4474->4473 4478 405619 4475->4478 4479 40560c SetWindowTextW 4475->4479 4477 4055fd lstrcatW 4476->4477 4476->4480 4477->4475 4478->4480 4481 40561f SendMessageW SendMessageW SendMessageW 4478->4481 4479->4478 4480->4467 4481->4480 5648 401a04 5649 402dab 21 API calls 5648->5649 5650 401a0b 5649->5650 5651 402dab 21 API calls 5650->5651 5652 401a14 5651->5652 5653 401a1b lstrcmpiW 5652->5653 5654 401a2d lstrcmpW 5652->5654 5655 401a21 5653->5655 5654->5655 5656 401d86 5657 401d99 GetDlgItem 5656->5657 5658 401d8c 5656->5658 5660 401d93 5657->5660 5659 402d89 21 API calls 5658->5659 5659->5660 5661 401dda GetClientRect LoadImageW SendMessageW 5660->5661 5662 402dab 21 API calls 5660->5662 5664 401e38 5661->5664 5666 401e44 5661->5666 5662->5661 5665 401e3d DeleteObject 5664->5665 5664->5666 5665->5666 5667 402388 5668 40238f 5667->5668 5671 4023a2 5667->5671 5669 40655e 21 API calls 5668->5669 5670 40239c 5669->5670 5670->5671 5672 
405b81 MessageBoxIndirectW 5670->5672 5672->5671 5673 402c0a SendMessageW 5674 402c24 InvalidateRect 5673->5674 5675 402c2f 5673->5675 5674->5675 5683 6f941058 5685 6f941074 5683->5685 5684 6f9410dd 5685->5684 5686 6f9415b6 GlobalFree 5685->5686 5687 6f941092 5685->5687 5686->5687 5688 6f9415b6 GlobalFree 5687->5688 5689 6f9410a2 5688->5689 5690 6f9410b2 5689->5690 5691 6f9410a9 GlobalSize 5689->5691 5692 6f9410b6 GlobalAlloc 5690->5692 5693 6f9410c7 5690->5693 5691->5690 5694 6f9415dd 3 API calls 5692->5694 5695 6f9410d2 GlobalFree 5693->5695 5694->5693 5695->5684 5696 404f0d GetDlgItem GetDlgItem 5697 404f5f 7 API calls 5696->5697 5709 405184 5696->5709 5698 405006 DeleteObject 5697->5698 5699 404ff9 SendMessageW 5697->5699 5700 40500f 5698->5700 5699->5698 5701 405046 5700->5701 5705 40655e 21 API calls 5700->5705 5702 4044a0 22 API calls 5701->5702 5706 40505a 5702->5706 5703 405312 5707 405324 5703->5707 5708 40531c SendMessageW 5703->5708 5704 405266 5704->5703 5712 4052bf SendMessageW 5704->5712 5739 405177 5704->5739 5710 405028 SendMessageW SendMessageW 5705->5710 5711 4044a0 22 API calls 5706->5711 5719 405336 ImageList_Destroy 5707->5719 5720 40533d 5707->5720 5728 40534d 5707->5728 5708->5707 5709->5704 5726 4051f3 5709->5726 5750 404e5b SendMessageW 5709->5750 5710->5700 5727 40506b 5711->5727 5717 4052d4 SendMessageW 5712->5717 5712->5739 5713 405258 SendMessageW 5713->5704 5714 404507 8 API calls 5718 405513 5714->5718 5716 4054c7 5724 4054d9 ShowWindow GetDlgItem ShowWindow 5716->5724 5716->5739 5723 4052e7 5717->5723 5719->5720 5721 405346 GlobalFree 5720->5721 5720->5728 5721->5728 5722 405146 GetWindowLongW SetWindowLongW 5725 40515f 5722->5725 5734 4052f8 SendMessageW 5723->5734 5724->5739 5729 405164 ShowWindow 5725->5729 5730 40517c 5725->5730 5726->5704 5726->5713 5727->5722 5733 4050be SendMessageW 5727->5733 5735 405141 5727->5735 5736 405110 SendMessageW 5727->5736 5737 4050fc SendMessageW 5727->5737 5728->5716 5743 405388 5728->5743 5755 
404edb 5728->5755 5748 4044d5 SendMessageW 5729->5748 5749 4044d5 SendMessageW 5730->5749 5733->5727 5734->5703 5735->5722 5735->5725 5736->5727 5737->5727 5739->5714 5740 405492 5741 40549d InvalidateRect 5740->5741 5744 4054a9 5740->5744 5741->5744 5742 4053b6 SendMessageW 5747 4053cc 5742->5747 5743->5742 5743->5747 5744->5716 5764 404e16 5744->5764 5746 405440 SendMessageW SendMessageW 5746->5747 5747->5740 5747->5746 5748->5739 5749->5709 5751 404eba SendMessageW 5750->5751 5752 404e7e GetMessagePos ScreenToClient SendMessageW 5750->5752 5753 404eb2 5751->5753 5752->5753 5754 404eb7 5752->5754 5753->5726 5754->5751 5767 406521 lstrcpynW 5755->5767 5757 404eee 5768 406468 wsprintfW 5757->5768 5759 404ef8 5760 40140b 2 API calls 5759->5760 5761 404f01 5760->5761 5769 406521 lstrcpynW 5761->5769 5763 404f08 5763->5743 5770 404d4d 5764->5770 5766 404e2b 5766->5716 5767->5757 5768->5759 5769->5763 5771 404d66 5770->5771 5772 40655e 21 API calls 5771->5772 5773 404dca 5772->5773 5774 40655e 21 API calls 5773->5774 5775 404dd5 5774->5775 5776 40655e 21 API calls 5775->5776 5777 404deb lstrlenW wsprintfW SetDlgItemTextW 5776->5777 5777->5766 5778 40248f 5779 402dab 21 API calls 5778->5779 5780 4024a1 5779->5780 5781 402dab 21 API calls 5780->5781 5782 4024ab 5781->5782 5795 402e3b 5782->5795 5785 402c2f 5786 4024e3 5787 4024ef 5786->5787 5789 402d89 21 API calls 5786->5789 5790 40250e RegSetValueExW 5787->5790 5792 4032b9 39 API calls 5787->5792 5788 402dab 21 API calls 5791 4024d9 lstrlenW 5788->5791 5789->5787 5793 402524 RegCloseKey 5790->5793 5791->5786 5792->5790 5793->5785 5796 402e56 5795->5796 5799 4063bc 5796->5799 5800 4063cb 5799->5800 5801 4024bb 5800->5801 5802 4063d6 RegCreateKeyExW 5800->5802 5801->5785 5801->5786 5801->5788 5802->5801 5803 404610 lstrlenW 5804 404631 WideCharToMultiByte 5803->5804 5805 40462f 5803->5805 5805->5804 5806 402910 5807 402dab 21 API calls 5806->5807 5808 402917 FindFirstFileW 5807->5808 5809 40292a 5808->5809 5810 40293f 
5808->5810 5811 402948 5810->5811 5814 406468 wsprintfW 5810->5814 5815 406521 lstrcpynW 5811->5815 5814->5811 5815->5809 5816 401911 5817 401948 5816->5817 5818 402dab 21 API calls 5817->5818 5819 40194d 5818->5819 5820 405c2d 71 API calls 5819->5820 5821 401956 5820->5821 5822 401491 5823 4055a6 28 API calls 5822->5823 5824 401498 5823->5824 5825 404991 5826 4049bd 5825->5826 5827 4049ce 5825->5827 5886 405b65 GetDlgItemTextW 5826->5886 5829 4049da GetDlgItem 5827->5829 5832 404a39 5827->5832 5831 4049ee 5829->5831 5830 4049c8 5833 4067cf 5 API calls 5830->5833 5834 404a02 SetWindowTextW 5831->5834 5837 405e9b 4 API calls 5831->5837 5839 40655e 21 API calls 5832->5839 5848 404b1d 5832->5848 5884 404ccc 5832->5884 5833->5827 5838 4044a0 22 API calls 5834->5838 5836 404507 8 API calls 5844 404ce0 5836->5844 5845 4049f8 5837->5845 5841 404a1e 5838->5841 5842 404aad SHBrowseForFolderW 5839->5842 5840 404b4d 5843 405ef8 18 API calls 5840->5843 5846 4044a0 22 API calls 5841->5846 5847 404ac5 CoTaskMemFree 5842->5847 5842->5848 5849 404b53 5843->5849 5845->5834 5852 405df0 3 API calls 5845->5852 5850 404a2c 5846->5850 5851 405df0 3 API calls 5847->5851 5848->5884 5888 405b65 GetDlgItemTextW 5848->5888 5889 406521 lstrcpynW 5849->5889 5887 4044d5 SendMessageW 5850->5887 5854 404ad2 5851->5854 5852->5834 5857 404b09 SetDlgItemTextW 5854->5857 5861 40655e 21 API calls 5854->5861 5856 404a32 5859 406915 5 API calls 5856->5859 5857->5848 5858 404b6a 5860 406915 5 API calls 5858->5860 5859->5832 5868 404b71 5860->5868 5862 404af1 lstrcmpiW 5861->5862 5862->5857 5865 404b02 lstrcatW 5862->5865 5863 404bb2 5890 406521 lstrcpynW 5863->5890 5865->5857 5866 404bb9 5867 405e9b 4 API calls 5866->5867 5869 404bbf GetDiskFreeSpaceW 5867->5869 5868->5863 5872 405e3c 2 API calls 5868->5872 5874 404c0a 5868->5874 5871 404be3 MulDiv 5869->5871 5869->5874 5871->5874 5872->5868 5873 404c7b 5876 404c9e 5873->5876 5878 40140b 2 API calls 5873->5878 5874->5873 5875 404e16 24 API calls 
5874->5875 5877 404c68 5875->5877 5891 4044c2 KiUserCallbackDispatcher 5876->5891 5880 404c7d SetDlgItemTextW 5877->5880 5881 404c6d 5877->5881 5878->5876 5880->5873 5883 404d4d 24 API calls 5881->5883 5882 404cba 5882->5884 5885 4048ea SendMessageW 5882->5885 5883->5873 5884->5836 5885->5884 5886->5830 5887->5856 5888->5840 5889->5858 5890->5866 5891->5882 5892 401914 5893 402dab 21 API calls 5892->5893 5894 40191b 5893->5894 5895 405b81 MessageBoxIndirectW 5894->5895 5896 401924 5895->5896 4815 402896 4816 40289d 4815->4816 4818 402bae 4815->4818 4817 402d89 21 API calls 4816->4817 4819 4028a4 4817->4819 4820 4028b3 SetFilePointer 4819->4820 4820->4818 4821 4028c3 4820->4821 4823 406468 wsprintfW 4821->4823 4823->4818 5897 401f17 5898 402dab 21 API calls 5897->5898 5899 401f1d 5898->5899 5900 402dab 21 API calls 5899->5900 5901 401f26 5900->5901 5902 402dab 21 API calls 5901->5902 5903 401f2f 5902->5903 5904 402dab 21 API calls 5903->5904 5905 401f38 5904->5905 5906 401423 28 API calls 5905->5906 5907 401f3f 5906->5907 5914 405b47 ShellExecuteExW 5907->5914 5909 401f87 5911 402933 5909->5911 5915 4069c0 WaitForSingleObject 5909->5915 5912 401fa4 CloseHandle 5912->5911 5914->5909 5916 4069da 5915->5916 5917 4069ec GetExitCodeProcess 5916->5917 5918 406951 2 API calls 5916->5918 5917->5912 5919 4069e1 WaitForSingleObject 5918->5919 5919->5916 5920 6f942d43 5921 6f942d5b 5920->5921 5922 6f94162f 2 API calls 5921->5922 5923 6f942d76 5922->5923 5924 402f98 5925 402fc3 5924->5925 5926 402faa SetTimer 5924->5926 5927 403018 5925->5927 5928 402fdd MulDiv wsprintfW SetWindowTextW SetDlgItemTextW 5925->5928 5926->5925 5928->5927 5929 40551a 5930 40552a 5929->5930 5931 40553e 5929->5931 5933 405530 5930->5933 5934 405587 5930->5934 5932 405546 IsWindowVisible 5931->5932 5940 40555d 5931->5940 5932->5934 5935 405553 5932->5935 5937 4044ec SendMessageW 5933->5937 5936 40558c CallWindowProcW 5934->5936 5938 404e5b 5 API calls 5935->5938 5939 40553a 5936->5939 5937->5939 
5938->5940 5940->5936 5941 404edb 4 API calls 5940->5941 5941->5934 5942 401d1c 5943 402d89 21 API calls 5942->5943 5944 401d22 IsWindow 5943->5944 5945 401a25 5944->5945 5946 40149e 5947 4014ac PostQuitMessage 5946->5947 5948 4023a2 5946->5948 5947->5948 4222 401ba0 4223 401bf1 4222->4223 4229 401bad 4222->4229 4224 401c1b GlobalAlloc 4223->4224 4227 401bf6 4223->4227 4241 40655e 4224->4241 4225 401c36 4226 40655e 21 API calls 4225->4226 4235 4023a2 4225->4235 4230 40239c 4226->4230 4227->4235 4260 406521 lstrcpynW 4227->4260 4229->4225 4232 401bc4 4229->4232 4230->4235 4261 405b81 4230->4261 4258 406521 lstrcpynW 4232->4258 4233 401c08 GlobalFree 4233->4235 4237 401bd3 4259 406521 lstrcpynW 4237->4259 4239 401be2 4265 406521 lstrcpynW 4239->4265 4256 406569 4241->4256 4242 4067c9 4242->4225 4243 4067b0 4243->4242 4288 406521 lstrcpynW 4243->4288 4245 406781 lstrlenW 4245->4256 4248 40667a GetSystemDirectoryW 4248->4256 4249 40655e 15 API calls 4249->4245 4251 406690 GetWindowsDirectoryW 4251->4256 4252 40655e 15 API calls 4252->4256 4253 406722 lstrcatW 4253->4256 4256->4243 4256->4245 4256->4248 4256->4249 4256->4251 4256->4252 4256->4253 4257 4066f2 SHGetPathFromIDListW CoTaskMemFree 4256->4257 4266 4063ef 4256->4266 4271 406915 GetModuleHandleA 4256->4271 4277 4067cf 4256->4277 4286 406468 wsprintfW 4256->4286 4287 406521 lstrcpynW 4256->4287 4257->4256 4258->4237 4259->4239 4260->4233 4262 405b96 4261->4262 4263 405be2 4262->4263 4264 405baa MessageBoxIndirectW 4262->4264 4263->4235 4264->4263 4265->4235 4289 40638e 4266->4289 4269 406423 RegQueryValueExW RegCloseKey 4270 406453 4269->4270 4270->4256 4272 406931 4271->4272 4273 40693b GetProcAddress 4271->4273 4293 4068a5 GetSystemDirectoryW 4272->4293 4275 40694a 4273->4275 4275->4256 4276 406937 4276->4273 4276->4275 4284 4067dc 4277->4284 4278 406852 4279 406857 CharPrevW 4278->4279 4281 406878 4278->4281 4279->4278 4280 406845 CharNextW 4280->4278 4280->4284 4281->4256 4283 406831 CharNextW 4283->4284 
Control-flow graph edge list (node id -> successor node id, with the API called in each basic block) for the remaining functions of the NSIS stub mapped at 0x400000 and of the plugin DLL mapped at 0x6F94xxxx: 0x403FA1 (dialog procedure: GetDlgItem, SetWindowPos, ShowWindow, DestroyWindow, SetWindowLongW), 0x4025A3 and 0x402439 (registry enumeration and deletion: RegOpenKeyExW, RegEnumKeyW, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegCloseKey), 0x40252F (RegQueryValueExW), 0x4015A8 (SetFileAttributesW), 0x401FA9 (calls 0x405B04, the CreateProcessW wrapper, then CloseHandle), 0x40202F (GlobalAlloc, wsprintfW), 0x4021AF (CoCreateInstance), 0x401A35 (ExpandEnvironmentStringsW, lstrcmpW), 0x4023B7 (WritePrivateProfileStringW), 0x40173A (SearchPathW), 0x401D3D (GetDlgItem), 0x402621 (GetFileAttributesW, CreateFileW), 0x6F942A7F (VirtualProtect) and 0x6F9410E1 / 0x6F941774 / 0x6F941979 (GlobalAlloc, GlobalFree, lstrcpyW). The graph is rendered interactively in the original report and is not reproduced here.

                          Control-flow Graph: function at 0x4034FC (basic blocks 0x4034FC through 0x403B13; legend Executed / Not Executed). The interactive graph is not reproduced; its basic blocks call the APIs listed below and end in the ExitProcess and ExitWindowsEx paths.
                          APIs
                          • SetErrorMode.KERNELBASE ref: 0040351F
                          • GetVersionExW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040354A
                          • GetVersionExW.KERNEL32(?,?,?,?,?,?,?,?,?), ref: 0040355D
                          • lstrlenA.KERNEL32(UXTHEME,UXTHEME,?,?,?,?,?,?,?,?), ref: 004035F6
                          • #17.COMCTL32(?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403633
                          • OleInitialize.OLE32(00000000), ref: 0040363A
                          • SHGetFileInfoW.SHELL32(00420EC8,00000000,?,000002B4,00000000), ref: 00403659
                          • GetCommandLineW.KERNEL32(00428A20,NSIS Error,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 0040366E
                          • CharNextW.USER32(00000000,"C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.4932.17674.exe",00000020,"C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.4932.17674.exe",00000000,?,00000008,0000000A,0000000C), ref: 004036A7
                          • GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00008001,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 004037DF
                          • GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 004037F0
                          • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 004037FC
                          • GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403810
                          • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403818
                          • SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403829
                          • SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403831
                          • DeleteFileW.KERNELBASE(1033,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403845
                          • lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.4932.17674.exe",00000000,?,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 0040391E
                            • Part of subcall function 00406521: lstrcpynW.KERNEL32(?,?,00000400,0040366E,00428A20,NSIS Error,?,00000008,0000000A,0000000C), ref: 0040652E
                          • wsprintfW.USER32 ref: 0040397B
                          • GetFileAttributesW.KERNEL32(892,C:\Users\user\AppData\Local\Temp\), ref: 004039AE
                          • DeleteFileW.KERNEL32(892), ref: 004039BA
                          • SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\), ref: 004039E8
                            • Part of subcall function 004062E1: MoveFileExW.KERNEL32(?,?,00000005,00405DDF,?,00000000,000000F1,?,?,?,?,?), ref: 004062EB
                          • CopyFileW.KERNEL32(C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.4932.17674.exe,892,00000001,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004039FE
                            • Part of subcall function 00405B04: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00425F10,?,?,?,892,?), ref: 00405B2D
                            • Part of subcall function 00405B04: CloseHandle.KERNEL32(?,?,?,892,?), ref: 00405B3A
                            • Part of subcall function 0040687E: FindFirstFileW.KERNELBASE(75923420,00425F58,C:\Users\user\AppData\Local\Temp\nsd4C7.tmp,00405F41,C:\Users\user\AppData\Local\Temp\nsd4C7.tmp,C:\Users\user\AppData\Local\Temp\nsd4C7.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsd4C7.tmp,C:\Users\user\AppData\Local\Temp\nsd4C7.tmp,75923420,?,C:\Users\user\AppData\Local\Temp\,00405C4D,?,75923420,C:\Users\user\AppData\Local\Temp\), ref: 00406889
                            • Part of subcall function 0040687E: FindClose.KERNEL32(00000000), ref: 00406895
                          • OleUninitialize.OLE32(?,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403A4C
                          • ExitProcess.KERNEL32 ref: 00403A69
                          • CloseHandle.KERNEL32(00000000,0042D000,0042D000,?,892,00000000), ref: 00403A70
                          • GetCurrentProcess.KERNEL32(00000028,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403A8C
                          • OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,?,?,?), ref: 00403A93
                          • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403AA8
                          • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?), ref: 00403ACB
                          • ExitWindowsEx.USER32(00000002,80040002), ref: 00403AF0
                          • ExitProcess.KERNEL32 ref: 00403B13
                            • Part of subcall function 00405ACF: CreateDirectoryW.KERNELBASE(?,00000000,004034EF,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037E6,?,00000008,0000000A,0000000C), ref: 00405AD5
                          Memory Dump Source
                          • Source File: 00000000.00000002.4456168207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.4456154209.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.4456204885.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.4456225766.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.4456225766.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.4456225766.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.4456225766.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.4456225766.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.4456332938.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: File$Process$CloseDirectoryExit$CreateCurrentDeleteEnvironmentFindHandlePathTempTokenVariableVersionWindowslstrcatlstrlen$AdjustAttributesCharCommandCopyErrorFirstInfoInitializeLineLookupModeMoveNextOpenPrivilegePrivilegesUninitializeValuelstrcpynwsprintf
                          • String ID: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.4932.17674.exe"$1033$892$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.4932.17674.exe$C:\Users\user\polaritets$C:\Users\user\polaritets$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu%X.tmp
                          • API String ID: 1813718867-2219506024
                          • Opcode ID: 861c3a791dac713e5dc6c418a8dec487fa289242a5d5f99aa186722fda572ff2
                          • Instruction ID: bee44f309595f2ff458e9cecae568de25c9667724a66d0f49069eb89ae1a0629
                          • Opcode Fuzzy Hash: 861c3a791dac713e5dc6c418a8dec487fa289242a5d5f99aa186722fda572ff2
                          • Instruction Fuzzy Hash: FDF10170204301ABD720AF659D05B2B3EE8EB8570AF11483EF581B62D1DB7DCA45CB6E

                          Control-flow Graph: function at 0x4056E5 (basic blocks 0x4056E5 through 0x405A70; legend Executed / Not Executed). The interactive graph is not reproduced; the APIs reached from it, including the clipboard chain, are listed below.
                          APIs
                          • GetDlgItem.USER32(?,00000403), ref: 00405743
                          • GetDlgItem.USER32(?,000003EE), ref: 00405752
                          • GetClientRect.USER32(?,?), ref: 0040578F
                          • GetSystemMetrics.USER32(00000002), ref: 00405796
                          • SendMessageW.USER32(?,00001061,00000000,?), ref: 004057B7
                          • SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004057C8
                          • SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004057DB
                          • SendMessageW.USER32(?,00001026,00000000,00000110), ref: 004057E9
                          • SendMessageW.USER32(?,00001024,00000000,?), ref: 004057FC
                          • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 0040581E
                          • ShowWindow.USER32(?,00000008), ref: 00405832
                          • GetDlgItem.USER32(?,000003EC), ref: 00405853
                          • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00405863
                          • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 0040587C
                          • SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 00405888
                          • GetDlgItem.USER32(?,000003F8), ref: 00405761
                            • Part of subcall function 004044D5: SendMessageW.USER32(00000028,?,00000001,00404300), ref: 004044E3
                          • GetDlgItem.USER32(?,000003EC), ref: 004058A5
                          • CreateThread.KERNELBASE(00000000,00000000,Function_00005679,00000000), ref: 004058B3
                          • CloseHandle.KERNELBASE(00000000), ref: 004058BA
                          • ShowWindow.USER32(00000000), ref: 004058DE
                          • ShowWindow.USER32(?,00000008), ref: 004058E3
                          • ShowWindow.USER32(00000008), ref: 0040592D
                          • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405961
                          • CreatePopupMenu.USER32 ref: 00405972
                          • AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 00405986
                          • GetWindowRect.USER32(?,?), ref: 004059A6
                          • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004059BF
                          • SendMessageW.USER32(?,00001073,00000000,?), ref: 004059F7
                          • OpenClipboard.USER32(00000000), ref: 00405A07
                          • EmptyClipboard.USER32 ref: 00405A0D
                          • GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405A19
                          • GlobalLock.KERNEL32(00000000), ref: 00405A23
                          • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405A37
                          • GlobalUnlock.KERNEL32(00000000), ref: 00405A57
                          • SetClipboardData.USER32(0000000D,00000000), ref: 00405A62
                          • CloseClipboard.USER32 ref: 00405A68
                          Memory Dump Source
                          • Source File: 00000000.00000002.4456168207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true (associated dumps as listed for the function at 0x4034FC above)
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                          • String ID: {
                          • API String ID: 590372296-366298937
                          • Opcode ID: bcd6524ca319c6da9779c5e50c73cceb5f6d9afdf0ecbcca2ead9855fe138ddf
                          • Instruction ID: bfdbfabbc3eccdd340dcac883e36f8678c6b127a6a9b52dc92d7db9eae4071ee
                          • Opcode Fuzzy Hash: bcd6524ca319c6da9779c5e50c73cceb5f6d9afdf0ecbcca2ead9855fe138ddf
                          • Instruction Fuzzy Hash: FBB127B1900618FFDB11AF60DD89AAE7B79FB44354F00813AFA41B61A0CB754A92DF58
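The two API lists above (the NSIS entry function at 0x4034FC and the details-list dialog at 0x4056E5) are where a triage analyst separates installer boilerplate from behaviour worth chasing: the reboot path (SeShutdownPrivilege enabled, then ExitWindowsEx with EWX_REBOOT and reason 0x80040002), the TEMP/TMP override, the copy of the sample followed by CreateProcessW, and the clipboard chain, which in this function writes CF_UNICODETEXT through SetClipboardData rather than reading. The Python below is an added example, not part of the Joe Sandbox report or of the analysed sample: it parses lines in the report's `• API.MODULE(args), ref: ADDRESS` format (including the `Part of subcall function` entries) and derives behaviour flags from the ordered call list. The flag names, the ApiCall fields and the selection of sample lines are this example's own; the lines themselves are copied from the two functions above.

```python
"""Parser for Joe Sandbox 'APIs' trace lines plus behaviour flags derived
from them. Added example; not code from the report or the analysed sample.
Flag names, ApiCall fields and the SAMPLE_TRACE selection are this example's own."""
import re
from dataclasses import dataclass
from typing import Optional, Set, Tuple

# "• [Part of subcall function XXXXXXXX: ]API.MODULE[(args)], ref: ADDRESS"
_LINE = re.compile(
    r"^\s*\u2022?\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}): )?"
    r"(?P<api>[#\w]+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

@dataclass(frozen=True)
class ApiCall:
    api: str
    module: str
    args: Tuple[str, ...]
    ref: int                   # address of the call site
    subcall_of: Optional[int]  # callee address when the line is a subcall entry

def parse_api_trace(text: str) -> list:
    """Return the calls on lines matching the trace format; headings are skipped."""
    calls = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        raw = m.group("args")
        # Plain split is safe here: no argument in this trace contains a comma.
        args = tuple(a.strip() for a in raw.split(",")) if raw else ()
        sub = m.group("sub")
        calls.append(ApiCall(m.group("api"), m.group("mod"), args,
                             int(m.group("ref"), 16), int(sub, 16) if sub else None))
    return calls

# winuser.h / reason.h constants used to decode ExitWindowsEx(uFlags, dwReason)
EWX_REBOOT = 0x00000002
SHTDN_REASON_FLAG_PLANNED = 0x80000000
SHTDN_REASON_MAJOR_APPLICATION = 0x00040000
SHTDN_REASON_MINOR_INSTALLATION = 0x00000002
CF_UNICODETEXT = 0x0000000D

def decode_exit_windows(call: ApiCall) -> dict:
    flags, reason = int(call.args[0], 16), int(call.args[1], 16)
    return {"reboot": bool(flags & EWX_REBOOT),
            "planned": bool(reason & SHTDN_REASON_FLAG_PLANNED),
            "major_application": (reason & 0x00FF0000) == SHTDN_REASON_MAJOR_APPLICATION,
            "minor_installation": (reason & 0x0000FFFF) == SHTDN_REASON_MINOR_INSTALLATION}

def summarize(calls: list, sample_path: str) -> Set[str]:
    """Behaviour flags over the ordered call list (order matters for the self-copy check)."""
    names = [c.api for c in calls]
    flags = set()
    if ({"OpenProcessToken", "AdjustTokenPrivileges"} <= set(names)
            and any(c.api == "LookupPrivilegeValueW" and "SeShutdownPrivilege" in c.args
                    for c in calls)):
        flags.add("enables_SeShutdownPrivilege")
    if any(c.api == "ExitWindowsEx" and decode_exit_windows(c)["reboot"] for c in calls):
        flags.add("reboot_via_ExitWindowsEx")
    env = {c.args[0] for c in calls if c.api == "SetEnvironmentVariableW" and c.args}
    if {"TEMP", "TMP"} <= env:
        flags.add("overrides_TEMP_and_TMP")
    copies = [i for i, c in enumerate(calls)
              if c.api == "CopyFileW" and c.args and c.args[0] == sample_path]
    if copies and "CreateProcessW" in names[copies[0]:]:
        flags.add("self_copy_then_CreateProcessW")
    if any(c.api == "SetClipboardData" and int(c.args[0], 16) == CF_UNICODETEXT
           for c in calls):
        flags.add("writes_CF_UNICODETEXT_to_clipboard")
    return flags

SAMPLE_PATH = r"C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.4932.17674.exe"
# Trace lines copied from the report (function 0x4034FC, then 0x4056E5); the
# "APIs" heading is included to show that non-matching lines are ignored.
SAMPLE_TRACE = r"""APIs
• SetErrorMode.KERNELBASE ref: 0040351F
• SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403829
• SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403831
• CopyFileW.KERNEL32(C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.4932.17674.exe,892,00000001,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004039FE
  • Part of subcall function 00405B04: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00425F10,?,?,?,892,?), ref: 00405B2D
• OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,?,?,?), ref: 00403A93
• LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403AA8
• AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?), ref: 00403ACB
• ExitWindowsEx.USER32(00000002,80040002), ref: 00403AF0
• OpenClipboard.USER32(00000000), ref: 00405A07
• GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405A19
• SendMessageW.USER32(?,00001073,00000000,?), ref: 00405A37
• SetClipboardData.USER32(0000000D,00000000), ref: 00405A62
• CloseClipboard.USER32 ref: 00405A68
"""

if __name__ == "__main__":
    parsed = parse_api_trace(SAMPLE_TRACE)
    print(sorted(summarize(parsed, SAMPLE_PATH)))
```

Run it directly to print the flag set for the embedded lines; in a pipeline you would feed it the full APIs section of each function and diff the flag sets against a known-good NSIS stub. Every behaviour flagged here is reachable in the installer runtime itself (the `NSIS Error` and `~nsu%X.tmp` strings under the String ID of 0x4034FC belong to that runtime), so none of them alone identifies the packed payload; they tell you which functions to skip and which to read.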

                          Control-flow Graph: function at 0x405C2D (basic blocks 0x405C2D through 0x405DED; legend Executed / Not Executed). The interactive graph is not reproduced; the function walks a directory with FindFirstFileW / FindNextFileW on "\*.*", deleting files and recursing into subdirectories, as the API list below shows.
                          APIs
                          • DeleteFileW.KERNELBASE(?,?,75923420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.4932.17674.exe"), ref: 00405C56
                          • lstrcatW.KERNEL32(00424F10,\*.*,00424F10,?,?,75923420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.4932.17674.exe"), ref: 00405C9E
                          • lstrcatW.KERNEL32(?,0040A014,?,00424F10,?,?,75923420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.4932.17674.exe"), ref: 00405CC1
                          • lstrlenW.KERNEL32(?,?,0040A014,?,00424F10,?,?,75923420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.4932.17674.exe"), ref: 00405CC7
                          • FindFirstFileW.KERNEL32(00424F10,?,?,?,0040A014,?,00424F10,?,?,75923420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.4932.17674.exe"), ref: 00405CD7
                          • FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405D77
                          • FindClose.KERNEL32(00000000), ref: 00405D86
                          Strings
                          • "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.4932.17674.exe", xrefs: 00405C36
                          • C:\Users\user\AppData\Local\Temp\, xrefs: 00405C3A
                          • \*.*, xrefs: 00405C98
                          Memory Dump Source
                          • Source File: 00000000.00000002.4456168207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true (associated dumps as listed for the function at 0x4034FC above)
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                          • String ID: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.4932.17674.exe"$C:\Users\user\AppData\Local\Temp\$\*.*
                          • API String ID: 2035342205-3713675717
                          • Opcode ID: 9251ba415d381c0528a68256adb7b13e134a55f337ff098e8b7b00a93e79b23f
                          • Instruction ID: aec485693c4c1533f42b9347a66a6bbcb57ea8568fe9c979ecac7928daa7b7f5
                          • Opcode Fuzzy Hash: 9251ba415d381c0528a68256adb7b13e134a55f337ff098e8b7b00a93e79b23f
                          • Instruction Fuzzy Hash: 8741D230801A14BADB31BB659D4DAAF7678EF41718F14813FF801B11D5D77C8A829EAE
                          APIs
                          • FindFirstFileW.KERNELBASE(75923420,00425F58,C:\Users\user\AppData\Local\Temp\nsd4C7.tmp,00405F41,C:\Users\user\AppData\Local\Temp\nsd4C7.tmp,C:\Users\user\AppData\Local\Temp\nsd4C7.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsd4C7.tmp,C:\Users\user\AppData\Local\Temp\nsd4C7.tmp,75923420,?,C:\Users\user\AppData\Local\Temp\,00405C4D,?,75923420,C:\Users\user\AppData\Local\Temp\), ref: 00406889
                          • FindClose.KERNEL32(00000000), ref: 00406895
                          Strings
                          • C:\Users\user\AppData\Local\Temp\nsd4C7.tmp, xrefs: 0040687E
                          • X_B, xrefs: 0040687F
                          Memory Dump Source
                          • Source File: 00000000.00000002.4456168207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true (associated dumps as listed for the function at 0x4034FC above)
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: Find$CloseFileFirst
                          • String ID: C:\Users\user\AppData\Local\Temp\nsd4C7.tmp$X_B
                          • API String ID: 2295610775-2664151728
                          • Opcode ID: 368a1c0a689282c2aa5195ddf357efb180b92b440bed087baa82a07527058284
                          • Instruction ID: 6d56574ea64d1328abe48e6f64e5cab5a12c2004fb3b9259b4ed260009733db8
                          • Opcode Fuzzy Hash: 368a1c0a689282c2aa5195ddf357efb180b92b440bed087baa82a07527058284
                          • Instruction Fuzzy Hash: AFD0123250A5205BC6406B386E0C84B7A58AF553717268A36F5AAF21E0CB788C6696AC
                          Memory Dump Source
                          • Source File: 00000000.00000002.4456168207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000000.00000002.4456154209.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456204885.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456332938.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 8964584eaf82ae0cb152a3b9d71f3809ce5605a589357672a1976e67bd0135b4
                          • Instruction ID: 98dfc50ccd9688b87079ede1b44bfc78bfb7a95d74622a08e623e0ee65e5f8c5
                          • Opcode Fuzzy Hash: 8964584eaf82ae0cb152a3b9d71f3809ce5605a589357672a1976e67bd0135b4
                          • Instruction Fuzzy Hash: B2F17870D04229CBDF28CFA8C8946ADBBB0FF44305F25816ED456BB281D7786A86CF45

                           Control-flow Graph

                           [Control-flow graph image for the function starting at 403fa1; rendered graph data omitted]
                          APIs
                          • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403FDD
                          • ShowWindow.USER32(?), ref: 00403FFD
                          • GetWindowLongW.USER32(?,000000F0), ref: 0040400F
                          • ShowWindow.USER32(?,00000004), ref: 00404028
                          • DestroyWindow.USER32 ref: 0040403C
                          • SetWindowLongW.USER32(?,00000000,00000000), ref: 00404055
                          • GetDlgItem.USER32(?,?), ref: 00404074
                          • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00404088
                          • IsWindowEnabled.USER32(00000000), ref: 0040408F
                          • GetDlgItem.USER32(?,00000001), ref: 0040413A
                          • GetDlgItem.USER32(?,00000002), ref: 00404144
                          • SetClassLongW.USER32(?,000000F2,?), ref: 0040415E
                          • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 004041AF
                          • GetDlgItem.USER32(?,00000003), ref: 00404255
                          • ShowWindow.USER32(00000000,?), ref: 00404276
                          • KiUserCallbackDispatcher.NTDLL(?,?), ref: 00404288
                          • EnableWindow.USER32(?,?), ref: 004042A3
                          • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 004042B9
                          • EnableMenuItem.USER32(00000000), ref: 004042C0
                          • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 004042D8
                          • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 004042EB
                          • lstrlenW.KERNEL32(00422F08,?,00422F08,00000000), ref: 00404315
                          • SetWindowTextW.USER32(?,00422F08), ref: 00404329
                          • ShowWindow.USER32(?,0000000A), ref: 0040445D
                          Memory Dump Source
                          • Source File: 00000000.00000002.4456168207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000000.00000002.4456154209.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456204885.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456332938.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: Window$Item$MessageSendShow$Long$EnableMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
                          • String ID:
                          • API String ID: 121052019-0
                          • Opcode ID: f0b43cd8e7f2e41f431c118fff2888e9d111a3339ebed408ace792690fb64996
                          • Instruction ID: 6cd4652e30ec862c23bd12a6162173760bab2c1fa5186c41ecc3a298f9dddab8
                          • Opcode Fuzzy Hash: f0b43cd8e7f2e41f431c118fff2888e9d111a3339ebed408ace792690fb64996
                          • Instruction Fuzzy Hash: 7FC1C0B1600204ABDB216F21EE49E2B3A69FB94709F41053EF751B51F0CB795882DB2E

                           Control-flow Graph

                           [Control-flow graph image for the function starting at 403bf3; rendered graph data omitted]
                          APIs
                            • Part of subcall function 00406915: GetModuleHandleA.KERNEL32(?,00000020,?,0040360C,0000000C,?,?,?,?,?,?,?,?), ref: 00406927
                            • Part of subcall function 00406915: GetProcAddress.KERNEL32(00000000,?), ref: 00406942
                          • lstrcatW.KERNEL32(1033,00422F08,80000001,Control Panel\Desktop\ResourceLocale,00000000,00422F08,00000000,00000002,75923420,C:\Users\user\AppData\Local\Temp\,00000000,"C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.4932.17674.exe",00008001), ref: 00403C74
                          • lstrlenW.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\polaritets,1033,00422F08,80000001,Control Panel\Desktop\ResourceLocale,00000000,00422F08,00000000,00000002,75923420), ref: 00403CF4
                          • lstrcmpiW.KERNEL32(?,.exe,Call,?,?,?,Call,00000000,C:\Users\user\polaritets,1033,00422F08,80000001,Control Panel\Desktop\ResourceLocale,00000000,00422F08,00000000), ref: 00403D07
                          • GetFileAttributesW.KERNEL32(Call), ref: 00403D12
                          • LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\polaritets), ref: 00403D5B
                            • Part of subcall function 00406468: wsprintfW.USER32 ref: 00406475
                          • RegisterClassW.USER32(004289C0), ref: 00403D98
                          • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403DB0
                          • CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403DE5
                          • ShowWindow.USER32(00000005,00000000), ref: 00403E1B
                          • GetClassInfoW.USER32(00000000,RichEdit20W,004289C0), ref: 00403E47
                          • GetClassInfoW.USER32(00000000,RichEdit,004289C0), ref: 00403E54
                          • RegisterClassW.USER32(004289C0), ref: 00403E5D
                          • DialogBoxParamW.USER32(?,00000000,00403FA1,00000000), ref: 00403E7C
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.4456168207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000000.00000002.4456154209.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456204885.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456332938.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                          • String ID: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.4932.17674.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\polaritets$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
                          • API String ID: 1975747703-3136459882
                          • Opcode ID: 0ef04955f1a6976a10593322067df9edaff6e7f7a832361b73f8beed2d85b6c9
                          • Instruction ID: 6a74b9b34ded998ebd2751605f77428bf44f11e359ee0ac59d58ca77ea789e65
                          • Opcode Fuzzy Hash: 0ef04955f1a6976a10593322067df9edaff6e7f7a832361b73f8beed2d85b6c9
                          • Instruction Fuzzy Hash: 2C61B770200740BAD620AF669D46F2B3A7CEB84B45F81453FF941B61E2CB7D5942CB6D

                           Control-flow Graph

                           [Control-flow graph image for the function starting at 403082; rendered graph data omitted]
                          APIs
                          • GetTickCount.KERNEL32 ref: 00403093
                          • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.4932.17674.exe,00000400), ref: 004030AF
                            • Part of subcall function 00406011: GetFileAttributesW.KERNELBASE(00000003,004030C2,C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.4932.17674.exe,80000000,00000003), ref: 00406015
                            • Part of subcall function 00406011: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00406037
                          • GetFileSize.KERNEL32(00000000,00000000,00438000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.4932.17674.exe,C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.4932.17674.exe,80000000,00000003), ref: 004030FB
                          • GlobalAlloc.KERNELBASE(00000040,?), ref: 00403231
                          Strings
                          • "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.4932.17674.exe", xrefs: 00403088
                          • Null, xrefs: 00403179
                          • Error launching installer, xrefs: 004030D2
                          • soft, xrefs: 00403170
                          • C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.4932.17674.exe, xrefs: 00403099, 004030A8, 004030BC, 004030DC
                          • Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00403258
                          • C:\Users\user\Desktop, xrefs: 004030DD, 004030E2, 004030E8
                          • C:\Users\user\AppData\Local\Temp\, xrefs: 00403089
                          • Inst, xrefs: 00403167
                          Memory Dump Source
                          • Source File: 00000000.00000002.4456168207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000000.00000002.4456154209.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456204885.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456332938.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
                          • String ID: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.4932.17674.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.4932.17674.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
                          • API String ID: 2803837635-114436662
                          • Opcode ID: f6f149303cde104692999693530b98443d3dd0b2c967e283c98aa5a581eac7be
                          • Instruction ID: 0271efb430f2efbe2fca7880162b12dddab7439e54d706f300c55aed9b32fb97
                          • Opcode Fuzzy Hash: f6f149303cde104692999693530b98443d3dd0b2c967e283c98aa5a581eac7be
                          • Instruction Fuzzy Hash: 7B51C071A01304ABDB209F65DD85B9E7FACAB09316F10407BF904B62D1D7789E818B5D

                           Control-flow Graph

                           [Control-flow graph image for the function starting at 40655e; rendered graph data omitted]
                          APIs
                          • GetSystemDirectoryW.KERNEL32(Call,00000400), ref: 00406680
                          • GetWindowsDirectoryW.KERNEL32(Call,00000400,00000000,Skipped: C:\Users\user\AppData\Local\Temp\nsd4C7.tmp\System.dll,?,?,00000000,00000000,00418EC0,00000000), ref: 00406696
                          • SHGetPathFromIDListW.SHELL32(00000000,Call), ref: 004066F4
                          • CoTaskMemFree.OLE32(00000000,?,00000000,00000007), ref: 004066FD
                          • lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch,00000000,Skipped: C:\Users\user\AppData\Local\Temp\nsd4C7.tmp\System.dll,?,?,00000000,00000000,00418EC0,00000000), ref: 00406728
                          • lstrlenW.KERNEL32(Call,00000000,Skipped: C:\Users\user\AppData\Local\Temp\nsd4C7.tmp\System.dll,?,?,00000000,00000000,00418EC0,00000000), ref: 00406782
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.4456168207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000000.00000002.4456154209.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456204885.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456332938.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: Directory$FreeFromListPathSystemTaskWindowslstrcatlstrlen
                          • String ID: Call$Skipped: C:\Users\user\AppData\Local\Temp\nsd4C7.tmp\System.dll$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                          • API String ID: 4024019347-4183661868
                          • Opcode ID: 14c9f03641932d7153c154bb414b77852189b75d1473d82c894b9adbe9647435
                          • Instruction ID: c1bee3e663878f3afad94de22ef935420ccf361ce06c76a1d76179cfc985cdfa
                          • Opcode Fuzzy Hash: 14c9f03641932d7153c154bb414b77852189b75d1473d82c894b9adbe9647435
                          • Instruction Fuzzy Hash: 266146B1A043019BDB205F28DD80B6B77E4AF84318F65053FF646B32D1DA7D89A18B5E

                           Control-flow Graph

                           [Control-flow graph image for the function starting at 401774; rendered graph data omitted]
                          APIs
                          • lstrcatW.KERNEL32(00000000,00000000,Call,C:\Users\user\polaritets,?,?,00000031), ref: 004017B5
                          • CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,C:\Users\user\polaritets,?,?,00000031), ref: 004017DA
                            • Part of subcall function 00406521: lstrcpynW.KERNEL32(?,?,00000400,0040366E,00428A20,NSIS Error,?,00000008,0000000A,0000000C), ref: 0040652E
                            • Part of subcall function 004055A6: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsd4C7.tmp\System.dll,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,004033F2,00000000,?), ref: 004055DE
                            • Part of subcall function 004055A6: lstrlenW.KERNEL32(004033F2,Skipped: C:\Users\user\AppData\Local\Temp\nsd4C7.tmp\System.dll,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,004033F2,00000000), ref: 004055EE
                            • Part of subcall function 004055A6: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsd4C7.tmp\System.dll,004033F2,004033F2,Skipped: C:\Users\user\AppData\Local\Temp\nsd4C7.tmp\System.dll,00000000,00418EC0,00000000), ref: 00405601
                            • Part of subcall function 004055A6: SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsd4C7.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsd4C7.tmp\System.dll), ref: 00405613
                            • Part of subcall function 004055A6: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405639
                            • Part of subcall function 004055A6: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405653
                            • Part of subcall function 004055A6: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405661
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.4456168207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000000.00000002.4456154209.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456204885.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456332938.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                          • String ID: C:\Users\user\AppData\Local\Temp\nsd4C7.tmp$C:\Users\user\AppData\Local\Temp\nsd4C7.tmp\System.dll$C:\Users\user\polaritets$Call
                          • API String ID: 1941528284-1563404136
                          • Opcode ID: 8735ad9560c18e5a7f29f6a8244760e17f86ea249fb7e5f19f194b0f67ebe764
                          • Instruction ID: 1777f765e23ed303a4c4324df0f40fc052c607b9e3f25272d24a03cacca2a4dc
                          • Opcode Fuzzy Hash: 8735ad9560c18e5a7f29f6a8244760e17f86ea249fb7e5f19f194b0f67ebe764
                          • Instruction Fuzzy Hash: 9E41A531900509BACF117BA9DD86DAF3AB5EF45328B20423FF512B10E1DB3C8A52966D

                           Control-flow Graph: function 004055A6, basic blocks 4055a6-405676; internal call to 40655e, then lstrlenW, lstrcatW, SetWindowTextW and three SendMessageW calls (legend: Executed / Not Executed)
                          APIs
                          • lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsd4C7.tmp\System.dll,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,004033F2,00000000,?), ref: 004055DE
                          • lstrlenW.KERNEL32(004033F2,Skipped: C:\Users\user\AppData\Local\Temp\nsd4C7.tmp\System.dll,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,004033F2,00000000), ref: 004055EE
                          • lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsd4C7.tmp\System.dll,004033F2,004033F2,Skipped: C:\Users\user\AppData\Local\Temp\nsd4C7.tmp\System.dll,00000000,00418EC0,00000000), ref: 00405601
                          • SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsd4C7.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsd4C7.tmp\System.dll), ref: 00405613
                          • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405639
                          • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405653
                          • SendMessageW.USER32(?,00001013,?,00000000), ref: 00405661
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.4456168207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000000.00000002.4456154209.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456204885.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456332938.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: MessageSend$lstrlen$TextWindowlstrcat
                          • String ID: Skipped: C:\Users\user\AppData\Local\Temp\nsd4C7.tmp\System.dll
                          • API String ID: 2531174081-1119359415
                          • Opcode ID: a9fafcf7327b9621bb894f8e2d9ac48d1397335c234e36f420f2517ccdad5277
                          • Instruction ID: deb6953f75989b306d4e6df0e2073f5bc52164b7b2c012b705af3b177d86a23e
                          • Opcode Fuzzy Hash: a9fafcf7327b9621bb894f8e2d9ac48d1397335c234e36f420f2517ccdad5277
                          • Instruction Fuzzy Hash: 8F21B375900158BACB119FA5DD84ECFBF75EF45364F50803AF944B22A0C77A4A51CF68

                           Control-flow Graph: function 004026F1, basic blocks 4026f1-402c3e; internal calls to 402d89, 406481, 406094, 4060f2 and 406468 around ReadFile, MultiByteToWideChar and SetFilePointer (legend: Executed / Not Executed)
                          APIs
                          • ReadFile.KERNELBASE(?,?,?,?), ref: 0040275D
                          • MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 00402798
                          • SetFilePointer.KERNELBASE(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 004027BB
                          • MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 004027D1
                            • Part of subcall function 004060F2: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00406108
                          • SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 0040287D
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.4456168207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000000.00000002.4456154209.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456204885.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456332938.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: File$Pointer$ByteCharMultiWide$Read
                          • String ID: 9
                          • API String ID: 163830602-2366072709
                          • Opcode ID: 0fe20a848d4a285c173513a47146d0bdd1f0b43cc80ef0beb9e6d9777ffbd6ad
                          • Instruction ID: 4938fc2aff7960a3a7fedf371d3c64c497049ea43b58312dd80c80f6ae9549af
                          • Opcode Fuzzy Hash: 0fe20a848d4a285c173513a47146d0bdd1f0b43cc80ef0beb9e6d9777ffbd6ad
                          • Instruction Fuzzy Hash: 5051FB75D0421AABDF249FD4CA84AAEBB79FF04344F10817BE901B62D0D7B49D828B58

                           Control-flow Graph: function 004032B9, basic blocks 4032b9-40349b; internal calls to 40349e, 4034b4, 406a70, 406a90, 4060c3 and 4055a6, plus GetTickCount, MulDiv and wsprintfW (legend: Executed / Not Executed)
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.4456168207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000000.00000002.4456154209.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456204885.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456332938.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: CountTick$wsprintf
                          • String ID: ... %d%%
                          • API String ID: 551687249-2449383134
                          • Opcode ID: bb69fc25e18161a0849df33240b9b7daf63c30e93ac5b68caaa3da3af3354023
                          • Instruction ID: 25ee467b37f7358b1d8943912f63d539eb3ef7c07a249f5ee2dc3eaa61b9464a
                          • Opcode Fuzzy Hash: bb69fc25e18161a0849df33240b9b7daf63c30e93ac5b68caaa3da3af3354023
                          • Instruction Fuzzy Hash: 5B518E31900219EBCB11DF65DA44BAF3FA8AB40726F14417BF804BB2C1D7789E408BA9

                           Control-flow Graph: function 004068A5, basic blocks 4068a5-406912; GetSystemDirectoryW, wsprintfW, LoadLibraryExW (legend: Executed / Not Executed)
                          APIs
                          • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004068BC
                          • wsprintfW.USER32 ref: 004068F7
                          • LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 0040690B
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.4456168207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000000.00000002.4456154209.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456204885.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456332938.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: DirectoryLibraryLoadSystemwsprintf
                          • String ID: %s%S.dll$UXTHEME
                          • API String ID: 2200240437-1106614640
                          • Opcode ID: 7a73cbb44207cafadb11ab8eaaa41fd963bfa172cfc882b2dd9c54e233860d96
                          • Instruction ID: d40490b37a95929041f6b14fe17981fa15644a851550e805e000283098582d10
                          • Opcode Fuzzy Hash: 7a73cbb44207cafadb11ab8eaaa41fd963bfa172cfc882b2dd9c54e233860d96
                          • Instruction Fuzzy Hash: 41F0FC31511119AACF10BB64DD0DF9B375C9B00305F10847AE546F10D0EB789A68CBA8

                           Control-flow Graph: function 00402EAE, basic blocks 402eae-402f95; internal calls to 40638e and 406915 and a recursive call to 402eae around RegEnumValueW, RegEnumKeyW, RegCloseKey and RegDeleteKeyW (legend: Executed / Not Executed)
                          APIs
                          • RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402F02
                          • RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402F4E
                          • RegCloseKey.ADVAPI32(?,?,?), ref: 00402F57
                          • RegDeleteKeyW.ADVAPI32(?,?), ref: 00402F6E
                          • RegCloseKey.ADVAPI32(?,?,?), ref: 00402F79
                          Memory Dump Source
                          • Source File: 00000000.00000002.4456168207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000000.00000002.4456154209.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456204885.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456332938.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: CloseEnum$DeleteValue
                          • String ID:
                          • API String ID: 1354259210-0
                          • Opcode ID: 2404979ab5d72bd1f47e4c5d2100d154d2dcf156ce7fec90999c2a50aae3b712
                          • Instruction ID: 48bf034c557530f45265713f896c64b121a5f1f2f5b25ab6521791cb913d5ed3
                          • Opcode Fuzzy Hash: 2404979ab5d72bd1f47e4c5d2100d154d2dcf156ce7fec90999c2a50aae3b712
                          • Instruction Fuzzy Hash: 74215A7150010ABFDF119F90CE89EEF7B7DEB54388F110076B949B11A0D7B49E54AA68

                           Control-flow Graph: function 6F941817 (module at 6F940000), basic blocks 6f941817-6f941978; internal calls to 6f941bff, 6f94243e, 6f942480, 6f942655, 6f941654, 6f941312, 6f941666, 6f942b98, 6f942e23, 6f942810, 6f942618 and 6f9415dd, plus GlobalFree and FreeLibrary (legend: Executed / Not Executed)
                          APIs
                            • Part of subcall function 6F941BFF: GlobalFree.KERNEL32(?), ref: 6F941E74
                            • Part of subcall function 6F941BFF: GlobalFree.KERNEL32(?), ref: 6F941E79
                            • Part of subcall function 6F941BFF: GlobalFree.KERNEL32(?), ref: 6F941E7E
                          • GlobalFree.KERNEL32(00000000), ref: 6F9418C5
                          • FreeLibrary.KERNEL32(?), ref: 6F94194B
                          • GlobalFree.KERNEL32(00000000), ref: 6F941970
                            • Part of subcall function 6F94243E: GlobalAlloc.KERNEL32(00000040,?), ref: 6F94246F
                            • Part of subcall function 6F942810: GlobalAlloc.KERNEL32(00000040,00000000,?,?,00000000,?,?,?,6F941896,00000000), ref: 6F9428E0
                            • Part of subcall function 6F941666: wsprintfW.USER32 ref: 6F941694
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.4461641660.000000006F941000.00000020.00000001.01000000.00000004.sdmp, Offset: 6F940000, based on PE: true
                           • Associated: 00000000.00000002.4461624523.000000006F940000.00000002.00000001.01000000.00000004.sdmp
                           • Associated: 00000000.00000002.4461659490.000000006F944000.00000002.00000001.01000000.00000004.sdmp
                           • Associated: 00000000.00000002.4461678109.000000006F946000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6f940000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: Global$Free$Alloc$Librarywsprintf
                          • String ID:
                          • API String ID: 3962662361-3916222277
                          • Opcode ID: dd34521fec7d84f6a3742bd40f8937d6f9f6079e66f447bd48ea97ca9206f392
                          • Instruction ID: 3705d0ebef0c5ea0bc776d855043c9d9cc1b27d5e9ac94a9b4483646cea23db2
                          • Opcode Fuzzy Hash: dd34521fec7d84f6a3742bd40f8937d6f9f6079e66f447bd48ea97ca9206f392
                          • Instruction Fuzzy Hash: 2841B0718043059BEB1A9F74E888BD537ACBF37358F044566EA18DA1C6DB74E0E8CB60

                           Control-flow Graph: function 00406040, basic blocks 406040-406092; retry loop 40604d-406085 around GetTickCount and GetTempFileNameW (legend: Executed / Not Executed)
                          APIs
                          • GetTickCount.KERNEL32 ref: 0040605E
                          • GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,004034FA,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037E6), ref: 00406079
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.4456168207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000000.00000002.4456154209.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456204885.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456332938.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: CountFileNameTempTick
                          • String ID: C:\Users\user\AppData\Local\Temp\$nsa
                          • API String ID: 1716503409-44229769
                          • Opcode ID: 017de5c5da22b1c6cf72d7a8a287ef2c48f88e3ac937424cf3c6df762bd8e462
                          • Instruction ID: 4304e6ca34acc2e603ac9508cdf3fa98200610ac432ccd05af3fd9fdb7d66135
                          • Opcode Fuzzy Hash: 017de5c5da22b1c6cf72d7a8a287ef2c48f88e3ac937424cf3c6df762bd8e462
                          • Instruction Fuzzy Hash: 58F09676B40204FBDB10CF55ED05F9EB7ACEB95750F11403AEE05F7140E6B099548768
                          APIs
                            • Part of subcall function 00405E9B: CharNextW.USER32(?,?,C:\Users\user\AppData\Local\Temp\nsd4C7.tmp,?,00405F0F,C:\Users\user\AppData\Local\Temp\nsd4C7.tmp,C:\Users\user\AppData\Local\Temp\nsd4C7.tmp,75923420,?,C:\Users\user\AppData\Local\Temp\,00405C4D,?,75923420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.4932.17674.exe"), ref: 00405EA9
                            • Part of subcall function 00405E9B: CharNextW.USER32(00000000), ref: 00405EAE
                            • Part of subcall function 00405E9B: CharNextW.USER32(00000000), ref: 00405EC6
                          • GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161F
                            • Part of subcall function 00405A75: CreateDirectoryW.KERNELBASE(?,?), ref: 00405AB7
                          • SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\polaritets,?,00000000,000000F0), ref: 00401652
                          Strings
                          • C:\Users\user\polaritets, xrefs: 00401645
                          Memory Dump Source
                          • Source File: 00000000.00000002.4456168207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000000.00000002.4456154209.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456204885.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456332938.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: CharNext$Directory$AttributesCreateCurrentFile
                          • String ID: C:\Users\user\polaritets
                          • API String ID: 1892508949-4194401724
                          • Opcode ID: 4b68a463cc784b1945903bcff3764fd9da93cf801788bc1ee3673f5490bf8ecc
                          • Instruction ID: ceaefb5432ba9a2b041ab88b04bec91c1a8495824eafa6d8534a6d53eb807851
                          • Opcode Fuzzy Hash: 4b68a463cc784b1945903bcff3764fd9da93cf801788bc1ee3673f5490bf8ecc
                          • Instruction Fuzzy Hash: 2D11D031504604ABCF206FA5CD4099F36B0EF04368B29493FE941B22E1DA3E4E819E8E
                          APIs
                          • RegQueryValueExW.KERNELBASE(?,00000000,00000000,?,?,00000800,00000000,?,?,?,?,Call,?,00000000,00406660,80000002), ref: 00406435
                          • RegCloseKey.KERNELBASE(?), ref: 00406440
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.4456168207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000000.00000002.4456154209.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456204885.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456332938.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: CloseQueryValue
                          • String ID: Call
                          • API String ID: 3356406503-1824292864
                          • Opcode ID: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
                          • Instruction ID: 441e6d046e2572fd66e4c77006f0a98464fe89a944563537cf106c849ea921cc
                          • Opcode Fuzzy Hash: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
                          • Instruction Fuzzy Hash: 4F017172500209ABDF218F51CD05EDB3BA9EB54354F01403AFD1992191D738D968DF94
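                           The function records above belong to the installer stub that wraps the GuLoader payload, not to the payload itself. The ns<letter><hex>.tmp directory under %TEMP% holding System.dll (the NSIS System plugin, which lets the install script call arbitrary Win32 APIs), the GetTickCount call followed by GetTempFileNameW with the prefix "nsa" (NSIS shifts the last prefix letter by the tick count modulo 26 and retries, which is why the directory ends up as nsd4C7.tmp), the "%s%S.dll" / "UXTHEME" pair built from GetSystemDirectoryW and passed to LoadLibraryExW with flag 0x8 (LOAD_WITH_ALTERED_SEARCH_PATH), and the RegEnumKeyW / RegDeleteKeyW recursion are all standard NSIS exehead behaviour. The Python script below is an added triage example, not Joe Sandbox code and not code from the sample: it parses the plain-text API and String ID lines exactly as rendered in this listing, collects the string arguments, and flags those NSIS indicators together with the non-temp working directory C:\Users\user\polaritets handed to SetCurrentDirectoryW. The indicator names, the regexes and the treatment of the "Skipped:" argument marker are this example's own assumptions.

```python
"""Triage helper for the function listing above (added example, not Joe Sandbox code)."""
import re
from collections import defaultdict

# Constructed sample input: API and "String ID" lines copied from this report's
# function records (argument lists trimmed where they were very long).
SAMPLE_LINES = [
    r"• lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsd4C7.tmp\System.dll,00000000,00418EC0,00000000,?,?), ref: 004055DE",
    r"• Part of subcall function 004055A6: SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsd4C7.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsd4C7.tmp\System.dll), ref: 00405613",
    r"• GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004068BC",
    r"• wsprintfW.USER32 ref: 004068F7",
    r"• LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 0040690B",
    r"• String ID: %s%S.dll$UXTHEME",
    r"• RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402F4E",
    r"• RegDeleteKeyW.ADVAPI32(?,?), ref: 00402F6E",
    r"• GetTickCount.KERNEL32 ref: 0040605E",
    r"• GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,004034FA,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\), ref: 00406079",
    r"• String ID: C:\Users\user\AppData\Local\Temp\$nsa",
    r"• SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\polaritets,?,00000000,000000F0), ref: 00401652",
]

API_RE = re.compile(
    r"^\s*[•*-]?\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"          # e.g. LoadLibraryExW.KERNEL32
    r"(?:\((?P<args>.*)\))?"                  # some calls are listed without an argument list
    r"(?:,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+))?\s*$"
)
STRING_ID_RE = re.compile(r"^\s*[•*-]?\s*String ID:\s*(?P<ids>.*)$")
HEX_RE = re.compile(r"^[0-9A-Fa-f]{1,8}$")     # integer arguments are printed as hex
# NSIS extracts its plugins into %TEMP%\ns<letter><hex>.tmp (here nsd4C7.tmp).
NSIS_TMPDIR_RE = re.compile(r"\\(ns[a-z][0-9A-Fa-f]{1,4}\.tmp)(?:\\|$)", re.IGNORECASE)
DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:\\")


def parse_line(line):
    """Parse one listing line into an 'api' or 'strings' record; None for other lines."""
    m = STRING_ID_RE.match(line)
    if m:
        # The report joins several strings with '$' (assumption: '$' never occurs inside one).
        return {"kind": "strings", "values": [s for s in m.group("ids").split("$") if s]}
    m = API_RE.match(line)
    if not m:
        return None
    strings = []
    for arg in (m.group("args") or "").split(","):   # an argument containing ',' would be split
        arg = arg.strip()
        if arg.startswith("Skipped: "):                # Joe Sandbox marker; keep the text after it
            arg = arg[len("Skipped: "):]
        if arg and arg != "?" and not HEX_RE.match(arg):
            strings.append(arg)
    return {"kind": "api", "api": m.group("api"), "module": m.group("module"),
            "ref": m.group("ref"), "strings": strings}


def triage(lines):
    """Collect APIs and string arguments, then derive NSIS-stub indicators from them."""
    apis, by_api, strings = set(), defaultdict(list), set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["kind"] == "strings":
            strings.update(rec["values"])
        else:
            apis.add(rec["api"])
            by_api[rec["api"]].extend(rec["strings"])
            strings.update(rec["strings"])
    paths = sorted(s for s in strings if DRIVE_PATH_RE.match(s))
    nsis_dirs = sorted({m.group(1) for p in paths for m in [NSIS_TMPDIR_RE.search(p)] if m})
    indicators = []
    if nsis_dirs:
        indicators.append(("nsis_temp_dir", nsis_dirs))
    for p in paths:
        if p.lower().endswith("\\system.dll") and NSIS_TMPDIR_RE.search(p):
            indicators.append(("nsis_system_plugin", p))   # System plugin: script-driven Win32 calls
            break
    if "nsa" in strings and {"GetTickCount", "GetTempFileNameW"} <= apis:
        # NSIS my_GetTempFileName: prefix "nsa" with its last letter shifted by GetTickCount() % 26
        indicators.append(("nsis_tempname_prefix", "nsa"))
    if {"%s%S.dll", "UXTHEME"} <= strings and "LoadLibraryExW" in apis:
        indicators.append(("nsis_sysdir_dll_load", "UXTHEME.dll from GetSystemDirectoryW"))
    if {"RegEnumKeyW", "RegDeleteKeyW"} <= apis:
        indicators.append(("recursive_reg_key_delete", "RegEnumKeyW + RegDeleteKeyW"))
    for p in by_api.get("SetCurrentDirectoryW", []):
        if DRIVE_PATH_RE.match(p) and "\\temp\\" not in p.lower():
            indicators.append(("working_dir_outside_temp", p))   # candidate payload drop location
    return {"apis": sorted(apis), "paths": paths, "nsis_temp_dirs": nsis_dirs,
            "indicators": indicators}


if __name__ == "__main__":
    for name, detail in triage(SAMPLE_LINES)["indicators"]:
        print(f"{name:26s} {detail}")
```

                           Feed the script the whole text of a report's function listing rather than the trimmed sample and the paths it returns are the file-system IOCs to carry into hunting. The ns<letter><hex>.tmp name is different on every run because of the tick-count prefix and the GetTempFileNameW counter, so hunt on the pattern (an ns??.tmp directory under %TEMP% containing System.dll) rather than on the literal nsd4C7.tmp, and treat the non-temp working directory as the more stable artefact.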
                          Memory Dump Source
                          • Source File: 00000000.00000002.4456168207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.4456154209.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.4456204885.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.4456225766.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.4456225766.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.4456225766.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.4456225766.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.4456225766.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.4456332938.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: aff26f2f30a057b7958a1e63094fc459aa306f2dc33e22a09454c964c074026f
                          • Instruction ID: 2d246cc9a99bab59b70d05231fecbcf7b107c6ac3beee636f2a296df3f85dc82
                          • Opcode Fuzzy Hash: aff26f2f30a057b7958a1e63094fc459aa306f2dc33e22a09454c964c074026f
                          • Instruction Fuzzy Hash: 7DA14571E04228DBDF28CFA8C8546ADBBB1FF44305F10816AD856BB281D7786986DF45
                          Memory Dump Source
                          • Source File: 00000000.00000002.4456168207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.4456154209.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.4456204885.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.4456225766.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.4456225766.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.4456225766.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.4456225766.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.4456225766.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.4456332938.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 3ac8a4bfdb441625c816955e49305bbe8ba575533dfee591c2cbe8a61bd4ebd3
                          • Instruction ID: 7b0bebd33542e08950ef610181a47380a5391ae5859bceecccad38cd1577eaed
                          • Opcode Fuzzy Hash: 3ac8a4bfdb441625c816955e49305bbe8ba575533dfee591c2cbe8a61bd4ebd3
                          • Instruction Fuzzy Hash: 90911370E04228CBDF28CF98C854BADBBB1FF44305F14816AD856BB291D778A986DF45
                          Memory Dump Source
                          • Source File: 00000000.00000002.4456168207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.4456154209.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.4456204885.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.4456225766.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.4456225766.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.4456225766.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.4456225766.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.4456225766.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.4456332938.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 4946c792fe510ceb6f898f1d350858136886e798b9c642bfd65d449563e2a9d8
                          • Instruction ID: bb56daa647bdc5b8eebe4baaa8fd529e9884befb34821132b6d53cadc5dab3c5
                          • Opcode Fuzzy Hash: 4946c792fe510ceb6f898f1d350858136886e798b9c642bfd65d449563e2a9d8
                          • Instruction Fuzzy Hash: 84814571E04228DBDF24CFA8C844BADBBB1FF44305F24816AD456BB281D778A986DF05
                          Memory Dump Source
                          • Source File: 00000000.00000002.4456168207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.4456154209.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.4456204885.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.4456225766.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.4456225766.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.4456225766.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.4456225766.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.4456225766.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.4456332938.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 40acfd0569c51a0ed8326a41ceea3e1cadcd4e5eff2ca22ce679809f46488b45
                          • Instruction ID: 4c059968f2e2b24eb1e5e0c9ef09b3253d11b2009d36a285a9eb138ea7c1b005
                          • Opcode Fuzzy Hash: 40acfd0569c51a0ed8326a41ceea3e1cadcd4e5eff2ca22ce679809f46488b45
                          • Instruction Fuzzy Hash: 5B815971E04228DBDF24CFA8C8447ADBBB0FF44305F20816AD456BB281D7786986DF45
                          Memory Dump Source
                          • Source File: 00000000.00000002.4456168207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.4456154209.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.4456204885.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.4456225766.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.4456225766.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.4456225766.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.4456225766.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.4456225766.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.4456332938.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 7ecfdc6a50dff7d8916ace13d1bdc0889b51af96eca2ccc09b1dd9eb10df24f6
                          • Instruction ID: d60cf97a253a7e6a69b3ee1887f4eadeccf904993e12f72ad3f9abe973951288
                          • Opcode Fuzzy Hash: 7ecfdc6a50dff7d8916ace13d1bdc0889b51af96eca2ccc09b1dd9eb10df24f6
                          • Instruction Fuzzy Hash: A1711371E04228DBDF24CFA8C844BADBBB1FF44305F15806AD856BB281D778A986DF45
                          Memory Dump Source
                          • Source File: 00000000.00000002.4456168207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.4456154209.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.4456204885.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.4456225766.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.4456225766.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.4456225766.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.4456225766.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.4456225766.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.4456332938.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: c11de4171378e898cf9dd0cf6cc2122b5d0c7e9a287f85b53884598f27a71e29
                          • Instruction ID: 85b777fa610547d2183482adb232412925907ddbdaa1129d6a49a25a13354a82
                          • Opcode Fuzzy Hash: c11de4171378e898cf9dd0cf6cc2122b5d0c7e9a287f85b53884598f27a71e29
                          • Instruction Fuzzy Hash: 9D714671E04228DBDF28CF98C844BADBBB1FF44305F14816AD856BB281D778A986DF45
                          Memory Dump Source
                          • Source File: 00000000.00000002.4456168207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.4456154209.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.4456204885.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.4456225766.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.4456225766.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.4456225766.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.4456225766.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.4456225766.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.4456332938.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: f1fa58480ac5da56fa6cc6281bf6ff7b0f773126a89d504887f275dca7af18c3
                          • Instruction ID: 068c41ea6699cb9b24c5d93e390f6e15a746ef4a0ce6273c00671ddd4a3661d6
                          • Opcode Fuzzy Hash: f1fa58480ac5da56fa6cc6281bf6ff7b0f773126a89d504887f275dca7af18c3
                          • Instruction Fuzzy Hash: E0715771E04228DBDF24CF98C844BADBBB1FF44305F15806AD856BB281C778AA86DF45
                          APIs
                          • GetModuleHandleW.KERNELBASE(00000000,00000001,000000F0), ref: 00402108
                            • Part of subcall function 004055A6: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsd4C7.tmp\System.dll,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,004033F2,00000000,?), ref: 004055DE
                            • Part of subcall function 004055A6: lstrlenW.KERNEL32(004033F2,Skipped: C:\Users\user\AppData\Local\Temp\nsd4C7.tmp\System.dll,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,004033F2,00000000), ref: 004055EE
                            • Part of subcall function 004055A6: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsd4C7.tmp\System.dll,004033F2,004033F2,Skipped: C:\Users\user\AppData\Local\Temp\nsd4C7.tmp\System.dll,00000000,00418EC0,00000000), ref: 00405601
                            • Part of subcall function 004055A6: SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsd4C7.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsd4C7.tmp\System.dll), ref: 00405613
                            • Part of subcall function 004055A6: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405639
                            • Part of subcall function 004055A6: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405653
                            • Part of subcall function 004055A6: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405661
                          • LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 00402119
                          • FreeLibrary.KERNEL32(?,?,000000F7,?,?,00000008,00000001,000000F0), ref: 00402196
                          Memory Dump Source
                          • Source File: 00000000.00000002.4456168207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.4456154209.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.4456204885.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.4456225766.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.4456225766.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.4456225766.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.4456225766.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.4456225766.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.4456332938.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
                          • String ID:
                          • API String ID: 334405425-0
                          • Opcode ID: d9c937c8948d5d37c50d665afaa08982dd07723c7233c08654f6d387f6d988e5
                          • Instruction ID: a8e1189db69026d3652efcc6ea6e12950466f7228f8283b9583ebcadfcee3162
                          • Opcode Fuzzy Hash: d9c937c8948d5d37c50d665afaa08982dd07723c7233c08654f6d387f6d988e5
                          • Instruction Fuzzy Hash: 8D215031904108BADF11AFA5CE49A9E7AB1BF44359F20413BF105B91E1CBBD89829A5D
                          APIs
                          • GlobalFree.KERNEL32(00000000), ref: 00401C10
                          • GlobalAlloc.KERNELBASE(00000040,00000804), ref: 00401C22
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.4456168207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.4456154209.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.4456204885.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.4456225766.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.4456225766.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.4456225766.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.4456225766.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.4456225766.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.4456332938.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: Global$AllocFree
                          • String ID: Call
                          • API String ID: 3394109436-1824292864
                          • Opcode ID: e33d9b87315d49944383bdaefc5ba1c13c649625d32d96b536ae23307826b8e2
                          • Instruction ID: 4f57f46d507340bd06d3479355973fa93edc06c360faa14cbfff374a5dc28ea7
                          • Opcode Fuzzy Hash: e33d9b87315d49944383bdaefc5ba1c13c649625d32d96b536ae23307826b8e2
                          • Instruction Fuzzy Hash: 5721F673904214EBDB30AFA8DE85A5F72B4AB08324714053FF642B32C4C6B8DC418B9D
                          APIs
                            • Part of subcall function 0040687E: FindFirstFileW.KERNELBASE(75923420,00425F58,C:\Users\user\AppData\Local\Temp\nsd4C7.tmp,00405F41,C:\Users\user\AppData\Local\Temp\nsd4C7.tmp,C:\Users\user\AppData\Local\Temp\nsd4C7.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsd4C7.tmp,C:\Users\user\AppData\Local\Temp\nsd4C7.tmp,75923420,?,C:\Users\user\AppData\Local\Temp\,00405C4D,?,75923420,C:\Users\user\AppData\Local\Temp\), ref: 00406889
                            • Part of subcall function 0040687E: FindClose.KERNEL32(00000000), ref: 00406895
                          • lstrlenW.KERNEL32 ref: 00402344
                          • lstrlenW.KERNEL32(00000000), ref: 0040234F
                          • SHFileOperationW.SHELL32(?,?,?,00000000), ref: 00402378
                          Memory Dump Source
                          • Source File: 00000000.00000002.4456168207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.4456154209.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.4456204885.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.4456225766.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.4456225766.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.4456225766.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.4456225766.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.4456225766.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.4456332938.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: FileFindlstrlen$CloseFirstOperation
                          • String ID:
                          • API String ID: 1486964399-0
                          • Opcode ID: c92c3ee3ae18d95aa1771da2fabd1cb2010788539e6b4ab8b952707b1b2048dc
                          • Instruction ID: e570f7e88bbeadde5f19d209a5805755c0aba3de4ac721a8bb04e236ab5037c1
                          • Opcode Fuzzy Hash: c92c3ee3ae18d95aa1771da2fabd1cb2010788539e6b4ab8b952707b1b2048dc
                          • Instruction Fuzzy Hash: 93117071D00318AADB10EFF9DD09A9EB6B8AF14308F10443FA401FB2D1D6BCC9418B59
                          APIs
                          • RegEnumKeyW.ADVAPI32(00000000,00000000,?,000003FF), ref: 004025D6
                          • RegEnumValueW.ADVAPI32(00000000,00000000,?,?), ref: 004025E9
                          • RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsd4C7.tmp,00000000,00000011,00000002), ref: 00402602
                          Memory Dump Source
                          • Source File: 00000000.00000002.4456168207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.4456154209.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.4456204885.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.4456225766.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.4456225766.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.4456225766.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.4456225766.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.4456225766.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.4456332938.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: Enum$CloseValue
                          • String ID:
                          • API String ID: 397863658-0
                          • Opcode ID: ba34c4ace152f4771e18115f26e31f873f7731feb8842bd8527d51c3f02d9afa
                          • Instruction ID: fdeb1b79bd1b5feb028a75c257e649ad2cddb418c0fd83a6570d1db0005c2465
                          • Opcode Fuzzy Hash: ba34c4ace152f4771e18115f26e31f873f7731feb8842bd8527d51c3f02d9afa
                          • Instruction Fuzzy Hash: 7D017171904205BFEB149F949E58AAF7678FF40308F10443EF505B61C0DBB84E41976D
                          APIs
                          • RegQueryValueExW.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,?,00000033), ref: 00402560
                          • RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsd4C7.tmp,00000000,00000011,00000002), ref: 00402602
                          Memory Dump Source
                          • Source File: 00000000.00000002.4456168207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.4456154209.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.4456204885.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.4456225766.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.4456225766.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.4456225766.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.4456225766.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.4456225766.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.4456332938.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: CloseQueryValue
                          • String ID:
                          • API String ID: 3356406503-0
                          • Opcode ID: 56531dfc69c8a788bac7fcb245dee4885a6b683f52a9ec3ede9407be23b67ed3
                          • Instruction ID: b0e4e1b430255f92fa12a8c2637aeeefdc8d450e0dea4cce8f1fdd2cec8de2f5
                          • Opcode Fuzzy Hash: 56531dfc69c8a788bac7fcb245dee4885a6b683f52a9ec3ede9407be23b67ed3
                          • Instruction Fuzzy Hash: 61116A71900219EBDF14DFA0DA989AEB7B4BF04349F20447FE406B62C0D7B84A45EB5E
                          APIs
                          • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                          • SendMessageW.USER32(0040A2D8,00000402,00000000), ref: 004013F4
                          Memory Dump Source
                          • Source File: 00000000.00000002.4456168207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.4456154209.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.4456204885.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.4456225766.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.4456225766.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.4456225766.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.4456225766.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.4456225766.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.4456332938.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: MessageSend
                          • String ID:
                          • API String ID: 3850602802-0
                          • Opcode ID: 24120cd7971efbcf380a3cfcf85aef56aa5faf56da28ec4d1ccb8bb0957475b6
                          • Instruction ID: 2b867b2a322a557ec20ecaa395e060e0be7e2a6973b32d365fcb6e947ad1390c
                          • Opcode Fuzzy Hash: 24120cd7971efbcf380a3cfcf85aef56aa5faf56da28ec4d1ccb8bb0957475b6
                          • Instruction Fuzzy Hash: 9E01F4327242209BE7195B389D05B6B3798E710314F10863FF855F66F1DA78CC429B4C
                          APIs
                          • RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 0040245B
                          • RegCloseKey.ADVAPI32(00000000), ref: 00402464
                          Memory Dump Source
                          • Source File: 00000000.00000002.4456168207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.4456154209.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.4456204885.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.4456225766.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.4456225766.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.4456225766.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.4456225766.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.4456225766.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.4456332938.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: CloseDeleteValue
                          • String ID:
                          • API String ID: 2831762973-0
                          • Opcode ID: 729ecf5bba26eed59db8e40ba0825d20aa39ecfc350fd83ab66bb719c7a4b8e3
                          • Instruction ID: 823524eaaa32c5521ce5516f6f818df3cdafdbc5371ac3c1d9ba599ed9425974
                          • Opcode Fuzzy Hash: 729ecf5bba26eed59db8e40ba0825d20aa39ecfc350fd83ab66bb719c7a4b8e3
                          • Instruction Fuzzy Hash: 46F06232A04520ABDB10BBA89A8DAEE62B5AF54314F11443FE502B71C1CAFC4D02976D
                          APIs
                          • CreateDirectoryW.KERNELBASE(?,?), ref: 00405AB7
                          • GetLastError.KERNEL32 ref: 00405AC5
                          Memory Dump Source
                          • Source File: 00000000.00000002.4456168207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000000.00000002.4456154209.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456204885.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456332938.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: CreateDirectoryErrorLast
                          • String ID:
                          • API String ID: 1375471231-0
                          • Opcode ID: 93d1f65b513afb97053b6d969de6af344d99c991354c8e43ed6bd2c6eb9068ab
                          • Instruction ID: 25953aab165e2e3bb2b5eb59dc1d6ee29197e23c9d0e5a802ce790cbbbfebc39
                          • Opcode Fuzzy Hash: 93d1f65b513afb97053b6d969de6af344d99c991354c8e43ed6bd2c6eb9068ab
                          • Instruction Fuzzy Hash: 33F0F4B1D1060EDADB00DFA4C6497EFBBB4AB04309F04812AD941B6281D7B982488FA9
                          APIs
                          • ShowWindow.USER32(00000000,00000000), ref: 00401F01
                          • EnableWindow.USER32(00000000,00000000), ref: 00401F0C
                          Memory Dump Source
                          • Source File: 00000000.00000002.4456168207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000000.00000002.4456154209.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456204885.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456332938.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: Window$EnableShow
                          • String ID:
                          • API String ID: 1136574915-0
                          • Opcode ID: b342668e68410e2d968fedd3eb79c8682b657b25800b9077b5ecd2124e99ac37
                          • Instruction ID: a6cb0e5ea3b461fc76251f348ffd86be0a73501dc920cd99368f231d5504fafc
                          • Opcode Fuzzy Hash: b342668e68410e2d968fedd3eb79c8682b657b25800b9077b5ecd2124e99ac37
                          • Instruction Fuzzy Hash: F2E09A36A082049FE705EBA8AE484AEB3B0EB40325B200A7FE001F11C0CBB94C00866C
                          APIs
                          • GetModuleHandleA.KERNEL32(?,00000020,?,0040360C,0000000C,?,?,?,?,?,?,?,?), ref: 00406927
                          • GetProcAddress.KERNEL32(00000000,?), ref: 00406942
                            • Part of subcall function 004068A5: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004068BC
                            • Part of subcall function 004068A5: wsprintfW.USER32 ref: 004068F7
                            • Part of subcall function 004068A5: LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 0040690B
                          Memory Dump Source
                          • Source File: 00000000.00000002.4456168207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000000.00000002.4456154209.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456204885.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456332938.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                          • String ID:
                          • API String ID: 2547128583-0
                          • Opcode ID: 38b25401b771ecf209a524bd0999a173af8b0ad39984603ae0a2953bb283c85e
                          • Instruction ID: 5852e889d14e736f2df1098d3b7202b06462132acdc852f75f804bf3a6ff6809
                          • Opcode Fuzzy Hash: 38b25401b771ecf209a524bd0999a173af8b0ad39984603ae0a2953bb283c85e
                          • Instruction Fuzzy Hash: FCE08673604310EBD61056755D04D2773A8AF95A50302483EFD46F2144D738DC32A66A
                          APIs
                          • GetFileAttributesW.KERNELBASE(00000003,004030C2,C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.4932.17674.exe,80000000,00000003), ref: 00406015
                          • CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00406037
                          Memory Dump Source
                          • Source File: 00000000.00000002.4456168207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000000.00000002.4456154209.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456204885.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456332938.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: File$AttributesCreate
                          • String ID:
                          • API String ID: 415043291-0
                          • Opcode ID: 6be4d53c09d0ea7202590e2ef391dde9d68f005235e9a58d36352f422cb06a2c
                          • Instruction ID: 9d50a09f5748d4f60ef03139cc16a9656d1073ae209d3065c053d14625e31d4c
                          • Opcode Fuzzy Hash: 6be4d53c09d0ea7202590e2ef391dde9d68f005235e9a58d36352f422cb06a2c
                          • Instruction Fuzzy Hash: 87D09E31654301AFEF098F20DE16F2EBAA2EB84B00F11552CB682941E0DA715819DB15
                          APIs
                          • CreateDirectoryW.KERNELBASE(?,00000000,004034EF,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037E6,?,00000008,0000000A,0000000C), ref: 00405AD5
                          • GetLastError.KERNEL32(?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00405AE3
                          Memory Dump Source
                          • Source File: 00000000.00000002.4456168207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000000.00000002.4456154209.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456204885.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456332938.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: CreateDirectoryErrorLast
                          • String ID:
                          • API String ID: 1375471231-0
                          • Opcode ID: 7ce514c051633c67dabed91c1ba2c830ad6f4192d7236d4c27a26ed09d9cb01d
                          • Instruction ID: c141ebc68f4164d0a3663fa1b1ea49181af819f28e12deb644bc081b11005b13
                          • Opcode Fuzzy Hash: 7ce514c051633c67dabed91c1ba2c830ad6f4192d7236d4c27a26ed09d9cb01d
                          • Instruction Fuzzy Hash: 5DC08C30300A02DACF000B218F087073950AB00380F19483AA582E00A0CA308044CD2D
                          APIs
                          • SetFilePointer.KERNELBASE(00000000,?,00000000,?,?), ref: 004028B4
                            • Part of subcall function 00406468: wsprintfW.USER32 ref: 00406475
                          Memory Dump Source
                          • Source File: 00000000.00000002.4456168207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000000.00000002.4456154209.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456204885.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456332938.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: FilePointerwsprintf
                          • String ID:
                          • API String ID: 327478801-0
                          • Opcode ID: c408762c6ae6a09676534d13277c6868af0c4062816ce02b100207dfef7a20c8
                          • Instruction ID: 3ecce12b6213660a705480fd24811c4b14f3d13bc743ad81d22bf59cde18bc7d
                          • Opcode Fuzzy Hash: c408762c6ae6a09676534d13277c6868af0c4062816ce02b100207dfef7a20c8
                          • Instruction Fuzzy Hash: 8DE06D71904208AFDB01ABA5AA498AEB379EB44344B10483FF101B10C0CA794C119A2D
                          APIs
                          • SearchPathW.KERNELBASE(?,00000000,?,00000400,?,?,000000FF), ref: 0040174E
                          Memory Dump Source
                          • Source File: 00000000.00000002.4456168207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000000.00000002.4456154209.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456204885.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456332938.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: PathSearch
                          • String ID:
                          • API String ID: 2203818243-0
                          • Opcode ID: 96c3c64599610033e1741a12b780745032a27335a1d6010ee521e40a3137f023
                          • Instruction ID: 71d187b5cc8d7de3a3c01a98f906eab562aacc0ad357dac51c0352885440fd59
                          • Opcode Fuzzy Hash: 96c3c64599610033e1741a12b780745032a27335a1d6010ee521e40a3137f023
                          • Instruction Fuzzy Hash: D9E04871204104ABE700DB64DD48EAA7778DB5035CF20453AE511A60D1E6B55905971D
                          APIs
                          • WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,?,?,0040347F,00000000,00414EC0,?,00414EC0,?,000000FF,00000004,00000000), ref: 004060D7
                          Memory Dump Source
                          • Source File: 00000000.00000002.4456168207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000000.00000002.4456154209.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456204885.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456332938.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: FileWrite
                          • String ID:
                          • API String ID: 3934441357-0
                          • Opcode ID: 4494c28c6fc58b77f7b94402ffbb10e79d92760fb9961e7d9dbcb201027e3d13
                          • Instruction ID: de33e43015841e90b47a85578f5cc3acb86098a1fa118a6604a55d69533944a7
                          • Opcode Fuzzy Hash: 4494c28c6fc58b77f7b94402ffbb10e79d92760fb9961e7d9dbcb201027e3d13
                          • Instruction Fuzzy Hash: 41E08C3224022AABCF109E508D00EEB3B6CEB003A0F018433FD26E2090D630E83197A4
                          APIs
                          • ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,004034B1,00000000,00000000,00403308,000000FF,00000004,00000000,00000000,00000000), ref: 004060A8
                          Memory Dump Source
                          • Source File: 00000000.00000002.4456168207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000000.00000002.4456154209.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456204885.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456332938.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: FileRead
                          • String ID:
                          • API String ID: 2738559852-0
                          • Opcode ID: 076a4193e787d8b2f8fcded04b516b0b1a94860d7d4352c54bed072072f3bbd3
                          • Instruction ID: fd87eb1c4e4509ee71b5dc1f82ee1534a3bbef2287d177a98c1a1ef8e7fccbc0
                          • Opcode Fuzzy Hash: 076a4193e787d8b2f8fcded04b516b0b1a94860d7d4352c54bed072072f3bbd3
                          • Instruction Fuzzy Hash: 11E08C3229021AEBDF119E50CC00AEB7BACEB043A0F018436FD22E3180D671E83187A9
                          APIs
                          • VirtualProtect.KERNELBASE(6F94505C,00000004,00000040,6F94504C), ref: 6F942A9D
                          Memory Dump Source
                          • Source File: 00000000.00000002.4461641660.000000006F941000.00000020.00000001.01000000.00000004.sdmp, Offset: 6F940000, based on PE: true
                           • Associated: 00000000.00000002.4461624523.000000006F940000.00000002.00000001.01000000.00000004.sdmp
                           • Associated: 00000000.00000002.4461659490.000000006F944000.00000002.00000001.01000000.00000004.sdmp
                           • Associated: 00000000.00000002.4461678109.000000006F946000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6f940000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: ProtectVirtual
                          • String ID:
                          • API String ID: 544645111-0
                          • Opcode ID: 131d92b9e20db265b3c46453d70425af78a94c244efbac9fe5cb1cdc865c6135
                          • Instruction ID: 9ca3d51d758339a954ffb92b9c34fb8fdfcd143ccb7308f153718d658280669a
                          • Opcode Fuzzy Hash: 131d92b9e20db265b3c46453d70425af78a94c244efbac9fe5cb1cdc865c6135
                          • Instruction Fuzzy Hash: C4F0A5F8508A84DEEB64EFAC84447093BE0B77B324B14452AE24CD6280E374846CCF91
                          APIs
                          • RegOpenKeyExW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,0040641C,?,?,?,?,Call,?,00000000), ref: 004063B2
                          Memory Dump Source
                          • Source File: 00000000.00000002.4456168207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000000.00000002.4456154209.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456204885.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456332938.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: Open
                          • String ID:
                          • API String ID: 71445658-0
                          • Opcode ID: 8ee5b0d2344bda13eae74e7442d869633e0228d129a7f9cdea9876c3f2a2c01f
                          • Instruction ID: 99177681843bc7d8b33aa39255ce29306f0e35401c43de39655aaedf71f86506
                          • Opcode Fuzzy Hash: 8ee5b0d2344bda13eae74e7442d869633e0228d129a7f9cdea9876c3f2a2c01f
                          • Instruction Fuzzy Hash: DAD0173204020DBBDF119E90ED01FAB3B6DAB08350F014826FE06A40A0D776D534ABA8
                          APIs
                          • SetFileAttributesW.KERNELBASE(00000000,?,000000F0), ref: 004015B3
                          Memory Dump Source
                          • Source File: 00000000.00000002.4456168207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000000.00000002.4456154209.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456204885.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456332938.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: AttributesFile
                          • String ID:
                          • API String ID: 3188754299-0
                          • Opcode ID: 58434a7e7cdfb0d0f19199f5504f69f984a7681d240ae9cdceb23cdc370956f4
                          • Instruction ID: f79479eb79e616cc8aec51f56aa6edc525cb8d4391243906608abe1f76efb7bb
                          • Opcode Fuzzy Hash: 58434a7e7cdfb0d0f19199f5504f69f984a7681d240ae9cdceb23cdc370956f4
                          • Instruction Fuzzy Hash: 3DD05B72B08204DBDB01DBE8EA48A9E73B09B50328F20893BD111F11D0D6B9C945A75D
                          APIs
                          • SetDlgItemTextW.USER32(?,?,00000000), ref: 004044BA
                          Memory Dump Source
                          • Source File: 00000000.00000002.4456168207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000000.00000002.4456154209.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456204885.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456332938.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: ItemText
                          • String ID:
                          • API String ID: 3367045223-0
                          • Opcode ID: 9f5f9317995870dd68fcf34551989b3f9c33a874f6e62bdf9e4bbf2fb329bfe5
                          • Instruction ID: ae2ead1ac10e0797e36fe1c05e7dcabccdaa2022beaf041c85de5a3ae6598913
                          • Opcode Fuzzy Hash: 9f5f9317995870dd68fcf34551989b3f9c33a874f6e62bdf9e4bbf2fb329bfe5
                          • Instruction Fuzzy Hash: C9C08C71008200BFD241BB08CC02F1FB3AAEF90325F00C42EB15CA10D2C63595308A26
                          APIs
                          • SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004044FE
                          Memory Dump Source
                          • Source File: 00000000.00000002.4456168207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000000.00000002.4456154209.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456204885.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456332938.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: MessageSend
                          • String ID:
                          • API String ID: 3850602802-0
                          • Opcode ID: c543a5305144ba01004fe0d35289a86565b01ad173ebec7ef44f324a9b2ac024
                          • Instruction ID: 5c877ab33ec7e7ab303c696e8a99d36134f19a60efc45403e0926baa73fdbb46
                          • Opcode Fuzzy Hash: c543a5305144ba01004fe0d35289a86565b01ad173ebec7ef44f324a9b2ac024
                          • Instruction Fuzzy Hash: 9AC09BF57413017BDA209F509D45F1777585790710F15453D7350F50E0CBB4E450D61D
                          APIs
                          • SendMessageW.USER32(00000028,?,00000001,00404300), ref: 004044E3
                          Memory Dump Source
                          • Source File: 00000000.00000002.4456168207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: MessageSend
                          • String ID:
                          • API String ID: 3850602802-0
                          • Opcode ID: 0b5dc737e690c2697fce459c5807109f7a0ee7b6821d5e504b87bae23edcb368
                          • Instruction ID: a1e91a2b22b377b77c28deac9acb262fc7b3ebada01c3a2f9bc193e64980b6bc
                          • Opcode Fuzzy Hash: 0b5dc737e690c2697fce459c5807109f7a0ee7b6821d5e504b87bae23edcb368
                          • Instruction Fuzzy Hash: E9B09236690A40AADA215B00DE09F867B62A7A8701F008438B240640B0CAB204A1DB08
                          APIs
                          • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403247,?), ref: 004034C2
                          Memory Dump Source
                          • Source File: 00000000.00000002.4456168207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: FilePointer
                          • String ID:
                          • API String ID: 973152223-0
                          • Opcode ID: 9851be0de28bb9513f6e500a0df6ea838ed72b99fd7baa621d8f85bec57c8f40
                          • Instruction ID: 1f5c7ae16c2334422adcad36111bde95194575cbdac9b1f52e29a9f6e91cc98e
                          • Opcode Fuzzy Hash: 9851be0de28bb9513f6e500a0df6ea838ed72b99fd7baa621d8f85bec57c8f40
                          • Instruction Fuzzy Hash: 34B01271240300BFDA214F00DF09F057B21ABA0700F10C034B388380F086711035EB0D
                          APIs
                          • KiUserCallbackDispatcher.NTDLL(?,00404299), ref: 004044CC
                          Memory Dump Source
                          • Source File: 00000000.00000002.4456168207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: CallbackDispatcherUser
                          • String ID:
                          • API String ID: 2492992576-0
                          • Opcode ID: 1338f86397f00e2d38996c3f1ae94053e56d426343b35a23e1e428530b57d47f
                          • Instruction ID: bf70c606a766814dc6d2ff6c1013b69bc1ca18b78975ad7518874070628387b3
                          • Opcode Fuzzy Hash: 1338f86397f00e2d38996c3f1ae94053e56d426343b35a23e1e428530b57d47f
                          • Instruction Fuzzy Hash: BEA00176544900ABCA16AB50EF0980ABB72BBA8701B528879A285510388B725921FB19
                          APIs
                          • VirtualAlloc.KERNELBASE(00000000), ref: 6F942C57
                          Memory Dump Source
                          • Source File: 00000000.00000002.4461641660.000000006F941000.00000020.00000001.01000000.00000004.sdmp, Offset: 6F940000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6f940000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: AllocVirtual
                          • String ID:
                          • API String ID: 4275171209-0
                          • Opcode ID: 9c3ecfbf14e0f7a7f8f9ef711ebba9be2c58b742f5a06cdb452c519a33a9a50d
                          • Instruction ID: 5620b80c5d98bd5543558c46193c4369a13da5e66b8f6c7af68bac276ffd2576
                          • Opcode Fuzzy Hash: 9c3ecfbf14e0f7a7f8f9ef711ebba9be2c58b742f5a06cdb452c519a33a9a50d
                          • Instruction Fuzzy Hash: BB4191B55087049FEF24EFA8D945B593778FB76368F208865E808CA5C1D738E498CFA0
                          APIs
                          • Sleep.KERNELBASE(00000000), ref: 004014EA
                          Memory Dump Source
                          • Source File: 00000000.00000002.4456168207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: Sleep
                          • String ID:
                          • API String ID: 3472027048-0
                          • Opcode ID: 5065bf49ec89ca03d4d81e0e626b625f4b0a8bbe3ca9100aab93803b3529547f
                          • Instruction ID: a775f6773ee6fca20605c15f6de2f930d7ecc582f877687dc3caa15317c5c1fc
                          • Opcode Fuzzy Hash: 5065bf49ec89ca03d4d81e0e626b625f4b0a8bbe3ca9100aab93803b3529547f
                          • Instruction Fuzzy Hash: 8ED05E73A142008BD710EBB8BE854AF73B8EA403193204C3BD102E1191E6788902461C
                          APIs
                          • GlobalAlloc.KERNELBASE(00000040,?,6F9412DB,?,6F94137F,00000019,6F9411CA,-000000A0), ref: 6F9412C5
                          Memory Dump Source
                          • Source File: 00000000.00000002.4461641660.000000006F941000.00000020.00000001.01000000.00000004.sdmp, Offset: 6F940000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6f940000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: AllocGlobal
                          • String ID:
                          • API String ID: 3761449716-0
                          • Opcode ID: 857916bba3ca9cfb70ac2f59a8c99972c4915ef3092482a8fb7e3a4f98425cf4
                          • Instruction ID: 89cbbd21db5724328d7276cd8f514ae886ad558bc68fc939928b34f094cd7772
                          • Opcode Fuzzy Hash: 857916bba3ca9cfb70ac2f59a8c99972c4915ef3092482a8fb7e3a4f98425cf4
                          • Instruction Fuzzy Hash: 70B002756445009FFF40AF5CED4AF353754F751719F544050BA05D5141D56458388D65
                          APIs
                          • GetDlgItem.USER32(?,000003FB), ref: 004049E0
                          • SetWindowTextW.USER32(00000000,?), ref: 00404A0A
                          • SHBrowseForFolderW.SHELL32(?), ref: 00404ABB
                          • CoTaskMemFree.OLE32(00000000), ref: 00404AC6
                          • lstrcmpiW.KERNEL32(Call,00422F08,00000000,?,?), ref: 00404AF8
                          • lstrcatW.KERNEL32(?,Call), ref: 00404B04
                          • SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404B16
                            • Part of subcall function 00405B65: GetDlgItemTextW.USER32(?,?,00000400,00404B4D), ref: 00405B78
                            • Part of subcall function 004067CF: CharNextW.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.4932.17674.exe",75923420,C:\Users\user\AppData\Local\Temp\,00000000,004034D7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037E6,?,00000008,0000000A,0000000C), ref: 00406832
                            • Part of subcall function 004067CF: CharNextW.USER32(?,?,?,00000000,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00406841
                            • Part of subcall function 004067CF: CharNextW.USER32(?,"C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.4932.17674.exe",75923420,C:\Users\user\AppData\Local\Temp\,00000000,004034D7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037E6,?,00000008,0000000A,0000000C), ref: 00406846
                            • Part of subcall function 004067CF: CharPrevW.USER32(?,?,75923420,C:\Users\user\AppData\Local\Temp\,00000000,004034D7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037E6,?,00000008,0000000A,0000000C), ref: 00406859
                          • GetDiskFreeSpaceW.KERNEL32(00420ED8,?,?,0000040F,?,00420ED8,00420ED8,?,00000001,00420ED8,?,?,000003FB,?), ref: 00404BD9
                          • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404BF4
                            • Part of subcall function 00404D4D: lstrlenW.KERNEL32(00422F08,00422F08,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404DEE
                            • Part of subcall function 00404D4D: wsprintfW.USER32 ref: 00404DF7
                            • Part of subcall function 00404D4D: SetDlgItemTextW.USER32(?,00422F08), ref: 00404E0A
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.4456168207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                          • String ID: A$C:\Users\user\polaritets$Call
                          • API String ID: 2624150263-2736332013
                          • Opcode ID: 2c04f043fab078114f436bc2b0f460e04cb31fe4a389aa85165ae8fc382e2e95
                          • Instruction ID: 030197d704291a410dcd06cfc4277a043b64cd4f667f0077e3e502e998d69d3f
                          • Opcode Fuzzy Hash: 2c04f043fab078114f436bc2b0f460e04cb31fe4a389aa85165ae8fc382e2e95
                          • Instruction Fuzzy Hash: CBA1A0B1900208ABDB11AFA5DD45AAF77B8EF84314F11803BF611B62D1D77C9A418B6D
                          APIs
                            • Part of subcall function 6F9412BB: GlobalAlloc.KERNELBASE(00000040,?,6F9412DB,?,6F94137F,00000019,6F9411CA,-000000A0), ref: 6F9412C5
                          • GlobalAlloc.KERNEL32(00000040,00001CA4), ref: 6F941D2D
                          • lstrcpyW.KERNEL32(00000008,?), ref: 6F941D75
                          • lstrcpyW.KERNEL32(00000808,?), ref: 6F941D7F
                          • GlobalFree.KERNEL32(00000000), ref: 6F941D92
                          • GlobalFree.KERNEL32(?), ref: 6F941E74
                          • GlobalFree.KERNEL32(?), ref: 6F941E79
                          • GlobalFree.KERNEL32(?), ref: 6F941E7E
                          • GlobalFree.KERNEL32(00000000), ref: 6F942068
                          • lstrcpyW.KERNEL32(?,?), ref: 6F942222
                          • GetModuleHandleW.KERNEL32(00000008), ref: 6F9422A1
                          • LoadLibraryW.KERNEL32(00000008), ref: 6F9422B2
                          • GetProcAddress.KERNEL32(?,?), ref: 6F94230C
                          • lstrlenW.KERNEL32(00000808), ref: 6F942326
                          Memory Dump Source
                          • Source File: 00000000.00000002.4461641660.000000006F941000.00000020.00000001.01000000.00000004.sdmp, Offset: 6F940000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6f940000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: Global$Free$lstrcpy$Alloc$AddressHandleLibraryLoadModuleProclstrlen
                          • String ID:
                          • API String ID: 245916457-0
                          • Opcode ID: b40390cc33322621c2898f5100c4741b350068d233079f7f6de75b7ce3d49f95
                          • Instruction ID: 475bb522d8e4c9375bf130e9e98f2247a29981a73528a91d5fb3377f9667cef6
                          • Opcode Fuzzy Hash: b40390cc33322621c2898f5100c4741b350068d233079f7f6de75b7ce3d49f95
                          • Instruction Fuzzy Hash: C5228B71D04609DADB26CFA8C9802EEB7B8FF2A319F10466AD165E61C0D770EAD5CF50
                          APIs
                          • CoCreateInstance.OLE32(004084DC,?,00000001,004084CC,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 0040222E
                          Strings
                          • C:\Users\user\polaritets, xrefs: 0040226E
                          Memory Dump Source
                          • Source File: 00000000.00000002.4456168207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: CreateInstance
                          • String ID: C:\Users\user\polaritets
                          • API String ID: 542301482-4194401724
                          • Opcode ID: 18b8905a52bb68317a5b1bf06e2d786d8dd953d3db2333650e4a3939e0f89523
                          • Instruction ID: 8307c529eb9feefa1617cd4f78f27985085e4fae61a1ffd37fb0b3adda41be3b
                          • Opcode Fuzzy Hash: 18b8905a52bb68317a5b1bf06e2d786d8dd953d3db2333650e4a3939e0f89523
                          • Instruction Fuzzy Hash: 00410575A00209AFCB40DFE4C989EAD7BB5FF48308B20456EF505EB2D1DB799982CB54
                          APIs
                          • FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 0040291F
                          Memory Dump Source
                          • Source File: 00000000.00000002.4456168207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: FileFindFirst
                          • String ID:
                          • API String ID: 1974802433-0
                          • Opcode ID: 6ffcda492f923abc76daec6159b81a3f5593eca79e3a3c3abc80d0637868bc28
                          • Instruction ID: a06f58704ac02dcae893024ea8a23b5ac4ca5f5a8623c8e138aed3c50dac2e18
                          • Opcode Fuzzy Hash: 6ffcda492f923abc76daec6159b81a3f5593eca79e3a3c3abc80d0637868bc28
                          • Instruction Fuzzy Hash: 44F05E71A04104AAD711EBE4E9499AEB378EF14314F60057BE101F21D0DBB84D019B2A
                          APIs
                          • GetDlgItem.USER32(?,000003F9), ref: 00404F25
                          • GetDlgItem.USER32(?,00000408), ref: 00404F30
                          • GlobalAlloc.KERNEL32(00000040,?), ref: 00404F7A
                          • LoadImageW.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 00404F91
                          • SetWindowLongW.USER32(?,000000FC,0040551A), ref: 00404FAA
                          • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404FBE
                          • ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404FD0
                          • SendMessageW.USER32(?,00001109,00000002), ref: 00404FE6
                          • SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404FF2
                          • SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00405004
                          • DeleteObject.GDI32(00000000), ref: 00405007
                          • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00405032
                          • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 0040503E
                          • SendMessageW.USER32(?,00001132,00000000,?), ref: 004050D9
                          • SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 00405109
                            • Part of subcall function 004044D5: SendMessageW.USER32(00000028,?,00000001,00404300), ref: 004044E3
                          • SendMessageW.USER32(?,00001132,00000000,?), ref: 0040511D
                          • GetWindowLongW.USER32(?,000000F0), ref: 0040514B
                          • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00405159
                          • ShowWindow.USER32(?,00000005), ref: 00405169
                          • SendMessageW.USER32(?,00000419,00000000,?), ref: 00405264
                          • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 004052C9
                          • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 004052DE
                          • SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00405302
                          • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00405322
                          • ImageList_Destroy.COMCTL32(?), ref: 00405337
                          • GlobalFree.KERNEL32(?), ref: 00405347
                          • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004053C0
                          • SendMessageW.USER32(?,00001102,?,?), ref: 00405469
                          • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00405478
                          • InvalidateRect.USER32(?,00000000,00000001), ref: 004054A3
                          • ShowWindow.USER32(?,00000000), ref: 004054F1
                          • GetDlgItem.USER32(?,000003FE), ref: 004054FC
                          • ShowWindow.USER32(00000000), ref: 00405503
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.4456168207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                          • String ID: $M$N
                          • API String ID: 2564846305-813528018
                          • Opcode ID: 963d0e2195837636cb6f5b073c234fd9fc9862b141633064f8114fc5dd327728
                          • Instruction ID: 467e9106b9ab4b1e9b2d04e68362d71007c986f05034cc4a0cb7dcf353c6e141
                          • Opcode Fuzzy Hash: 963d0e2195837636cb6f5b073c234fd9fc9862b141633064f8114fc5dd327728
                          • Instruction Fuzzy Hash: 16029B70A00609EFDB20DF95DD45AAF7BB5FB44314F10817AE610BA2E1D7B98A42CF58
                          APIs
                          • CheckDlgButton.USER32(?,-0000040A,00000001), ref: 004046FD
                          • GetDlgItem.USER32(?,000003E8), ref: 00404711
                          • SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 0040472E
                          • GetSysColor.USER32(?), ref: 0040473F
                          • SendMessageW.USER32(00000000,00000443,00000000,?), ref: 0040474D
                          • SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 0040475B
                          • lstrlenW.KERNEL32(?), ref: 00404760
                          • SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 0040476D
                          • SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 00404782
                          • GetDlgItem.USER32(?,0000040A), ref: 004047DB
                          • SendMessageW.USER32(00000000), ref: 004047E2
                          • GetDlgItem.USER32(?,000003E8), ref: 0040480D
                          • SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 00404850
                          • LoadCursorW.USER32(00000000,00007F02), ref: 0040485E
                          • SetCursor.USER32(00000000), ref: 00404861
                          • LoadCursorW.USER32(00000000,00007F00), ref: 0040487A
                          • SetCursor.USER32(00000000), ref: 0040487D
                          • SendMessageW.USER32(00000111,00000001,00000000), ref: 004048AC
                          • SendMessageW.USER32(00000010,00000000,00000000), ref: 004048BE
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.4456168207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
                          • String ID: Call$N
                          • API String ID: 3103080414-3438112850
                          • Opcode ID: d465d3d5382bb59059b47d3503e7a252332af71f120e52871dcbc052c6d80ab7
                          • Instruction ID: fa786ba7610ecb1ae21ae2169d8ef808fc0b2da043ab7544d4c43deaa2774949
                          • Opcode Fuzzy Hash: d465d3d5382bb59059b47d3503e7a252332af71f120e52871dcbc052c6d80ab7
                          • Instruction Fuzzy Hash: 7F61B3B1A00209BFDB10AF64DD85A6A7B79FB84354F00843AFB05B61D0D7B9AD61CF58
                          APIs
                          • DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
                          • BeginPaint.USER32(?,?), ref: 00401047
                          • GetClientRect.USER32(?,?), ref: 0040105B
                          • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                          • FillRect.USER32(00000000,?,00000000), ref: 004010E4
                          • DeleteObject.GDI32(?), ref: 004010ED
                          • CreateFontIndirectW.GDI32(?), ref: 00401105
                          • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                          • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                          • SelectObject.GDI32(00000000,?), ref: 00401140
                          • DrawTextW.USER32(00000000,00428A20,000000FF,00000010,00000820), ref: 00401156
                          • SelectObject.GDI32(00000000,00000000), ref: 00401160
                          • DeleteObject.GDI32(?), ref: 00401165
                          • EndPaint.USER32(?,?), ref: 0040116E
                           Memory Dump Source
                           • Source File: 00000000.00000002.4456168207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000000.00000002.4456154209.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456204885.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456332938.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                          • String ID: F
                          • API String ID: 941294808-1304234792
                          • Opcode ID: fcc37e75e13d0dca8524aaa06a8ee829d240d30c68f9aadea354bd02ab1c226a
                          • Instruction ID: d1034cbb9d528375343357a353c0022e70e8214492c202610c441178c5bfc5cd
                          • Opcode Fuzzy Hash: fcc37e75e13d0dca8524aaa06a8ee829d240d30c68f9aadea354bd02ab1c226a
                          • Instruction Fuzzy Hash: FC417B71800249AFCB058FA5DE459AFBBB9FF45314F00802EF592AA1A0CB74DA55DFA4
                          APIs
                          • CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,00406302,?,?), ref: 004061A2
                          • GetShortPathNameW.KERNEL32(?,004265A8,00000400), ref: 004061AB
                            • Part of subcall function 00405F76: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,0040625B,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405F86
                            • Part of subcall function 00405F76: lstrlenA.KERNEL32(00000000,?,00000000,0040625B,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FB8
                          • GetShortPathNameW.KERNEL32(?,00426DA8,00000400), ref: 004061C8
                          • wsprintfA.USER32 ref: 004061E6
                          • GetFileSize.KERNEL32(00000000,00000000,00426DA8,C0000000,00000004,00426DA8,?,?,?,?,?), ref: 00406221
                          • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00406230
                          • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00406268
                          • SetFilePointer.KERNEL32(0040A580,00000000,00000000,00000000,00000000,004261A8,00000000,-0000000A,0040A580,00000000,[Rename],00000000,00000000,00000000), ref: 004062BE
                          • GlobalFree.KERNEL32(00000000), ref: 004062CF
                          • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 004062D6
                            • Part of subcall function 00406011: GetFileAttributesW.KERNELBASE(00000003,004030C2,C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.4932.17674.exe,80000000,00000003), ref: 00406015
                            • Part of subcall function 00406011: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00406037
                           Memory Dump Source
                           • Source File: 00000000.00000002.4456168207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000000.00000002.4456154209.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456204885.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456332938.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
                          • String ID: %ls=%ls$[Rename]
                          • API String ID: 2171350718-461813615
                          • Opcode ID: ad23c2c12608704314c1a1c2d98a70ea5e027cecb5ac03fef5858bd56b87dd73
                          • Instruction ID: d8f03b5b48010a369f687ed07a259b5d04d98e8e290d987932ab0f9f84d7b5e4
                          • Opcode Fuzzy Hash: ad23c2c12608704314c1a1c2d98a70ea5e027cecb5ac03fef5858bd56b87dd73
                          • Instruction Fuzzy Hash: 89313230201325BFD6207B659D48F2B3A6CDF41714F12007EBA02F62C2EA7D98218ABD
                          APIs
                          • CharNextW.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.4932.17674.exe",75923420,C:\Users\user\AppData\Local\Temp\,00000000,004034D7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037E6,?,00000008,0000000A,0000000C), ref: 00406832
                          • CharNextW.USER32(?,?,?,00000000,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00406841
                          • CharNextW.USER32(?,"C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.4932.17674.exe",75923420,C:\Users\user\AppData\Local\Temp\,00000000,004034D7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037E6,?,00000008,0000000A,0000000C), ref: 00406846
                          • CharPrevW.USER32(?,?,75923420,C:\Users\user\AppData\Local\Temp\,00000000,004034D7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037E6,?,00000008,0000000A,0000000C), ref: 00406859
                          Strings
                          • "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.4932.17674.exe", xrefs: 00406813
                          • *?|<>/":, xrefs: 00406821
                          • C:\Users\user\AppData\Local\Temp\, xrefs: 004067D0
                          Memory Dump Source
                           • Source File: 00000000.00000002.4456168207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000000.00000002.4456154209.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456204885.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456332938.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: Char$Next$Prev
                          • String ID: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.4932.17674.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
                          • API String ID: 589700163-1963456772
                          • Opcode ID: d9890b2689dddc4776a4db6af1629ac80bd1bcc56ba6148264ccbff8cf15ab87
                          • Instruction ID: 2d41fa7b6770246c30beeceb47eb68b435a53440eacd13368e2f30b8c56315d6
                          • Opcode Fuzzy Hash: d9890b2689dddc4776a4db6af1629ac80bd1bcc56ba6148264ccbff8cf15ab87
                          • Instruction Fuzzy Hash: A511935680121296DB303B14CC44ABB66E8AF54794F52C03FE999732C1E77C5C9296BD
                          APIs
                          • GetWindowLongW.USER32(?,000000EB), ref: 00404524
                          • GetSysColor.USER32(00000000), ref: 00404562
                          • SetTextColor.GDI32(?,00000000), ref: 0040456E
                          • SetBkMode.GDI32(?,?), ref: 0040457A
                          • GetSysColor.USER32(?), ref: 0040458D
                          • SetBkColor.GDI32(?,?), ref: 0040459D
                          • DeleteObject.GDI32(?), ref: 004045B7
                          • CreateBrushIndirect.GDI32(?), ref: 004045C1
                          Memory Dump Source
                          • Source File: 00000000.00000002.4456168207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000000.00000002.4456154209.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456204885.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456332938.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                          • String ID:
                          • API String ID: 2320649405-0
                          • Opcode ID: 9dba601b91aff6ac4bf2e5f3eaee39d76022ea5146a5c84035e03d3d84c8d27c
                          • Instruction ID: 524417ed32742d4b72cd17798d780815826fd18a7bcb7bb0f1ed1fdd1052d135
                          • Opcode Fuzzy Hash: 9dba601b91aff6ac4bf2e5f3eaee39d76022ea5146a5c84035e03d3d84c8d27c
                          • Instruction Fuzzy Hash: B22135B1500705AFCB319F78DD08B577BF5AF81714B048A2DEA96A26E0D738D944CB54
                          APIs
                          • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404E76
                          • GetMessagePos.USER32 ref: 00404E7E
                          • ScreenToClient.USER32(?,?), ref: 00404E98
                          • SendMessageW.USER32(?,00001111,00000000,?), ref: 00404EAA
                          • SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404ED0
                           Memory Dump Source
                           • Source File: 00000000.00000002.4456168207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000000.00000002.4456154209.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456204885.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456332938.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: Message$Send$ClientScreen
                          • String ID: f
                          • API String ID: 41195575-1993550816
                          • Opcode ID: 3b05e908374c5eb3ed0cc07743cf8bdf4b6f619b857b2f4ef42225a5e6fc1927
                          • Instruction ID: cfceae8db68972c520d490933057d7cb8d8acba3ea2256e028311c612775fba1
                          • Opcode Fuzzy Hash: 3b05e908374c5eb3ed0cc07743cf8bdf4b6f619b857b2f4ef42225a5e6fc1927
                          • Instruction Fuzzy Hash: A3015E7190021CBADB00DB94DD85BFFBBBCAF95B11F10412BBA51B61D0C7B49A418BA4
                          APIs
                          • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402FB6
                          • MulDiv.KERNEL32(000887A9,00000064,000889AD), ref: 00402FE1
                          • wsprintfW.USER32 ref: 00402FF1
                          • SetWindowTextW.USER32(?,?), ref: 00403001
                          • SetDlgItemTextW.USER32(?,00000406,?), ref: 00403013
                          Strings
                          • verifying installer: %d%%, xrefs: 00402FEB
                          Memory Dump Source
                          • Source File: 00000000.00000002.4456168207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000000.00000002.4456154209.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456204885.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456332938.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: Text$ItemTimerWindowwsprintf
                          • String ID: verifying installer: %d%%
                          • API String ID: 1451636040-82062127
                          • Opcode ID: 7c72eb226873640f15370cd8631d515f33e7e0e766319f11269e715f4bf9c46b
                          • Instruction ID: f83dc0eaaa7e9df2961e53678d13a3899a4bf5fcca0c0537cb294ee04905d4b1
                          • Opcode Fuzzy Hash: 7c72eb226873640f15370cd8631d515f33e7e0e766319f11269e715f4bf9c46b
                          • Instruction Fuzzy Hash: EF014F71640208BBEF209F60DD49FEE3B69AB44345F108039FA06A51D0DBB99A559F58
                          APIs
                            • Part of subcall function 6F9412BB: GlobalAlloc.KERNELBASE(00000040,?,6F9412DB,?,6F94137F,00000019,6F9411CA,-000000A0), ref: 6F9412C5
                          • GlobalFree.KERNEL32(?), ref: 6F942743
                          • GlobalFree.KERNEL32(00000000), ref: 6F942778
                          Memory Dump Source
                          • Source File: 00000000.00000002.4461641660.000000006F941000.00000020.00000001.01000000.00000004.sdmp, Offset: 6F940000, based on PE: true
                           • Associated: 00000000.00000002.4461624523.000000006F940000.00000002.00000001.01000000.00000004.sdmp
                           • Associated: 00000000.00000002.4461659490.000000006F944000.00000002.00000001.01000000.00000004.sdmp
                           • Associated: 00000000.00000002.4461678109.000000006F946000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6f940000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: Global$Free$Alloc
                          • String ID:
                          • API String ID: 1780285237-0
                          • Opcode ID: e2d7eb4daf54340b76b48d855e3a933a364c5a2e2c3d3837d15c88b7e88f3ba0
                          • Instruction ID: 8c8f77ebdeb3c99f347aefa4ed32311be9302ffd09c925c1eefdab642cac8dda
                          • Opcode Fuzzy Hash: e2d7eb4daf54340b76b48d855e3a933a364c5a2e2c3d3837d15c88b7e88f3ba0
                          • Instruction Fuzzy Hash: 4031D071508501DFDB269F68D984C2A77BAFBB73543104629F500C32E0C731F8698F65
                          APIs
                          • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004029B6
                          • GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004029D2
                          • GlobalFree.KERNEL32(?), ref: 00402A0B
                          • GlobalFree.KERNEL32(00000000), ref: 00402A1E
                          • CloseHandle.KERNEL32(?,?,?,?,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A3A
                          • DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A4D
                          Memory Dump Source
                          • Source File: 00000000.00000002.4456168207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000000.00000002.4456154209.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456204885.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456332938.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: Global$AllocFree$CloseDeleteFileHandle
                          • String ID:
                          • API String ID: 2667972263-0
                          • Opcode ID: b07bb42a36a53ac2b652948ec131e563e6f6be8de0f89c4bf93d81cf64cebf1f
                          • Instruction ID: 66908bbe9354c3b59104e874c770ae4161d9466efedc1f742b63756e9967f80f
                          • Opcode Fuzzy Hash: b07bb42a36a53ac2b652948ec131e563e6f6be8de0f89c4bf93d81cf64cebf1f
                          • Instruction Fuzzy Hash: 54319E71900128ABCF21AFA5CE49D9E7E79AF44364F10423AF514762E1CB794C429FA8
                          Memory Dump Source
                          • Source File: 00000000.00000002.4461641660.000000006F941000.00000020.00000001.01000000.00000004.sdmp, Offset: 6F940000, based on PE: true
                           • Associated: 00000000.00000002.4461624523.000000006F940000.00000002.00000001.01000000.00000004.sdmp
                           • Associated: 00000000.00000002.4461659490.000000006F944000.00000002.00000001.01000000.00000004.sdmp
                           • Associated: 00000000.00000002.4461678109.000000006F946000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6f940000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: FreeGlobal
                          • String ID:
                          • API String ID: 2979337801-0
                          • Opcode ID: 157c11ff3b8b52870e550dbb44674682f2b0845acfadaa80f87ff7d2ad2bce70
                          • Instruction ID: ade99d5d073da050b70c5bd69b70102fe5fb974dbc9aa1b324dd9e343ad6ad08
                          • Opcode Fuzzy Hash: 157c11ff3b8b52870e550dbb44674682f2b0845acfadaa80f87ff7d2ad2bce70
                          • Instruction Fuzzy Hash: 9E510432D04208AA8B1B9FB8854459E77B9EF73358F00925BD404A7AD8E770F9F587A1
                          APIs
                          • GlobalFree.KERNEL32(00000000), ref: 6F9425C2
                            • Part of subcall function 6F9412CC: lstrcpynW.KERNEL32(00000000,?,6F94137F,00000019,6F9411CA,-000000A0), ref: 6F9412DC
                          • GlobalAlloc.KERNEL32(00000040), ref: 6F942548
                          • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 6F942563
                          Memory Dump Source
                          • Source File: 00000000.00000002.4461641660.000000006F941000.00000020.00000001.01000000.00000004.sdmp, Offset: 6F940000, based on PE: true
                           • Associated: 00000000.00000002.4461624523.000000006F940000.00000002.00000001.01000000.00000004.sdmp
                           • Associated: 00000000.00000002.4461659490.000000006F944000.00000002.00000001.01000000.00000004.sdmp
                           • Associated: 00000000.00000002.4461678109.000000006F946000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6f940000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: Global$AllocByteCharFreeMultiWidelstrcpyn
                          • String ID:
                          • API String ID: 4216380887-0
                          • Opcode ID: 783441e73674f3889bb79309f1f120d3eb508012c36c06ca5afb57031e5fab27
                          • Instruction ID: 7a679608c89cd92c37844020d24a762c695a172e0fbf6e65d74826752b8d5e80
                          • Opcode Fuzzy Hash: 783441e73674f3889bb79309f1f120d3eb508012c36c06ca5afb57031e5fab27
                          • Instruction Fuzzy Hash: D141ADB0108705DFE724AF29A850A6677A8FBB6324F004A1EE955C75C1E731E594CF61
                          APIs
                          • GetDlgItem.USER32(?,?), ref: 00401D9F
                          • GetClientRect.USER32(?,?), ref: 00401DEA
                          • LoadImageW.USER32(?,?,?,?,?,?), ref: 00401E1A
                          • SendMessageW.USER32(?,00000172,?,00000000), ref: 00401E2E
                          • DeleteObject.GDI32(00000000), ref: 00401E3E
                          Memory Dump Source
                          • Source File: 00000000.00000002.4456168207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000000.00000002.4456154209.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456204885.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456332938.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                          • String ID:
                          • API String ID: 1849352358-0
                          • Opcode ID: b4553b6f8f96a3615d4cb1d74016621c3cb3daa09826911c1e5c071ec9b0e61c
                          • Instruction ID: 002387d4b88dbb62f40c54eb0dee3f9a721ef30fc2dbb8ae50818b7fec09efb0
                          • Opcode Fuzzy Hash: b4553b6f8f96a3615d4cb1d74016621c3cb3daa09826911c1e5c071ec9b0e61c
                          • Instruction Fuzzy Hash: 0F21F872A00119AFCB15DF98DE45AEEBBB5EB08304F14003AF945F62A0D7789D41DB98
                          APIs
                          • GetDC.USER32(?), ref: 00401E56
                          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E70
                          • MulDiv.KERNEL32(00000000,00000000), ref: 00401E78
                          • ReleaseDC.USER32(?,00000000), ref: 00401E89
                          • CreateFontIndirectW.GDI32(0040CDC8), ref: 00401ED8
                          Memory Dump Source
                          • Source File: 00000000.00000002.4456168207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000000.00000002.4456154209.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456204885.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456225766.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.4456332938.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: CapsCreateDeviceFontIndirectRelease
                          • String ID:
                          • API String ID: 3808545654-0
                          APIs
                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00000808,00000000,?,00000000,6F9422D8,?,00000808), ref: 6F9416D5
                          • GlobalAlloc.KERNEL32(00000040,00000000,?,00000000,6F9422D8,?,00000808), ref: 6F9416DC
                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,00000000,6F9422D8,?,00000808), ref: 6F9416F0
                          • GetProcAddress.KERNEL32(6F9422D8,00000000), ref: 6F9416F7
                          • GlobalFree.KERNEL32(00000000), ref: 6F941700
                          Memory Dump Source
                          • Source File: 00000000.00000002.4461641660.000000006F941000.00000020.00000001.01000000.00000004.sdmp, Offset: 6F940000, based on PE: true
                          • Associated: 00000000.00000002.4461624523.000000006F940000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000000.00000002.4461659490.000000006F944000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000000.00000002.4461678109.000000006F946000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6f940000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: ByteCharGlobalMultiWide$AddressAllocFreeProc
                          • String ID:
                          • API String ID: 1148316912-0
                          APIs
                          • SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401CB8
                          • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CD0
                          Memory Dump Source
                          • Source File: 00000000.00000002.4456168207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: MessageSend$Timeout
                          • String ID: !
                          • API String ID: 1777923405-2657877971
                          APIs
                          • lstrlenW.KERNEL32(00422F08,00422F08,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404DEE
                          • wsprintfW.USER32 ref: 00404DF7
                          • SetDlgItemTextW.USER32(?,00422F08), ref: 00404E0A
                          Memory Dump Source
                          • Source File: 00000000.00000002.4456168207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: ItemTextlstrlenwsprintf
                          • String ID: %u.%u%s%s
                          • API String ID: 3540041739-3551169577
                          APIs
                          • lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsd4C7.tmp,00000023,00000011,00000002), ref: 004024DA
                          • RegSetValueExW.ADVAPI32(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsd4C7.tmp,00000000,00000011,00000002), ref: 0040251A
                          • RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsd4C7.tmp,00000000,00000011,00000002), ref: 00402602
                          Memory Dump Source
                          • Source File: 00000000.00000002.4456168207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: CloseValuelstrlen
                          • String ID: C:\Users\user\AppData\Local\Temp\nsd4C7.tmp
                          • API String ID: 2655323295-1808084002
                          APIs
                            • Part of subcall function 00406521: lstrcpynW.KERNEL32(?,?,00000400,0040366E,00428A20,NSIS Error,?,00000008,0000000A,0000000C), ref: 0040652E
                            • Part of subcall function 00405E9B: CharNextW.USER32(?,?,C:\Users\user\AppData\Local\Temp\nsd4C7.tmp,?,00405F0F,C:\Users\user\AppData\Local\Temp\nsd4C7.tmp,C:\Users\user\AppData\Local\Temp\nsd4C7.tmp,75923420,?,C:\Users\user\AppData\Local\Temp\,00405C4D,?,75923420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.4932.17674.exe"), ref: 00405EA9
                            • Part of subcall function 00405E9B: CharNextW.USER32(00000000), ref: 00405EAE
                            • Part of subcall function 00405E9B: CharNextW.USER32(00000000), ref: 00405EC6
                          • lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsd4C7.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsd4C7.tmp,C:\Users\user\AppData\Local\Temp\nsd4C7.tmp,75923420,?,C:\Users\user\AppData\Local\Temp\,00405C4D,?,75923420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.4932.17674.exe"), ref: 00405F51
                          • GetFileAttributesW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsd4C7.tmp,C:\Users\user\AppData\Local\Temp\nsd4C7.tmp,C:\Users\user\AppData\Local\Temp\nsd4C7.tmp,C:\Users\user\AppData\Local\Temp\nsd4C7.tmp,C:\Users\user\AppData\Local\Temp\nsd4C7.tmp,C:\Users\user\AppData\Local\Temp\nsd4C7.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsd4C7.tmp,C:\Users\user\AppData\Local\Temp\nsd4C7.tmp,75923420,?,C:\Users\user\AppData\Local\Temp\,00405C4D,?,75923420,C:\Users\user\AppData\Local\Temp\), ref: 00405F61
                          Memory Dump Source
                          • Source File: 00000000.00000002.4456168207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: CharNext$AttributesFilelstrcpynlstrlen
                          • String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nsd4C7.tmp
                          • API String ID: 3248276644-3045469628
                          APIs
                          • CharNextW.USER32(?,?,C:\Users\user\AppData\Local\Temp\nsd4C7.tmp,?,00405F0F,C:\Users\user\AppData\Local\Temp\nsd4C7.tmp,C:\Users\user\AppData\Local\Temp\nsd4C7.tmp,75923420,?,C:\Users\user\AppData\Local\Temp\,00405C4D,?,75923420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.4932.17674.exe"), ref: 00405EA9
                          • CharNextW.USER32(00000000), ref: 00405EAE
                          • CharNextW.USER32(00000000), ref: 00405EC6
                          Strings
                          • C:\Users\user\AppData\Local\Temp\nsd4C7.tmp, xrefs: 00405E9C
                          Memory Dump Source
                          • Source File: 00000000.00000002.4456168207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: CharNext
                          • String ID: C:\Users\user\AppData\Local\Temp\nsd4C7.tmp
                          • API String ID: 3213498283-1808084002
                          APIs
                          • lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,004034E9,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037E6,?,00000008,0000000A,0000000C), ref: 00405DF6
                          • CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,004034E9,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037E6,?,00000008,0000000A,0000000C), ref: 00405E00
                          • lstrcatW.KERNEL32(?,0040A014,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00405E12
                          Strings
                          • C:\Users\user\AppData\Local\Temp\, xrefs: 00405DF0
                          Memory Dump Source
                          • Source File: 00000000.00000002.4456168207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: CharPrevlstrcatlstrlen
                          • String ID: C:\Users\user\AppData\Local\Temp\
                          • API String ID: 2659869361-823278215
                          APIs
                          • GlobalAlloc.KERNEL32(00000040,?), ref: 6F941171
                          • GlobalAlloc.KERNEL32(00000040,?), ref: 6F9411E3
                          • GlobalFree.KERNEL32 ref: 6F94124A
                          • GlobalFree.KERNEL32(?), ref: 6F94129B
                          • GlobalFree.KERNEL32(00000000), ref: 6F9412B1
                          Memory Dump Source
                          • Source File: 00000000.00000002.4461641660.000000006F941000.00000020.00000001.01000000.00000004.sdmp, Offset: 6F940000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6f940000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: Global$Free$Alloc
                          • String ID:
                          • API String ID: 1780285237-0
                          APIs
                          • lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsd4C7.tmp\System.dll), ref: 0040269A
                          Memory Dump Source
                          • Source File: 00000000.00000002.4456168207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: lstrlen
                          • String ID: C:\Users\user\AppData\Local\Temp\nsd4C7.tmp$C:\Users\user\AppData\Local\Temp\nsd4C7.tmp\System.dll
                          • API String ID: 1659193697-3021339512
                          APIs
                          • DestroyWindow.USER32(00000000,00000000,004031FC,00000001), ref: 00403031
                          • GetTickCount.KERNEL32 ref: 0040304F
                          • CreateDialogParamW.USER32(0000006F,00000000,00402F98,00000000), ref: 0040306C
                          • ShowWindow.USER32(00000000,00000005), ref: 0040307A
                          Memory Dump Source
                          • Source File: 00000000.00000002.4456168207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: Window$CountCreateDestroyDialogParamShowTick
                          • String ID:
                          • API String ID: 2102729457-0
                          APIs
                          • IsWindowVisible.USER32(?), ref: 00405549
                          • CallWindowProcW.USER32(?,?,?,?), ref: 0040559A
                            • Part of subcall function 004044EC: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004044FE
                          Memory Dump Source
                          • Source File: 00000000.00000002.4456168207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: Window$CallMessageProcSendVisible
                          • String ID:
                          • API String ID: 3748168415-3916222277
                          APIs
                          • FreeLibrary.KERNEL32(?,75923420,00000000,C:\Users\user\AppData\Local\Temp\,00403B36,00403A4C,?,?,00000008,0000000A,0000000C), ref: 00403B78
                          • GlobalFree.KERNEL32(00531310), ref: 00403B7F
                          Strings
                          • C:\Users\user\AppData\Local\Temp\, xrefs: 00403B5E
                          Memory Dump Source
                          • Source File: 00000000.00000002.4456168207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: Free$GlobalLibrary
                          • String ID: C:\Users\user\AppData\Local\Temp\
                          • API String ID: 1100898210-823278215
                          APIs
                          • lstrlenW.KERNEL32(80000000,C:\Users\user\Desktop,004030EE,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.4932.17674.exe,C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.4932.17674.exe,80000000,00000003), ref: 00405E42
                          • CharPrevW.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,004030EE,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.4932.17674.exe,C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.4932.17674.exe,80000000,00000003), ref: 00405E52
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.4456168207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.4456154209.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.4456204885.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.4456225766.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.4456225766.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.4456225766.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.4456225766.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.4456225766.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.4456332938.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: CharPrevlstrlen
                          • String ID: C:\Users\user\Desktop
                          • API String ID: 2709904686-1246513382
                          • Opcode ID: 4d9a109f9f2e29ac56c0736ccbd4fa6bf3a04a93e1f4050107f2eb61dc35f761
                          • Instruction ID: eba18341e72c17137544591cfc51a7e4cac6184970473274e9d14fc4341c5a90
                          • Opcode Fuzzy Hash: 4d9a109f9f2e29ac56c0736ccbd4fa6bf3a04a93e1f4050107f2eb61dc35f761
                          • Instruction Fuzzy Hash: 29D0A7F3400A30DAC3127708EC00D9F77ACEF16700746443AE580A7165D7785D818AEC
                          APIs
                          • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,0040625B,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405F86
                          • lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405F9E
                          • CharNextA.USER32(00000000,?,00000000,0040625B,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FAF
                          • lstrlenA.KERNEL32(00000000,?,00000000,0040625B,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FB8
                          Memory Dump Source
                          • Source File: 00000000.00000002.4456168207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.4456154209.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.4456204885.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.4456225766.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.4456225766.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.4456225766.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.4456225766.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.4456225766.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.4456332938.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: lstrlen$CharNextlstrcmpi
                          • String ID:
                          • API String ID: 190613189-0
                          • Opcode ID: 2e04212541fd7d2d0fc4f715182178ccf0de62a07a1c27cf83518a5c6c9cf375
                          • Instruction ID: baa81b9806bcf2d0018ef5e19b9a589e3df5f1c452cb3fab7a363fd504aebd5e
                          • Opcode Fuzzy Hash: 2e04212541fd7d2d0fc4f715182178ccf0de62a07a1c27cf83518a5c6c9cf375
                          • Instruction Fuzzy Hash: 87F0C231105914EFCB029BA5CE00D9EBFA8EF15254B2100BAE840F7250D638DE019BA8
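Every function entry in this listing has the same fixed layout: an APIs list (import, module, argument snapshot and the call-site `ref` address), an optional Strings list, the Memory Dump Source the function was lifted from, the IDA snapshot file, and a Similarity block of IDs and fuzzy hashes. The parser below turns that layout into records so that a function's API sequence (here `lstrlenW` followed by `CharPrevW`, and `lstrlenA` / `lstrcmpiA` / `CharNextA` / `lstrlenA`) and its fuzzy hashes can be queried or compared across reports of the same family. It is an added example written for this page, not Joe Sandbox code; the record field names and the `SAMPLE` excerpt (two entries from the listing above, with argument lists and Associated dumps trimmed) are constructed for the example, and the parser tolerates the "Download File" link label that text extraction can glue onto each Associated dump name.

```python
"""Parse the per-function blocks of a Joe Sandbox report (APIs / Strings / Memory Dump Source /
Joe Sandbox IDA Plugin / Similarity) into records. Added example for this page, not Joe Sandbox code."""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Call line shape: "• lstrlenW.KERNEL32(80000000,C:\Users\user\Desktop), ref: 00405E42"
API_RE = re.compile(r"^•\s*(?P<api>\w+)\.(?P<module>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})$")
KV_RE = re.compile(r"^•\s*(?P<key>[^:]+):\s*(?P<val>.*)$")
HEADERS = ("APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity")
LINK_RESIDUE = "Download File"  # per-dump link label that text extraction glues onto .sdmp names


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]  # argument snapshot as printed by the sandbox ("?" = unknown)
    ref: int         # call-site address inside the mapped image


@dataclass
class FunctionEntry:
    apis: List[ApiCall] = field(default_factory=list)
    strings: List[str] = field(default_factory=list)
    associated: List[str] = field(default_factory=list)  # related memory dumps, residue removed
    meta: Dict[str, str] = field(default_factory=dict)   # Source File, API ID, fuzzy hashes, ...

    def api_sequence(self) -> List[str]:
        """Imports in call-site address order, e.g. ['KERNEL32!lstrlenW', 'USER32!CharPrevW']."""
        return [f"{c.module}!{c.api}" for c in sorted(self.apis, key=lambda c: c.ref)]


def parse_entries(text: str) -> List[FunctionEntry]:
    entries: List[FunctionEntry] = []
    cur, section = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in HEADERS:
            # Similarity is the last block of an entry, so any header after it opens a new entry.
            if cur is None or section == "Similarity":
                cur = FunctionEntry()
                entries.append(cur)
            section = line
            continue
        if cur is None:
            continue  # report chrome before the first header
        if section == "APIs":
            m = API_RE.match(line)
            if m:
                args = [a.strip() for a in m.group("args").split(",")] if m.group("args") else []
                cur.apis.append(ApiCall(m.group("api"), m.group("module"), args, int(m.group("ref"), 16)))
        elif section == "Strings":
            cur.strings.append(line.lstrip("• "))
        else:
            m = KV_RE.match(line)
            if not m:
                continue
            key, val = m.group("key").strip(), m.group("val").strip()
            if key == "Associated":
                if val.endswith(LINK_RESIDUE):
                    val = val[: -len(LINK_RESIDUE)]
                cur.associated.append(val)
            else:
                cur.meta[key] = val
    return entries


# Constructed sample input in the report's layout: two entries from the listing above, trimmed.
SAMPLE = r"""
APIs
• lstrlenW.KERNEL32(80000000,C:\Users\user\Desktop,004030EE), ref: 00405E42
• CharPrevW.USER32(80000000,00000000,80000000,C:\Users\user\Desktop), ref: 00405E52
Strings
Memory Dump Source
• Source File: 00000000.00000002.4456168207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4456154209.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
Similarity
• API ID: CharPrevlstrlen
• String ID: C:\Users\user\Desktop
• API String ID: 2709904686-1246513382
• Instruction Fuzzy Hash: 29D0A7F3400A30DAC3127708EC00D9F77ACEF16700746443AE580A7165D7785D818AEC
APIs
• lstrlenA.KERNEL32(00000000,00000000,?,00000000,0040625B,00000000,[Rename]), ref: 00405F86
• lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405F9E
• CharNextA.USER32(00000000,?,00000000,0040625B,00000000,[Rename]), ref: 00405FAF
• lstrlenA.KERNEL32(00000000,?,00000000,0040625B,00000000,[Rename]), ref: 00405FB8
Similarity
• API ID: lstrlen$CharNextlstrcmpi
• String ID:
• API String ID: 190613189-0
• Instruction Fuzzy Hash: 87F0C231105914EFCB029BA5CE00D9EBFA8EF15254B2100BAE840F7250D638DE019BA8
"""

if __name__ == "__main__":
    for e in parse_entries(SAMPLE):
        print(e.meta.get("API ID"), "->", e.api_sequence())
```

Run stand-alone, the block prints each entry's API ID next to its call sequence. Sorting calls by `ref` keeps the order in which they occur in the function body, which is the form you would keep alongside the Instruction Fuzzy Hash when checking whether the same helper appears in a later report of this family.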