Windows Analysis Report
yDoZVwXSMG.exe

Overview

General Information

Sample name: yDoZVwXSMG.exe (renamed because original name is a hash value)
Original sample name: 21922_224871481_da5669cb6c0e24e7679e4cce556acae9d1fabff38df9769fae96837617c38753_au_.exe
Analysis ID: 1559721
MD5: a82c9640641c01795da7322ed1b2462f
SHA1: af1c79055759a4c698220a22eff9cef97ac8209e
SHA256: da5669cb6c0e24e7679e4cce556acae9d1fabff38df9769fae96837617c38753

Detection

Score: 4
Range: 0 - 100
Whitelisted: false
Confidence: 40%

Signatures

Contains functionality for read data from the clipboard
Contains functionality to dynamically determine API calls
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Detected potential crypto function
Drops PE files
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • yDoZVwXSMG.exe (PID: 5032 cmdline: "C:\Users\user\Desktop\yDoZVwXSMG.exe" MD5: A82C9640641C01795DA7322ED1B2462F)
    • Au_.exe (PID: 3776 cmdline: "C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe" _?=C:\Users\user\Desktop\ MD5: A82C9640641C01795DA7322ED1B2462F)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

There are no malicious signatures.

Source: yDoZVwXSMG.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\yDoZVwXSMG.exe | Code function: 0_2_00406775 FindFirstFileA,FindClose
Source: C:\Users\user\Desktop\yDoZVwXSMG.exe | Code function: 0_2_00402A84 FindFirstFileA
Source: C:\Users\user\Desktop\yDoZVwXSMG.exe | Code function: 0_2_00405B99 CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA
Source: C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe | Code function: 2_2_00406775 FindFirstFileA,FindClose
Source: C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe | Code function: 2_2_00405B99 CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA
Source: C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe | Code function: 2_2_00402A84 FindFirstFileA
Source: Au_.exe, Au_.exe, 00000002.00000002.3439503883.000000000040A000.00000004.00000001.01000000.00000004.sdmp, Au_.exe, 00000002.00000000.2190560048.000000000040A000.00000008.00000001.01000000.00000004.sdmp, yDoZVwXSMG.exe, Au_.exe.0.dr | String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: yDoZVwXSMG.exe, Au_.exe.0.dr | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: yDoZVwXSMG.exe, 00000000.00000002.2191564328.00000000028C3000.00000004.00000020.00020000.00000000.sdmp, yDoZVwXSMG.exe, 00000000.00000002.2191258259.00000000005DE000.00000004.00000020.00020000.00000000.sdmp, yDoZVwXSMG.exe, 00000000.00000002.2191048241.000000000040C000.00000004.00000001.01000000.00000003.sdmp, Au_.exe, Au_.exe, 00000002.00000002.3439987828.0000000002828000.00000004.00000020.00020000.00000000.sdmp, Au_.exe, 00000002.00000002.3439724667.000000000057E000.00000004.00000020.00020000.00000000.sdmp, Au_.exe, 00000002.00000002.3440578387.0000000010003000.00000004.00000001.01000000.00000007.sdmp, nsvC710.tmp.0.dr, nsqC8C5.tmp.2.dr | String found in binary or memory: https://www.gegridsolutions.com/multilin/
Source: yDoZVwXSMG.exe, 00000000.00000002.2191564328.00000000028C3000.00000004.00000020.00020000.00000000.sdmp, yDoZVwXSMG.exe, 00000000.00000002.2191258259.00000000005DE000.00000004.00000020.00020000.00000000.sdmp, yDoZVwXSMG.exe, 00000000.00000002.2191048241.000000000040C000.00000004.00000001.01000000.00000003.sdmp, Au_.exe, 00000002.00000002.3439987828.0000000002828000.00000004.00000020.00020000.00000000.sdmp, Au_.exe, 00000002.00000002.3439724667.000000000057E000.00000004.00000020.00020000.00000000.sdmp, nsvC710.tmp.0.dr, nsqC8C5.tmp.2.dr | String found in binary or memory: https://www.gegridsolutions.com/multilin/200Set
Source: C:\Users\user\Desktop\yDoZVwXSMG.exe | Code function: 0_2_00405683 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard
Source: C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe | Code function: 2_2_03A11D4E GetDlgCtrlID,OpenClipboard,GetClipboardData,GlobalLock,lstrlenA,SendMessageA,GlobalUnlock,CloseClipboard,CallWindowProcA
Source: C:\Users\user\Desktop\yDoZVwXSMG.exe | Code function: 0_2_004048DE GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA
Source: C:\Users\user\Desktop\yDoZVwXSMG.exe | Code function: 0_2_004036E7 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,ExitProcess,CoUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess
Source: C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe | Code function: 2_2_004036E7 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess
Source: C:\Users\user\Desktop\yDoZVwXSMG.exe | Code function: 0_2_00404E7A
Source: C:\Users\user\Desktop\yDoZVwXSMG.exe | Code function: 0_2_00406AB6
Source: C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe | Code function: 2_2_00404E7A
Source: C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe | Code function: 2_2_00406AB6
Source: C:\Users\user\Desktop\yDoZVwXSMG.exe | Code function: String function: 00406747 appears 58 times
Source: C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe | Code function: String function: 00406747 appears 58 times
Source: yDoZVwXSMG.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: classification engine | Classification label: clean4.winEXE@3/11@0/0
Source: C:\Users\user\Desktop\yDoZVwXSMG.exe | Code function: 0_2_004048DE GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA
Source: C:\Users\user\Desktop\yDoZVwXSMG.exe | Code function: 0_2_004022F1 CoCreateInstance,MultiByteToWideChar
Source: C:\Users\user\Desktop\yDoZVwXSMG.exe | File created: C:\Users\user\AppData\Local\Temp\nsfC6FF.tmp
Source: yDoZVwXSMG.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\yDoZVwXSMG.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\yDoZVwXSMG.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\yDoZVwXSMG.exe | File read: C:\Users\user\Desktop\yDoZVwXSMG.exe
Source: unknown | Process created: C:\Users\user\Desktop\yDoZVwXSMG.exe "C:\Users\user\Desktop\yDoZVwXSMG.exe"
Source: C:\Users\user\Desktop\yDoZVwXSMG.exe | Process created: C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe "C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe" _?=C:\Users\user\Desktop\
Source: C:\Users\user\Desktop\yDoZVwXSMG.exe | Process created: C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe "C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe" _?=C:\Users\user\Desktop\
Source: C:\Users\user\Desktop\yDoZVwXSMG.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\yDoZVwXSMG.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\yDoZVwXSMG.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\yDoZVwXSMG.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\yDoZVwXSMG.exe | Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\yDoZVwXSMG.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\yDoZVwXSMG.exe | Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\yDoZVwXSMG.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\yDoZVwXSMG.exe | Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\yDoZVwXSMG.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\yDoZVwXSMG.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\yDoZVwXSMG.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\yDoZVwXSMG.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe | Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe | Section loaded: oleacc.dll
Source: C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe | Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe | Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe | Section loaded: riched20.dll
Source: C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe | Section loaded: usp10.dll
Source: C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe | Section loaded: msls31.dll
Source: C:\Users\user\Desktop\yDoZVwXSMG.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe | File written: C:\Users\user\AppData\Local\Temp\nslC943.tmp\ioSpecial.ini
Source: C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe | Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe | Automated click: Next >
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: yDoZVwXSMG.exe | Static file information: File size 2469638 > 1048576
Source: C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe | Code function: 2_2_039F4DB4 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe | Code function: 2_2_039F3F10 push eax; ret 2_2_039F3F3E
Source: C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe | File created: C:\Users\user\AppData\Local\Temp\nslC943.tmp\BrandingURL.dll
Source: C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe | File created: C:\Users\user\AppData\Local\Temp\nslC943.tmp\FindProcDLL.dll
Source: C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe | File created: C:\Users\user\AppData\Local\Temp\nslC943.tmp\LangDLL.dll
Source: C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe | File created: C:\Users\user\AppData\Local\Temp\nslC943.tmp\LogEx.dll
Source: C:\Users\user\Desktop\yDoZVwXSMG.exe | File created: C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe
Source: C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe | File created: C:\Users\user\AppData\Local\Temp\nslC943.tmp\InstallOptions.dll
Source: C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe | Code function: 2_2_03A11410 wsprintfA,lstrcpyA,GetPrivateProfileStringA,lstrcpyA,CharNextA
Source: C:\Users\user\Desktop\yDoZVwXSMG.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\yDoZVwXSMG.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\yDoZVwXSMG.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nslC943.tmp\BrandingURL.dll
Source: C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nslC943.tmp\FindProcDLL.dll
Source: C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nslC943.tmp\LangDLL.dll
Source: C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nslC943.tmp\LogEx.dll
Source: C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nslC943.tmp\InstallOptions.dll
Source: C:\Users\user\Desktop\yDoZVwXSMG.exe | Code function: 0_2_00406775 FindFirstFileA,FindClose
Source: C:\Users\user\Desktop\yDoZVwXSMG.exe | Code function: 0_2_00402A84 FindFirstFileA
Source: C:\Users\user\Desktop\yDoZVwXSMG.exe | Code function: 0_2_00405B99 CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA
Source: C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe | Code function: 2_2_00406775 FindFirstFileA,FindClose
Source: C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe | Code function: 2_2_00405B99 CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA
Source: C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe | Code function: 2_2_00402A84 FindFirstFileA
Source: Au_.exe, 00000002.00000002.3439724667.000000000057E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
Source: C:\Users\user\Desktop\yDoZVwXSMG.exe | API call chain: ExitProcess graph end node (graph_0-3581)
Source: C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe | API call chain: ExitProcess graph end node (graph_2-6481)
Source: C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe | API call chain: ExitProcess graph end node (graph_2-6280)
Source: C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe | API call chain: ExitProcess graph end node (graph_2-7616)
Source: C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe | Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe | Code function: 2_2_039F4DB4 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: C:\Users\user\Desktop\yDoZVwXSMG.exe | Code function: 0_2_004036E7 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,ExitProcess,CoUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess
MITRE ATT&CK Matrix

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts
Execution: 1 Native API, Scheduled Task/Job, At, Cron
Persistence: 1 DLL Side-Loading, Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook
Privilege Escalation: 1 Process Injection, 1 DLL Side-Loading, Logon Script (Windows), Login Hook
Defense Evasion: 1 Process Injection, 1 Deobfuscate/Decode Files or Information, 2 Obfuscated Files or Information, 1 DLL Side-Loading
Credential Access: 11 Input Capture, LSASS Memory, Security Account Manager, NTDS
Discovery: 1 Security Software Discovery, 1 Process Discovery, 3 File and Directory Discovery, 3 System Information Discovery
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model
Collection: 11 Input Capture, 1 Archive Collected Data, 2 Clipboard Data, Input Capture
Command and Control: 1 Encrypted Channel, Junk Data, Steganography, Protocol Impersonation
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication
Impact: 1 System Shutdown/Reboot, Network Denial of Service, Data Encrypted for Impact, Data Destruction

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

No Antivirus matches
Source | Detection | Scanner
C:\Users\user\AppData\Local\Temp\nslC943.tmp\BrandingURL.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\nslC943.tmp\FindProcDLL.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\nslC943.tmp\InstallOptions.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\nslC943.tmp\LangDLL.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\nslC943.tmp\LogEx.dll | 0% | ReversingLabs
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
https://www.gegridsolutions.com/multilin/ | 0% | Avira URL Cloud | safe
https://www.gegridsolutions.com/multilin/200Set | 0% | Avira URL Cloud | safe
No contacted domains info
Name: https://www.gegridsolutions.com/multilin/200Set
Source: yDoZVwXSMG.exe, 00000000.00000002.2191564328.00000000028C3000.00000004.00000020.00020000.00000000.sdmp, yDoZVwXSMG.exe, 00000000.00000002.2191258259.00000000005DE000.00000004.00000020.00020000.00000000.sdmp, yDoZVwXSMG.exe, 00000000.00000002.2191048241.000000000040C000.00000004.00000001.01000000.00000003.sdmp, Au_.exe, 00000002.00000002.3439987828.0000000002828000.00000004.00000020.00020000.00000000.sdmp, Au_.exe, 00000002.00000002.3439724667.000000000057E000.00000004.00000020.00020000.00000000.sdmp, nsvC710.tmp.0.dr, nsqC8C5.tmp.2.dr
Malicious: false
Antivirus Detection: Avira URL Cloud: safe
Reputation: unknown

Name: http://nsis.sf.net/NSIS_Error
Source: Au_.exe, Au_.exe, 00000002.00000002.3439503883.000000000040A000.00000004.00000001.01000000.00000004.sdmp, Au_.exe, 00000002.00000000.2190560048.000000000040A000.00000008.00000001.01000000.00000004.sdmp, yDoZVwXSMG.exe, Au_.exe.0.dr
Malicious: false
Reputation: high

Name: http://nsis.sf.net/NSIS_ErrorError
Source: yDoZVwXSMG.exe, Au_.exe.0.dr
Malicious: false
Reputation: high

Name: https://www.gegridsolutions.com/multilin/
Source: yDoZVwXSMG.exe, 00000000.00000002.2191564328.00000000028C3000.00000004.00000020.00020000.00000000.sdmp, yDoZVwXSMG.exe, 00000000.00000002.2191258259.00000000005DE000.00000004.00000020.00020000.00000000.sdmp, yDoZVwXSMG.exe, 00000000.00000002.2191048241.000000000040C000.00000004.00000001.01000000.00000003.sdmp, Au_.exe, Au_.exe, 00000002.00000002.3439987828.0000000002828000.00000004.00000020.00020000.00000000.sdmp, Au_.exe, 00000002.00000002.3439724667.000000000057E000.00000004.00000020.00020000.00000000.sdmp, Au_.exe, 00000002.00000002.3440578387.0000000010003000.00000004.00000001.01000000.00000007.sdmp, nsvC710.tmp.0.dr, nsqC8C5.tmp.2.dr
Malicious: false
Antivirus Detection: Avira URL Cloud: safe
Reputation: unknown

No contacted IP infos
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1559721
Start date and time: 2024-11-20 21:14:38 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 11s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 5
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: yDoZVwXSMG.exe (renamed because original name is a hash value)
Original Sample Name: 21922_224871481_da5669cb6c0e24e7679e4cce556acae9d1fabff38df9769fae96837617c38753_au_.exe
Detection: CLEAN
Classification: clean4.winEXE@3/11@0/0
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 72
• Number of non-executed functions: 108
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• VT rate limit hit for: yDoZVwXSMG.exe
No simulations
No context
No context
No context
No context
Match: C:\Users\user\AppData\Local\Temp\nslC943.tmp\BrandingURL.dll
• Associated Sample Name / URL: Cursor Commander.exe, Detection: malicious, Threat Name: Unknown
• Associated Sample Name / URL: Advanced.Installer-15.9.exe, Detection: malicious, Threat Name: Unknown
• Associated Sample Name / URL: 29#Uff09.exe, Detection: malicious, Threat Name: Unknown
• Associated Sample Name / URL: myDHSBbmiQ30XWiQsvEZBgkKPOQqbPoH.exe, Detection: malicious, Threat Name: Unknown
• Associated Sample Name / URL: 2.3.11.210102.exe, Detection: malicious, Threat Name: Unknown
• Associated Sample Name / URL: 2.3.11.210102.exe, Detection: malicious, Threat Name: Unknown
• Associated Sample Name / URL: TC-9.22a.2019.3.exe, Detection: malicious, Threat Name: Unknown
Match: C:\Users\user\AppData\Local\Temp\nslC943.tmp\FindProcDLL.dll
• Associated Sample Name / URL: https://icrealtime.com/downloads/2, Detection: malicious, Threat Name: Unknown
• Associated Sample Name / URL: https://viture.com/windows, Detection: malicious, Threat Name: Unknown
• Associated Sample Name / URL: https://www.zoominfo.com/pic/kirkham-insurance/354239330, Detection: malicious, Threat Name: Unknown
• Associated Sample Name / URL: https://www.zoominfo.com/pic/kirkham-insurance/354239330, Detection: malicious, Threat Name: Unknown
• Associated Sample Name / URL: VxJYz09IcU, Detection: malicious, Threat Name: Unknown
• Associated Sample Name / URL: ZoomInfoContactContributor.exe, Detection: malicious, Threat Name: Unknown
• Associated Sample Name / URL: General_Player_Eng_WIN32_V3.44.0.R.170421.exe, Detection: malicious, Threat Name: Unknown
• Associated Sample Name / URL: v17achbl9y.exe, Detection: malicious, Threat Name: Unknown
• Associated Sample Name / URL: bG4F5qPoGq.exe, Detection: malicious, Threat Name: Unknown
• Associated Sample Name / URL: 8Rc1CnrlKH.exe, Detection: malicious, Threat Name: Unknown
                                        Process:C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe
                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                        Category:dropped
                                        Size (bytes):4096
                                        Entropy (8bit):3.904876158695173
                                        Encrypted:false
                                        SSDEEP:48:qnMpjVitCGEuR+BrUtDQbfwz3Aa3MAAZHMAAJb/Jb9W/Boj:zAwDlUSbIz3Aa33AZH3A5BZW/Boj
                                        MD5:71C46B663BAA92AD941388D082AF97E7
                                        SHA1:5A9FCCE065366A526D75CC5DED9AADE7CADD6421
                                        SHA-256:BB2B9C272B8B66BC1B414675C2ACBA7AFAD03FFF66A63BABEE3EE57ED163D19E
                                        SHA-512:5965BD3F5369B9A1ED641C479F7B8A14AF27700D0C27D482AA8EB62ACC42F7B702B5947D82F9791B29BCBA4D46E1409244F0A8DDCE4EC75022B5E27F6D671BCE
                                        Malicious:false
                                        Antivirus:
                                        • Antivirus: ReversingLabs, Detection: 0%
                                        Joe Sandbox View:
                                        • Filename: Cursor Commander.exe, Detection: malicious, Browse
                                        • Filename: Advanced.Installer-15.9.exe, Detection: malicious, Browse
                                        • Filename: 29#Uff09.exe, Detection: malicious, Browse
                                        • Filename: myDHSBbmiQ30XWiQsvEZBgkKPOQqbPoH.exe, Detection: malicious, Browse
                                        • Filename: 2.3.11.210102.exe, Detection: malicious, Browse
                                        • Filename: 2.3.11.210102.exe, Detection: malicious, Browse
                                        • Filename: TC-9.22a.2019.3.exe, Detection: malicious, Browse
                                        Reputation:moderate, very likely benign file
                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............x...x...x...x...x...g...x..)g...x..)g...x..Rich.x..........................PE..L...KThF...........!................Q........ ...............................P......................................."..W...p ..d............................@....................................................... ..p............................text............................... ..`.rdata..G.... ......................@..@.data...P....0......................@....reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................
                                        Process:C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe
                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                        Category:dropped
                                        Size (bytes):31744
                                        Entropy (8bit):5.124320488199201
                                        Encrypted:false
                                        SSDEEP:384:1NWlNdqdAnhTKMLE2oIM05fnqCiWg3Yy9kflIinokN:1NWtqdihTKCldkYwkdpnoy
                                        MD5:83CD62EAB980E3D64C131799608C8371
                                        SHA1:5B57A6842A154997E31FAB573C5754B358F5DD1C
                                        SHA-256:A6122E80F1C51DC72770B4F56C7C482F7A9571143FBF83B19C4D141D0CB19294
                                        SHA-512:91CFBCC125600EC341F5571DCF1E4A814CF7673F82CF42F32155BD54791BBF32619F2BB14AE871D7996E9DDECDFCC5DB40CAA0979D6DFBA3E73CFE8E69C163C9
                                        Malicious:false
                                        Antivirus:
                                        • Antivirus: ReversingLabs, Detection: 0%
                                        Joe Sandbox View:
                                        • Filename: , Detection: malicious, Browse
                                        • Filename: , Detection: malicious, Browse
                                        • Filename: , Detection: malicious, Browse
                                        • Filename: , Detection: malicious, Browse
                                        • Filename: VxJYz09IcU, Detection: malicious, Browse
                                        • Filename: ZoomInfoContactContributor.exe, Detection: malicious, Browse
                                        • Filename: General_Player_Eng_WIN32_V3.44.0.R.170421.exe, Detection: malicious, Browse
                                        • Filename: v17achbl9y.exe, Detection: malicious, Browse
                                        • Filename: bG4F5qPoGq.exe, Detection: malicious, Browse
                                        • Filename: 8Rc1CnrlKH.exe, Detection: malicious, Browse
                                        Reputation:moderate, very likely benign file
                                        Process:C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe
                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                        Category:dropped
                                        Size (bytes):14848
                                        Entropy (8bit):5.54762139570877
                                        Encrypted:false
                                        SSDEEP:192:3Gs+dH4+oQOTgDbzuNfrigyULWsXXZF/01JJijnK72dwF7dBEnbok:3GvdH4qMebzPY2Vijn+BEnbo
                                        MD5:D753362649AECD60FF434ADF171A4E7F
                                        SHA1:3B752AD064E06E21822C8958AE22E9A6BB8CF3D0
                                        SHA-256:8F24C6CF0B06D18F3C07E7BFCA4E92AFCE71834663746CFAA9DDF52A25D5C586
                                        SHA-512:41BF41ADD275867553FA3BD8835CD7E2A2A362A2D5670CCBFAD23700448BAD9FE0F577FB6EE9D4EB81DFC10D463B325B8A873FE5912EB580936D4AD96587AA6D
                                        Malicious:false
                                        Antivirus:
                                        • Antivirus: ReversingLabs, Detection: 0%
                                        Reputation:moderate, very likely benign file
                                        Process:C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe
                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                        Category:dropped
                                        Size (bytes):5632
                                        Entropy (8bit):3.951555564830228
                                        Encrypted:false
                                        SSDEEP:48:iV6pAvmNC6iMPUptxEZK65x/AmvycNSmwVsOYJyvrpXptp/JvR0Jlof5d2:2811GED5ZTvycNSmwVsTJuftpZR0Sd2
                                        MD5:9384F4007C492D4FA040924F31C00166
                                        SHA1:ABA37FAEF30D7C445584C688A0B5638F5DB31C7B
                                        SHA-256:60A964095AF1BE79F6A99B22212FEFE2D16F5A0AFD7E707D14394E4143E3F4F5
                                        SHA-512:68F158887E24302673227ADFFC688FD3EDABF097D7F5410F983E06C6B9C7344CA1D8A45C7FA05553ADCC5987993DF3A298763477168D4842E554C4EB93B9AAAF
                                        Malicious:false
                                        Antivirus:
                                        • Antivirus: ReversingLabs, Detection: 0%
                                        Reputation:moderate, very likely benign file
                                        Process:C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe
                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                        Category:dropped
                                        Size (bytes):45056
                                        Entropy (8bit):4.447330642171801
                                        Encrypted:false
                                        SSDEEP:768:I+mRGgtvKEeTLD4GKx1oj+aYb7+ZDomgfHx:IbG27eTLcGP+N/0o3fR
                                        MD5:1C440EC84001C94327082ACA9BDBD0D1
                                        SHA1:4F35B29E8E1CA44368D15506C28A0873BED1C9F3
                                        SHA-256:F6D21EF2FA853B922C94D66D3ABD9277AD71BC1BE73A8D8418BC06635925A343
                                        SHA-512:32A2C9641D1390295249A52FAB38F8BC8379BE80395A9B27B4E157D37B66A1C1F9F49F940CCD24725C59F9DE9A585690292119E11FAEA3E93D4054D9DB00E93A
                                        Malicious:false
                                        Antivirus:
                                        • Antivirus: ReversingLabs, Detection: 0%
                                        Process:C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe
                                        File Type:Generic INItialization configuration [Field 1]
                                        Category:dropped
                                        Size (bytes):649
                                        Entropy (8bit):5.30762609292694
                                        Encrypted:false
                                        SSDEEP:12:lOu8VTsAgQRvAVagFhFa4gNhCfYqfPkmN4gND/hI0F4pVTt8oBdU/U:yTdRvAVacho1OwIBN1ZXaqoAs
                                        MD5:2786600C985A978FC6F62665B5003F8A
                                        SHA1:865CC9D09231D405335CE490E148EE1A0D056EDB
                                        SHA-256:AADBBEBA93D8D2C6EDC84C730AF8C09B8340A57C5657CE27912AD1E5A0A1EF46
                                        SHA-512:58CF08400120577B97A52EE8C77CA3D6FD12C21F933957EA10F6979AF82A519EA455D673848BDCD6A377C94C34E11D415D3EDF47A0DD2888EB34A5BE1D3867D2
                                        Malicious:false
                                         Preview:
                                         [Settings]
                                         Rect=1044
                                         NumFields=3
                                         RTL=0
                                         NextButtonText=
                                         CancelEnabled=
                                         State=0
                                         [Field 1]
                                         Type=bitmap
                                         Left=0
                                         Right=109
                                         Top=0
                                         Bottom=193
                                         Flags=RESIZETOFIT
                                         Text=C:\Users\user\AppData\Local\Temp\nslC943.tmp\modern-wizard.bmp
                                         HWND=66634
                                         [Field 2]
                                         Type=label
                                         Left=120
                                         Right=315
                                         Top=10
                                         Text=Welcome to the LogicLinx 3.31 Uninstall Wizard
                                         Bottom=38
                                         HWND=66636
                                         [Field 3]
                                         Type=label
                                         Left=120
                                         Right=315
                                         Top=45
                                         Bottom=185
                                         Text=This wizard will guide you through the uninstallation of LogicLinx 3.31.\r\n\r\nBefore starting the uninstallation, make sure LogicLinx 3.31 is not running.\r\n\r\nClick Next to continue.
                                         HWND=66638
                                        Process:C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe
                                        File Type:PC bitmap, Windows 3.x format, 245 x 468 x 24, image size 344448, resolution 3779 x 3779 px/m, cbSize 344502, bits offset 54
                                        Category:dropped
                                        Size (bytes):344502
                                        Entropy (8bit):7.44895003665144
                                        Encrypted:false
                                        SSDEEP:6144:VPmsu7BOZ6ML8yJ2H1TsLxRtqKGh+F09QyavhNH7jrsTuGVaaaaaaatCaXoIyoBI:VOsu7qjLvMVTsLxrqKGsa9zavXfUVaat
                                        MD5:F975665D00EC6F2A8F77A9508C3BF1EF
                                        SHA1:703F4369F98B031790B993EE776388D1BCECCB96
                                        SHA-256:CAD1C216716927D66A2C0D33929543358FE809CA7C593A9A14E0E688F698AA10
                                        SHA-512:182DD6C3487A83688B8FA14AE986549009FAAEF83A70561004263AEDFF2D6FE3750C1817A0F1A8652D01A94C885E4B1436995B95163F4C08B7FF6DDB07385276
                                        Malicious:false
                                        Process:C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):515691
                                        Entropy (8bit):6.952834018950696
                                        Encrypted:false
                                        SSDEEP:12288:HCIzpOsu7qjLvMVTsLxrqKGsa9zavXfUVaaaaaaatCOoIyoBFV7fDpqd:HfzXjLvMVTsLpaskCXcVaaaaaaatCORW
                                        MD5:3B11E38AA0DDE65ABF4B0096116940AF
                                        SHA1:5609AA4B53583B1F5F2E98E115797ABB8FA2BCE6
                                        SHA-256:9F9A2994289AFC94FDB6DA0C0024840D180D40B98D247905A81EC131BCD23BAF
                                        SHA-512:75759C13DE0BEF6074C0BEC1290D84F706F25B1FD925D861C331062FAF5FBC3A45FDE4E5B003D784355AFFE4C8C1DE4B9D6ACBE384BAE56EDAABF436506D9A6A
                                        Malicious:false
                                        Process:C:\Users\user\Desktop\yDoZVwXSMG.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):56848
                                        Entropy (8bit):5.109217127899667
                                        Encrypted:false
                                        SSDEEP:384:hwLFHRN6kkDAYxCZUPPhN8d6EJfIL7IoflpZRT28eVY/DEJS9Q6rI9gGUkJVztGP:KxN6FAfRJALdpZRVenJS91Q77S6qnYg
                                        MD5:60127AB791B30C30BBABBDAFD5396C99
                                        SHA1:0F7A08F5ACB059A98940E30617B4B4525D3C65E2
                                        SHA-256:0CF35BACFE6E3F387FF34B156C6CDE409DC97CB458193E40115D8AA3AF9891FC
                                        SHA-512:EB778FD5A80E8C9A645E476CC7777C27A833CDB7185C94C3DB5CBCE6372DA07661FD8CE6630FA79E69FEDD4F1844E794383FA6532FBD9E2D99A4C34A94EBA252
                                        Malicious:false
                                        Process:C:\Users\user\Desktop\yDoZVwXSMG.exe
                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                        Category:dropped
                                        Size (bytes):2469638
                                        Entropy (8bit):7.980575297576846
                                        Encrypted:false
                                        SSDEEP:49152:ML1blinQ7Xi5JZtKg8+MI1PQoabl4WxLLfmfO7d5GsoAWn0FwdTf:ML1oAXirZm3b1hFW0i
                                        MD5:A82C9640641C01795DA7322ED1B2462F
                                        SHA1:AF1C79055759A4C698220A22EFF9CEF97AC8209E
                                        SHA-256:DA5669CB6C0E24E7679E4CCE556ACAE9D1FABFF38DF9769FAE96837617C38753
                                        SHA-512:5579B91F9A4C714733B3082B17604D8E888434A04750D6716866ACC441662EE5CC01E99DF73D9A1D9901075F36E078467D0874A23BDCB943282D516E9B6E6246
                                        Malicious:false
                                        Process:C:\Users\user\Desktop\yDoZVwXSMG.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:modified
                                        Size (bytes):26
                                        Entropy (8bit):3.95006375643621
                                        Encrypted:false
                                        SSDEEP:3:ggPYV:rPYV
                                        MD5:187F488E27DB4AF347237FE461A079AD
                                        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                        Malicious:false
                                        Preview:[ZoneTransfer]....ZoneId=0
                                        File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                        Entropy (8bit):7.980575297576846
                                        TrID:
                                        • Win32 Executable (generic) a (10002005/4) 99.96%
                                        • Generic Win/DOS Executable (2004/3) 0.02%
                                        • DOS Executable Generic (2002/1) 0.02%
                                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                        File name:yDoZVwXSMG.exe
                                        File size:2'469'638 bytes
                                        MD5:a82c9640641c01795da7322ed1b2462f
                                        SHA1:af1c79055759a4c698220a22eff9cef97ac8209e
                                        SHA256:da5669cb6c0e24e7679e4cce556acae9d1fabff38df9769fae96837617c38753
                                        SHA512:5579b91f9a4c714733b3082b17604d8e888434a04750d6716866acc441662ee5cc01e99df73d9a1d9901075f36e078467d0874a23bdcb943282d516e9b6e6246
                                        SSDEEP:49152:ML1blinQ7Xi5JZtKg8+MI1PQoabl4WxLLfmfO7d5GsoAWn0FwdTf:ML1oAXirZm3b1hFW0i
                                        TLSH:53B52346E3109B64CD1406794DB39CFE6D6FB0B29A61041FA68D3FB6CB62E1D487C34A
                                        Icon Hash:aa9cbcccccc1c4b0
                                        Entrypoint:0x4036e7
                                        Entrypoint Section:.text
                                        Digitally signed:false
                                        Imagebase:0x400000
                                        Subsystem:windows gui
                                        Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                        DLL Characteristics:TERMINAL_SERVER_AWARE
                                        Time Stamp:0x56FF3AC3 [Sat Apr 2 03:21:39 2016 UTC]
                                        TLS Callbacks:
                                        CLR (.Net) Version:
                                        OS Version Major:4
                                        OS Version Minor:0
                                        File Version Major:4
                                        File Version Minor:0
                                        Subsystem Version Major:4
                                        Subsystem Version Minor:0
                                        Import Hash:16cdca0a54bf8076dc7e57fab55dbc5b
                                        Instruction
                                        sub esp, 00000184h
                                        push ebx
                                        push ebp
                                        push esi
                                        push edi
                                        xor ebx, ebx
                                        push 00008001h
                                        mov dword ptr [esp+20h], ebx
                                        mov dword ptr [esp+14h], 0040A7B0h
                                        mov dword ptr [esp+1Ch], ebx
                                        mov byte ptr [esp+18h], 00000020h
                                        call dword ptr [004080B8h]
                                        call dword ptr [004080B4h]
                                        cmp ax, 00000006h
                                        je 00007F9ED0D75993h
                                        push ebx
                                        call 00007F9ED0D78A6Ah
                                        cmp eax, ebx
                                        je 00007F9ED0D75989h
                                        push 00000C00h
                                        call eax
                                        mov esi, 00408288h
                                        push esi
                                        call 00007F9ED0D789E6h
                                        push esi
                                        call dword ptr [004080B0h]
                                        lea esi, dword ptr [esi+eax+01h]
                                        cmp byte ptr [esi], bl
                                        jne 00007F9ED0D7596Dh
                                        push 0000000Dh
                                        call 00007F9ED0D78A3Eh
                                        push 0000000Bh
                                        call 00007F9ED0D78A37h
                                        mov dword ptr [00426404h], eax
                                        call dword ptr [00408034h]
                                        push ebx
                                        call dword ptr [00408278h]
                                        mov dword ptr [004264B8h], eax
                                        push ebx
                                        lea eax, dword ptr [esp+38h]
                                        push 00000160h
                                        push eax
                                        push ebx
                                        push 00420D98h
                                        call dword ptr [0040815Ch]
                                        push 0040A840h
                                        push 00425C00h
                                        call 00007F9ED0D784BDh
                                        call dword ptr [004080ACh]
                                        mov ebp, 0042C000h
                                        push eax
                                        push ebp
                                        call 00007F9ED0D784ABh
                                        push ebx
                                        call dword ptr [00408148h]
                                        Programming Language:
                                        • [EXP] VC++ 6.0 SP5 build 8804
                                         | Name | Virtual Address | Virtual Size | Is in Section |
                                         |---|---|---|---|
                                         | IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
                                         | IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8420 | 0xa0 | .rdata |
                                         | IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x36000 | 0x1cb98 | .rsrc |
                                         | IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
                                         | IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
                                         | IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
                                         | IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
                                         | IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
                                         | IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
                                         | IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
                                         | IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
                                         | IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
                                         | IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x288 | .rdata |
                                         | IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
                                         | IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
                                         | IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |
                                         | Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
                                         |---|---|---|---|---|---|---|---|---|---|
                                         | .text | 0x1000 | 0x63cd | 0x6400 | 84473a4e5c03ea7b88acbd207137a3ed | False | 0.668359375 | data | 6.455100510182752 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
                                         | .rdata | 0x8000 | 0x11e2 | 0x1200 | 22a909d39528ffc909762b2fdbab6457 | False | 0.466796875 | data | 5.309380799178768 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
                                         | .data | 0xa000 | 0x1c4f8 | 0xe00 | 89faa5fd30ca437f0aae195560c38849 | False | 0.41824776785714285 | data | 4.963237061637593 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
                                         | .ndata | 0x27000 | 0xf000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
                                         | .rsrc | 0x36000 | 0x1cb98 | 0x1cc00 | bd7fce5ba12105a97791533354aba8d1 | False | 0.19535495923913043 | data | 6.246001857169698 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
                                         | Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
                                         |---|---|---|---|---|---|---|
                                         | RT_BITMAP | 0x36910 | 0x666 | Device independent bitmap graphic, 96 x 16 x 8, image size 1538, resolution 2868 x 2868 px/m, 15 important colors | English | United States | 0.18192918192918192 |
                                         | RT_ICON | 0x36f78 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 | English | United States | 0.1308411214953271 |
                                         | RT_ICON | 0x477a0 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | United States | 0.2702527161076996 |
                                         | RT_ICON | 0x4b9c8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.3780082987551867 |
                                         | RT_ICON | 0x4df70 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.36843339587242024 |
                                         | RT_ICON | 0x4f018 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.43073770491803276 |
                                         | RT_ICON | 0x4f9a0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.4308510638297872 |
                                         | RT_DIALOG | 0x4fe08 | 0x120 | data | English | United States | 0.5138888888888888 |
                                         | RT_DIALOG | 0x4ff28 | 0x158 | data | English | United States | 0.5290697674418605 |
                                         | RT_DIALOG | 0x50080 | 0x202 | data | English | United States | 0.4085603112840467 |
                                         | RT_DIALOG | 0x50288 | 0xf8 | data | English | United States | 0.6290322580645161 |
                                         | RT_DIALOG | 0x50380 | 0xa0 | data | English | United States | 0.60625 |
                                         | RT_DIALOG | 0x50420 | 0xf4 | data | English | United States | 0.5450819672131147 |
                                         | RT_DIALOG | 0x50518 | 0xee | data | English | United States | 0.6260504201680672 |
                                         | RT_DIALOG | 0x50608 | 0x10c | data | English | United States | 0.5111940298507462 |
                                         | RT_DIALOG | 0x50718 | 0x144 | data | English | United States | 0.5216049382716049 |
                                         | RT_DIALOG | 0x50860 | 0x1ee | data | English | United States | 0.3866396761133603 |
                                         | RT_DIALOG | 0x50a50 | 0xe4 | data | English | United States | 0.6359649122807017 |
                                         | RT_DIALOG | 0x50b38 | 0x8c | data | English | United States | 0.5857142857142857 |
                                         | RT_DIALOG | 0x50bc8 | 0xe0 | data | English | United States | 0.53125 |
                                         | RT_DIALOG | 0x50ca8 | 0xda | data | English | United States | 0.6376146788990825 |
                                         | RT_DIALOG | 0x50d88 | 0x110 | data | English | United States | 0.5183823529411765 |
                                         | RT_DIALOG | 0x50e98 | 0x148 | data | English | United States | 0.5274390243902439 |
                                         | RT_DIALOG | 0x50fe0 | 0x1f2 | data | English | United States | 0.39759036144578314 |
                                         | RT_DIALOG | 0x511d8 | 0xe8 | data | English | United States | 0.6508620689655172 |
                                         | RT_DIALOG | 0x512c0 | 0x90 | data | English | United States | 0.6041666666666666 |
                                         | RT_DIALOG | 0x51350 | 0xe4 | data | English | United States | 0.543859649122807 |
                                         | RT_DIALOG | 0x51438 | 0xde | data | English | United States | 0.6486486486486487 |
                                         | RT_DIALOG | 0x51518 | 0x118 | data | English | United States | 0.5321428571428571 |
                                         | RT_DIALOG | 0x51630 | 0x150 | data | English | United States | 0.5386904761904762 |
                                         | RT_DIALOG | 0x51780 | 0x1fa | data | English | United States | 0.40118577075098816 |
                                         | RT_DIALOG | 0x51980 | 0xf0 | data | English | United States | 0.6666666666666666 |
                                         | RT_DIALOG | 0x51a70 | 0x98 | data | English | United States | 0.625 |
                                         | RT_DIALOG | 0x51b08 | 0xec | data | English | United States | 0.559322033898305 |
                                         | RT_DIALOG | 0x51bf8 | 0xe6 | data | English | United States | 0.6565217391304348 |
                                         | RT_DIALOG | 0x51ce0 | 0x10c | data | English | United States | 0.5111940298507462 |
                                         | RT_DIALOG | 0x51df0 | 0x144 | data | English | United States | 0.5216049382716049 |
                                         | RT_DIALOG | 0x51f38 | 0x1ee | data | English | United States | 0.38866396761133604 |
                                         | RT_DIALOG | 0x52128 | 0xe4 | data | English | United States | 0.6447368421052632 |
                                         | RT_DIALOG | 0x52210 | 0x8c | data | English | United States | 0.5928571428571429 |
                                         | RT_DIALOG | 0x522a0 | 0xe0 | data | English | United States | 0.5357142857142857 |
                                         | RT_DIALOG | 0x52380 | 0xda | data | English | United States | 0.6422018348623854 |
                                         | RT_GROUP_ICON | 0x52460 | 0x5a | data | English | United States | 0.7888888888888889 |
                                         | RT_VERSION | 0x524c0 | 0x314 | data | | | 0.5076142131979695 |
                                         | RT_MANIFEST | 0x527d8 | 0x3be | XML 1.0 document, ASCII text, with very long lines (958), with no line terminators | English | United States | 0.5187891440501043 |
DLL | Import
KERNEL32.dll | GetShortPathNameA, GetFullPathNameA, MoveFileA, GetLastError, SetCurrentDirectoryA, GetFileAttributesA, SearchPathA, SetFileAttributesA, Sleep, GetTickCount, CreateFileA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, SetFileTime, CompareFileTime, GetCommandLineA, lstrlenA, GetVersion, SetErrorMode, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateDirectoryA, CreateProcessA, RemoveDirectoryA, GetTempFileNameA, lstrcatA, GetSystemDirectoryA, CloseHandle, lstrcmpiA, lstrcmpA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GetTempPathA, GetWindowsDirectoryA, GetProcAddress, DeleteFileA, FindFirstFileA, FindNextFileA, FindClose, SetFilePointer, ReadFile, WriteFile, GetPrivateProfileStringA, WritePrivateProfileStringA, MultiByteToWideChar, FreeLibrary, MulDiv, LoadLibraryExA, GetModuleHandleA
USER32.dll | GetWindowRect, EnableMenuItem, GetSystemMenu, ScreenToClient, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetAsyncKeyState, IsDlgButtonChecked, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SystemParametersInfoA, RegisterClassA, EndDialog, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, wvsprintfA, DispatchMessageA, PeekMessageA, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, SetTimer, OpenClipboard, SetWindowTextA, GetDC, LoadImageA, ShowWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, IsWindow, GetDlgItem, SetWindowLongA, SetClipboardData, EmptyClipboard, DestroyWindow, ExitWindowsEx, SetForegroundWindow, PostQuitMessage, CreateDialogParamA
GDI32.dll | SelectObject, SetTextColor, SetBkMode, CreateFontIndirectA, CreateBrushIndirect, DeleteObject, GetDeviceCaps, SetBkColor
SHELL32.dll | SHGetSpecialFolderLocation, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA
ADVAPI32.dll | RegDeleteValueA, SetFileSecurityA, RegOpenKeyExA, RegDeleteKeyA, RegEnumValueA, RegCloseKey, RegCreateKeyExA, RegSetValueExA, RegQueryValueExA, RegEnumKeyA
COMCTL32.dll | ImageList_Create, ImageList_Destroy, ImageList_AddMasked
ole32.dll | OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance
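
The import table above is what the report's static "Contains functionality ..." signatures key on. The Python below is an added example written for this page, not code from Joe Sandbox: it parses rows in the report's flattened `NAME.dllFunc, Func, ...` layout and tags the same four capabilities, separating a confirmed hit from a partial one. The rule table is my own approximation of the signature logic (the exact rules are not on this page). The distinction matters here: the USER32 row lists OpenClipboard, EmptyClipboard, SetClipboardData and CloseClipboard but no GetClipboardData, so clipboard reading cannot be confirmed from the import table alone, and since GetProcAddress and LoadLibraryExA are imported the call may be resolved at run time instead. All of these APIs are also routine for an installer's dialog code, so a hit on its own carries no verdict.

```python
import re
from dataclasses import dataclass

# Constructed sample: the KERNEL32 and USER32 rows of the import table above,
# kept in the report's flattened "NAME.dllFunc, Func, ..." layout. Only the
# functions the rules below look at (plus a few neighbours) are reproduced; the
# GDI32/SHELL32/ADVAPI32/COMCTL32/ole32 rows are omitted because no rule uses them.
SAMPLE_IMPORT_ROWS = """\
KERNEL32.dllGetShortPathNameA, GetFullPathNameA, CreateProcessA, GetProcAddress, DeleteFileA, FindFirstFileA, ReadFile, WriteFile, FreeLibrary, LoadLibraryExA, GetModuleHandleA
USER32.dllGetWindowRect, GetAsyncKeyState, CloseClipboard, OpenClipboard, SetClipboardData, EmptyClipboard, DestroyWindow, ExitWindowsEx, PostQuitMessage
"""

_ROW_RE = re.compile(r"^(?P<dll>[A-Za-z0-9_\-]+\.dll)(?P<funcs>.*)$", re.IGNORECASE)


def parse_import_rows(text: str) -> dict[str, set[str]]:
    """Split flattened 'NAME.dllFunc, Func, ...' rows into {dll: {function names}}."""
    imports: dict[str, set[str]] = {}
    for line in text.splitlines():
        match = _ROW_RE.match(line.strip())
        if not match:
            continue  # not an import row (e.g. a header line)
        funcs = {f.strip() for f in match.group("funcs").split(",") if f.strip()}
        imports.setdefault(match.group("dll").lower(), set()).update(funcs)
    return imports


@dataclass(frozen=True)
class Rule:
    name: str
    strong: frozenset                 # any one of these confirms the capability
    context: frozenset = frozenset()  # related APIs; alone they only hint at it
    require_context: bool = False     # strong API means little without a context API


# My own approximation of the report's static signatures; not Joe Sandbox's rules.
RULES = (
    Rule("keystroke state",
         frozenset({"GetAsyncKeyState", "GetKeyState", "GetKeyboardState"}),
         frozenset({"SetWindowsHookExA", "SetWindowsHookExW"})),
    Rule("clipboard read",
         frozenset({"GetClipboardData"}),
         frozenset({"OpenClipboard", "CloseClipboard", "EmptyClipboard", "SetClipboardData"})),
    Rule("system shutdown/reboot",
         frozenset({"ExitWindowsEx", "InitiateSystemShutdownA", "InitiateSystemShutdownExA"})),
    Rule("dynamic API resolution",
         frozenset({"GetProcAddress"}),
         frozenset({"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW",
                    "GetModuleHandleA", "GetModuleHandleW"}),
         require_context=True),
)


def evaluate(imports: dict[str, set[str]]) -> dict[str, tuple[str, list[str]]]:
    """Return {rule name: (status, matched APIs)}; status is confirmed, partial or none."""
    all_funcs: set[str] = set().union(*imports.values()) if imports else set()
    result: dict[str, tuple[str, list[str]]] = {}
    for rule in RULES:
        strong_hits = sorted(all_funcs & rule.strong)
        context_hits = sorted(all_funcs & rule.context)
        if strong_hits and (context_hits or not rule.require_context):
            status = "confirmed"
        elif strong_hits or context_hits:
            status = "partial"
        else:
            status = "none"
        result[rule.name] = (status, strong_hits + context_hits)
    return result


if __name__ == "__main__":
    for name, (status, apis) in evaluate(parse_import_rows(SAMPLE_IMPORT_ROWS)).items():
        print(f"{status:9} {name}: {', '.join(apis) or '-'}")
```

On the constructed rows this reports keystroke state, shutdown/reboot and dynamic API resolution as confirmed and clipboard read as partial. Feeding it the full import table from a report gives the same answer, since the omitted rows contain none of the rule APIs.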
Language of compilation system | Country where language is spoken | Map
English | United States |
                                        No network behavior found


                                        Target ID:0
                                        Start time:15:15:35
                                        Start date:20/11/2024
                                        Path:C:\Users\user\Desktop\yDoZVwXSMG.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Users\user\Desktop\yDoZVwXSMG.exe"
                                        Imagebase:0x400000
                                        File size:2'469'638 bytes
                                        MD5 hash:A82C9640641C01795DA7322ED1B2462F
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:low
                                        Has exited:true

                                        Target ID:2
                                        Start time:15:15:35
                                        Start date:20/11/2024
                                        Path:C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe" _?=C:\Users\user\Desktop\
                                        Imagebase:0x400000
                                        File size:2'469'638 bytes
                                        MD5 hash:A82C9640641C01795DA7322ED1B2462F
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:low
                                        Has exited:false
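
The second process above is the standard NSIS uninstaller self-copy: the uninstaller copies itself to %TEMP%\~nsu?.tmp\Au_.exe (same MD5 as the parent here) and relaunches that copy with `_?=<directory it was started from>` so the original file can be removed. That explains the "Drops PE files" signature for this sample. The Python below is an added example, not part of the Joe Sandbox report or of NSIS: it encodes that lineage as a baseline for process-creation events and reports deviations (child hash differs from the parent, `_?=` not pointing at the parent's directory, argument missing). The event fields are taken from the two process entries above; the parent/child relation comes from the report's process tree, which does not print a PPID. The one-character `~nsu?.tmp` suffix is assumed to vary between runs.

```python
import re
from pathlib import PureWindowsPath

# Constructed events: the two processes from the listing above (Target ID 0 and 2),
# reduced to the fields this check needs. ppid is read off the process tree.
SAMPLE_EVENTS = [
    {"pid": 5032, "ppid": None,
     "path": "C:\\Users\\user\\Desktop\\yDoZVwXSMG.exe",
     "cmdline": '"C:\\Users\\user\\Desktop\\yDoZVwXSMG.exe"',
     "md5": "A82C9640641C01795DA7322ED1B2462F"},
    {"pid": 3776, "ppid": 5032,
     "path": "C:\\Users\\user\\AppData\\Local\\Temp\\~nsuA.tmp\\Au_.exe",
     "cmdline": '"C:\\Users\\user\\AppData\\Local\\Temp\\~nsuA.tmp\\Au_.exe" _?=C:\\Users\\user\\Desktop\\',
     "md5": "A82C9640641C01795DA7322ED1B2462F"},
]

# NSIS uninstaller self-copy location: %TEMP%\~nsu<one char>.tmp\Au_.exe.
# Assumption: the single-character suffix (here 'A') varies between runs.
_NSIS_SELFCOPY_RE = re.compile(r"\\Temp\\~nsu[a-z0-9]\.tmp\\Au_\.exe$", re.IGNORECASE)
# The uninstaller receives its original directory as the unquoted last argument _?=<dir>.
_INSTDIR_ARG_RE = re.compile(r"\s_\?=(?P<dir>.+?)\s*$")


def _norm_dir(path: str) -> str:
    """Case-insensitive comparison key for a directory; a trailing backslash is ignored."""
    return str(PureWindowsPath(path.rstrip("\\"))).lower()


def classify(events: list[dict]) -> dict[int, tuple[str, list[str]]]:
    """For each process running from an NSIS self-copy path return (label, deviations).

    label is 'nsis-uninstaller-selfcopy' when every expectation holds and
    'anomalous-au_exe' otherwise; deviations lists what did not hold."""
    by_pid = {e["pid"]: e for e in events}
    findings: dict[int, tuple[str, list[str]]] = {}
    for ev in events:
        if not _NSIS_SELFCOPY_RE.search(ev["path"]):
            continue
        deviations: list[str] = []
        arg = _INSTDIR_ARG_RE.search(ev["cmdline"])
        if arg is None:
            deviations.append("missing _?= argument")
        parent = by_pid.get(ev["ppid"])
        if parent is None:
            deviations.append("parent process not in event set")
        else:
            if parent["md5"].lower() != ev["md5"].lower():
                deviations.append("hash differs from parent (not a self-copy)")
            parent_dir = str(PureWindowsPath(parent["path"]).parent)
            if arg is not None and _norm_dir(arg.group("dir")) != _norm_dir(parent_dir):
                deviations.append("_?= does not point at the parent's directory")
        label = "nsis-uninstaller-selfcopy" if not deviations else "anomalous-au_exe"
        findings[ev["pid"]] = (label, deviations)
    return findings


if __name__ == "__main__":
    for pid, (label, why) in classify(SAMPLE_EVENTS).items():
        print(pid, label, "; ".join(why) or "all expectations hold")
```

On the two events from this report the child (PID 3776) is labelled `nsis-uninstaller-selfcopy` with no deviations. The check is a baseline, not a verdict: a real uninstaller and a binary that imitates the pattern both pass it, so the hash comparison against the parent is what keeps a swapped-in Au_.exe from passing silently.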


                                          Execution Graph

                                          Execution Coverage:9.2%
                                          Dynamic/Decrypted Code Coverage:0%
                                          Signature Coverage:20.8%
                                          Total number of Nodes:1426
                                          Total number of Limit Nodes:13
404507 8 API calls 4384->4392 4394 4052b2 4385->4394 4395 4052ab ImageList_Destroy 4385->4395 4402 4052c2 4385->4402 4386->4385 4387->4377 4388->4378 4405 40515f 4388->4405 4426 404dfa SendMessageA 4388->4426 4406 404fd8 4390->4406 4391->4384 4397 405243 SendMessageA 4391->4397 4398 405474 4392->4398 4393 4051c7 SendMessageA 4393->4378 4399 4052bb GlobalFree 4394->4399 4394->4402 4395->4394 4396 405428 4396->4384 4403 40543a ShowWindow GetDlgItem ShowWindow 4396->4403 4401 405256 4397->4401 4399->4402 4400 4050ac GetWindowLongA SetWindowLongA 4404 4050c5 4400->4404 4413 405267 SendMessageA 4401->4413 4402->4396 4412 40140b 81 API calls 4402->4412 4420 4052f4 4402->4420 4403->4384 4407 4050e3 4404->4407 4408 4050cb ShowWindow 4404->4408 4405->4378 4405->4393 4406->4400 4411 405027 SendMessageA 4406->4411 4414 4050a6 4406->4414 4415 405063 SendMessageA 4406->4415 4416 405074 SendMessageA 4406->4416 4425 4044d5 SendMessageA 4407->4425 4424 4044d5 SendMessageA 4408->4424 4411->4406 4412->4420 4413->4381 4414->4400 4414->4404 4415->4406 4416->4406 4417 4053fe InvalidateRect 4417->4396 4418 405414 4417->4418 4421 404db5 21 API calls 4418->4421 4419 405322 SendMessageA 4423 405338 4419->4423 4420->4419 4420->4423 4421->4396 4422 4053ac SendMessageA SendMessageA 4422->4423 4423->4417 4423->4422 4424->4384 4425->4388 4427 404e59 SendMessageA 4426->4427 4428 404e1d GetMessagePos ScreenToClient SendMessageA 4426->4428 4430 404e51 4427->4430 4429 404e56 4428->4429 4428->4430 4429->4427 4430->4405 4431 401ffa 4432 402ea4 18 API calls 4431->4432 4433 402000 4432->4433 4434 402ea4 18 API calls 4433->4434 4435 402009 4434->4435 4436 402ea4 18 API calls 4435->4436 4437 402012 4436->4437 4438 402ea4 18 API calls 4437->4438 4439 40201b 4438->4439 4440 401423 25 API calls 4439->4440 4441 402022 ShellExecuteA 4440->4441 4442 402061 4441->4442 4443 40204b 4441->4443 4445 406747 9 API calls 4442->4445 4444 406747 9 API calls 4443->4444 4446 402059 4444->4446 4445->4446 4447 40547b 4448 
4054a0 4447->4448 4449 405489 4447->4449 4450 4054ae IsWindowVisible 4448->4450 4454 4054c5 4448->4454 4451 40548f 4449->4451 4465 405509 4449->4465 4452 4054bb 4450->4452 4450->4465 4455 4044ec SendMessageA 4451->4455 4457 404dfa 5 API calls 4452->4457 4453 40550f CallWindowProcA 4456 405499 4453->4456 4454->4453 4466 4062cd lstrcpynA 4454->4466 4455->4456 4457->4454 4459 4054f4 4467 40622b wsprintfA 4459->4467 4461 4054fb 4462 40140b 81 API calls 4461->4462 4463 405502 4462->4463 4468 4062cd lstrcpynA 4463->4468 4465->4453 4466->4459 4467->4461 4468->4465 4469 40187e 4470 402ea4 18 API calls 4469->4470 4471 401885 4470->4471 4472 405fd3 2 API calls 4471->4472 4473 40188c 4472->4473 4474 401000 4475 401037 BeginPaint GetClientRect 4474->4475 4476 40100c DefWindowProcA 4474->4476 4477 4010f3 4475->4477 4479 401179 4476->4479 4480 401073 CreateBrushIndirect FillRect DeleteObject 4477->4480 4481 4010fc 4477->4481 4480->4477 4482 401102 CreateFontIndirectA 4481->4482 4483 401167 EndPaint 4481->4483 4482->4483 4484 401112 6 API calls 4482->4484 4483->4479 4484->4483 4485 402501 4486 40251c 4485->4486 4487 402509 4485->4487 4488 4062ef 18 API calls 4487->4488 4489 402516 4488->4489 4490 405b35 MessageBoxIndirectA 4489->4490 4490->4486 4498 405683 4499 4056a4 GetDlgItem GetDlgItem GetDlgItem 4498->4499 4500 40584a 4498->4500 4547 4044d5 SendMessageA 4499->4547 4502 405853 GetDlgItem CreateThread CloseHandle 4500->4502 4503 40587b 4500->4503 4502->4503 4505 4058a6 4503->4505 4506 405892 ShowWindow ShowWindow 4503->4506 4507 4058c8 4503->4507 4504 405715 4516 4062ef 18 API calls 4504->4516 4508 405904 4505->4508 4511 4058b7 4505->4511 4512 4058dd ShowWindow 4505->4512 4549 4044d5 SendMessageA 4506->4549 4509 404507 8 API calls 4507->4509 4508->4507 4517 40590f SendMessageA 4508->4517 4513 4058d6 4509->4513 4518 404479 SendMessageA 4511->4518 4514 4058fd 4512->4514 4515 4058ef 4512->4515 4521 404479 SendMessageA 4514->4521 4519 40552b 25 API calls 4515->4519 4520 405734 
4516->4520 4517->4513 4522 405928 CreatePopupMenu 4517->4522 4518->4507 4519->4514 4523 406747 9 API calls 4520->4523 4521->4508 4524 4062ef 18 API calls 4522->4524 4525 40573f GetClientRect GetSystemMetrics SendMessageA SendMessageA 4523->4525 4526 405938 AppendMenuA 4524->4526 4527 4057a6 4525->4527 4528 40578a SendMessageA SendMessageA 4525->4528 4529 40594b GetWindowRect 4526->4529 4530 40595e 4526->4530 4532 4057b9 4527->4532 4533 4057ab SendMessageA 4527->4533 4528->4527 4531 405967 TrackPopupMenu 4529->4531 4530->4531 4531->4513 4534 405985 4531->4534 4535 4044a0 19 API calls 4532->4535 4533->4532 4536 4059a1 SendMessageA 4534->4536 4537 4057c9 4535->4537 4536->4536 4538 4059be OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 4536->4538 4539 4057d2 ShowWindow 4537->4539 4540 405806 GetDlgItem SendMessageA 4537->4540 4542 4059e0 SendMessageA 4538->4542 4541 4057e8 ShowWindow 4539->4541 4544 4057f5 4539->4544 4540->4513 4543 40582d SendMessageA SendMessageA 4540->4543 4541->4544 4542->4542 4545 405a01 GlobalUnlock SetClipboardData CloseClipboard 4542->4545 4543->4513 4548 4044d5 SendMessageA 4544->4548 4545->4513 4547->4504 4548->4540 4549->4505 3166 403b04 3167 403b15 CloseHandle 3166->3167 3168 403b1f 3166->3168 3167->3168 3169 403b33 3168->3169 3170 403b29 CloseHandle 3168->3170 3175 403b61 3169->3175 3170->3169 3176 403b6f 3175->3176 3177 403b38 3176->3177 3178 403b74 FreeLibrary GlobalFree 3176->3178 3179 405b99 3177->3179 3178->3177 3178->3178 3225 405ea1 3179->3225 3182 405bb6 DeleteFileA 3220 403b44 3182->3220 3183 405bcd 3184 405d2f 3183->3184 3239 4062cd lstrcpynA 3183->3239 3187 405d47 3184->3187 3184->3220 3295 406775 FindFirstFileA 3184->3295 3186 405bf7 3188 405c08 3186->3188 3189 405bfb lstrcatA 3186->3189 3292 406747 lstrlenA wvsprintfA 3187->3292 3240 405e07 lstrlenA 3188->3240 3191 405c0e 3189->3191 3193 405c1c lstrcatA 3191->3193 3196 405c27 lstrlenA FindFirstFileA 3191->3196 3193->3196 3196->3184 3213 405c4b 3196->3213 3200 406747 9 API 
calls 3201 405d75 3200->3201 3202 405f85 2 API calls 3201->3202 3203 405d7d RemoveDirectoryA 3202->3203 3207 405db3 3203->3207 3208 405d89 3203->3208 3204 405d0e FindNextFileA 3206 405d26 FindClose 3204->3206 3204->3213 3206->3184 3209 40552b 25 API calls 3207->3209 3208->3187 3210 405d8f 3208->3210 3209->3220 3211 406747 9 API calls 3210->3211 3214 405d99 3211->3214 3212 405b99 69 API calls 3212->3213 3213->3204 3213->3212 3221 40552b 25 API calls 3213->3221 3222 406747 9 API calls 3213->3222 3244 405deb 3213->3244 3248 4062cd lstrcpynA 3213->3248 3249 405f85 GetFileAttributesA 3213->3249 3252 40552b 3213->3252 3263 40601b 3213->3263 3216 40552b 25 API calls 3214->3216 3218 405da3 3216->3218 3219 40601b 41 API calls 3218->3219 3219->3220 3221->3204 3222->3213 3301 4062cd lstrcpynA 3225->3301 3227 405eb2 3302 405e54 CharNextA CharNextA 3227->3302 3230 405bad 3230->3182 3230->3183 3232 405ef3 lstrlenA 3233 405efe 3232->3233 3236 405ec8 3232->3236 3235 405dc0 3 API calls 3233->3235 3234 406775 2 API calls 3234->3236 3237 405f03 GetFileAttributesA 3235->3237 3236->3230 3236->3232 3236->3234 3238 405e07 2 API calls 3236->3238 3237->3230 3238->3232 3239->3186 3241 405e14 3240->3241 3242 405e25 3241->3242 3243 405e19 CharPrevA 3241->3243 3242->3191 3243->3241 3243->3242 3245 405df1 3244->3245 3246 405e04 3245->3246 3247 405df7 CharNextA 3245->3247 3246->3213 3247->3245 3248->3213 3250 405cc3 DeleteFileA 3249->3250 3251 405f94 SetFileAttributesA 3249->3251 3250->3213 3251->3250 3254 405546 3252->3254 3262 4055e9 3252->3262 3253 405563 lstrlenA 3256 405571 lstrlenA 3253->3256 3257 40558c 3253->3257 3254->3253 3317 4062ef 3254->3317 3258 405583 lstrcatA 3256->3258 3256->3262 3259 405592 SetWindowTextA 3257->3259 3260 40559f 3257->3260 3258->3257 3259->3260 3261 4055a5 SendMessageA SendMessageA SendMessageA 3260->3261 3260->3262 3261->3262 3262->3213 3344 40680a GetModuleHandleA 3263->3344 3266 40602e MoveFileExA 3267 40603f 3266->3267 3268 406178 3266->3268 3269 406083 
GetShortPathNameA 3267->3269 3270 40605d 3267->3270 3268->3213 3269->3268 3271 406098 3269->3271 3350 405fa4 GetFileAttributesA CreateFileA 3270->3350 3271->3268 3273 4060a0 wsprintfA 3271->3273 3275 4062ef 18 API calls 3273->3275 3274 406067 CloseHandle GetShortPathNameA 3274->3268 3276 40607b 3274->3276 3277 4060c8 3275->3277 3276->3268 3276->3269 3351 405fa4 GetFileAttributesA CreateFileA 3277->3351 3279 4060d5 3279->3268 3280 4060e4 GetFileSize GlobalAlloc 3279->3280 3281 406171 CloseHandle 3280->3281 3282 406102 ReadFile 3280->3282 3281->3268 3282->3281 3283 406116 3282->3283 3283->3281 3352 405f19 lstrlenA 3283->3352 3286 406185 3288 405f19 4 API calls 3286->3288 3287 40612b 3357 4062cd lstrcpynA 3287->3357 3290 406139 3288->3290 3291 40614c SetFilePointer WriteFile GlobalFree 3290->3291 3291->3281 3361 4065c8 3292->3361 3296 405d60 3295->3296 3297 40678b FindClose 3295->3297 3296->3220 3298 405dc0 lstrlenA CharPrevA 3296->3298 3297->3296 3299 405d6a 3298->3299 3300 405dda lstrcatA 3298->3300 3299->3200 3300->3299 3301->3227 3303 405e6e 3302->3303 3306 405e7a 3302->3306 3304 405e75 CharNextA 3303->3304 3303->3306 3305 405e97 3304->3305 3305->3230 3308 40652f 3305->3308 3306->3305 3307 405deb CharNextA 3306->3307 3307->3306 3309 40653b 3308->3309 3311 406598 CharNextA 3309->3311 3312 405deb CharNextA 3309->3312 3313 4065a3 3309->3313 3315 406586 CharNextA 3309->3315 3316 406593 CharNextA 3309->3316 3310 4065a7 CharPrevA 3310->3313 3311->3309 3311->3313 3312->3309 3313->3310 3314 4065c2 3313->3314 3314->3236 3315->3309 3316->3311 3322 4062fc 3317->3322 3318 406516 3319 40652b 3318->3319 3343 4062cd lstrcpynA 3318->3343 3319->3253 3321 406394 GetVersion 3325 4063a1 3321->3325 3322->3318 3322->3321 3323 4064ed lstrlenA 3322->3323 3327 4062ef 10 API calls 3322->3327 3331 40652f 5 API calls 3322->3331 3341 40622b wsprintfA 3322->3341 3342 4062cd lstrcpynA 3322->3342 3323->3322 3325->3322 3329 40640c GetSystemDirectoryA 3325->3329 3330 40641f GetWindowsDirectoryA 
3325->3330 3332 4062ef 10 API calls 3325->3332 3333 406496 lstrcatA 3325->3333 3334 406453 SHGetSpecialFolderLocation 3325->3334 3336 4061b4 RegOpenKeyExA 3325->3336 3327->3323 3329->3325 3330->3325 3331->3322 3332->3325 3333->3322 3334->3325 3335 40646b SHGetPathFromIDListA CoTaskMemFree 3334->3335 3335->3325 3337 406225 3336->3337 3338 4061e7 RegQueryValueExA 3336->3338 3337->3325 3340 406208 RegCloseKey 3338->3340 3340->3337 3341->3322 3342->3322 3343->3319 3345 406830 GetProcAddress 3344->3345 3346 406826 3344->3346 3349 406026 3345->3349 3358 40679c GetSystemDirectoryA 3346->3358 3348 40682c 3348->3345 3348->3349 3349->3266 3349->3267 3350->3274 3351->3279 3353 405f4f lstrlenA 3352->3353 3354 405f59 3353->3354 3355 405f2d lstrcmpiA 3353->3355 3354->3286 3354->3287 3355->3354 3356 405f46 CharNextA 3355->3356 3356->3353 3357->3290 3359 4067be wsprintfA LoadLibraryExA 3358->3359 3359->3348 3362 4065d3 3361->3362 3365 4065ed 3361->3365 3363 4065e4 3362->3363 3364 4065dd CloseHandle 3362->3364 3363->3220 3364->3363 3365->3363 3366 40662c 3365->3366 3367 406635 lstrcatA lstrlenA WriteFile 3365->3367 3371 405fa4 GetFileAttributesA CreateFileA 3365->3371 3366->3363 3366->3367 3367->3363 3369 406617 3369->3363 3370 406621 SetFilePointer 3369->3370 3370->3366 3371->3369 4550 402904 4551 402909 4550->4551 4552 40291a 4550->4552 4553 402e87 18 API calls 4551->4553 4554 402ea4 18 API calls 4552->4554 4556 402910 4553->4556 4555 402921 lstrlenA 4554->4555 4555->4556 4557 402940 WriteFile 4556->4557 4558 402aa2 4556->4558 4557->4558 4559 402a84 4560 402ea4 18 API calls 4559->4560 4561 402a8b FindFirstFileA 4560->4561 4562 402aae 4561->4562 4563 402a9e 4561->4563 4564 402ab5 4562->4564 4567 40622b wsprintfA 4562->4567 4568 4062cd lstrcpynA 4564->4568 4567->4564 4568->4563 4569 402689 4570 40268f 4569->4570 4571 402ea4 18 API calls 4570->4571 4572 4026a4 4571->4572 4573 402ea4 18 API calls 4572->4573 4574 4026ae 4573->4574 4575 4026b7 RegCreateKeyExA 4574->4575 4576 4026e5 
4575->4576 4577 4027dd 4575->4577 4578 402ea4 18 API calls 4576->4578 4597 40272e 4576->4597 4579 406747 9 API calls 4577->4579 4582 4027ed 4577->4582 4581 4026f9 lstrlenA 4578->4581 4579->4582 4580 4027a4 RegSetValueExA 4587 4027ba RegCloseKey 4580->4587 4588 4027bf 4580->4588 4585 402712 4581->4585 4586 402724 4581->4586 4583 402e87 18 API calls 4589 40273e 4583->4589 4584 4033c6 48 API calls 4590 402772 4584->4590 4591 406747 9 API calls 4585->4591 4592 406747 9 API calls 4586->4592 4587->4582 4593 406747 9 API calls 4588->4593 4594 406747 9 API calls 4589->4594 4602 4066c9 4590->4602 4596 40271c 4591->4596 4592->4597 4593->4587 4599 40275a 4594->4599 4596->4580 4597->4583 4597->4599 4599->4580 4599->4584 4601 406747 9 API calls 4601->4596 4603 4066ec 4602->4603 4604 406701 wsprintfA 4603->4604 4607 40672f 4603->4607 4604->4604 4604->4607 4605 402787 4605->4601 4606 406738 lstrcatA 4606->4605 4607->4605 4607->4606 4608 404c8a 4609 404cb6 4608->4609 4610 404c9a 4608->4610 4612 404ce9 4609->4612 4613 404cbc SHGetPathFromIDListA 4609->4613 4619 405b19 GetDlgItemTextA 4610->4619 4615 404cd3 SendMessageA 4613->4615 4616 404ccc 4613->4616 4614 404ca7 SendMessageA 4614->4609 4615->4612 4617 40140b 81 API calls 4616->4617 4617->4615 4619->4614 4627 402d11 SendMessageA 4628 402d35 4627->4628 4629 402d2a InvalidateRect 4627->4629 4629->4628 4630 401e94 4631 402e87 18 API calls 4630->4631 4632 401e9a IsWindow 4631->4632 4633 401771 4632->4633 4634 401ea9 4632->4634 4634->4633 4635 406747 9 API calls 4634->4635 4635->4633 4636 401d15 4637 401d72 4636->4637 4638 401d22 4636->4638 4639 401d76 4637->4639 4640 401da7 GlobalAlloc 4637->4640 4641 401d31 4638->4641 4648 401d45 4638->4648 4642 401d8a 4639->4642 4643 401d7a 4639->4643 4644 4062ef 18 API calls 4640->4644 4645 406747 9 API calls 4641->4645 4662 4062cd lstrcpynA 4642->4662 4646 406747 9 API calls 4643->4646 4649 401d3e 4644->4649 4645->4649 4652 401d84 4646->4652 4660 4062cd lstrcpynA 4648->4660 4649->4652 4653 4062ef 
18 API calls 4649->4653 4650 401d94 GlobalFree 4650->4652 4655 402516 4653->4655 4654 401d54 4661 4062cd lstrcpynA 4654->4661 4658 405b35 MessageBoxIndirectA 4655->4658 4657 401d63 4663 4062cd lstrcpynA 4657->4663 4658->4652 4660->4654 4661->4657 4662->4650 4663->4652 4664 402117 4665 402ea4 18 API calls 4664->4665 4666 40211e 4665->4666 4667 406775 2 API calls 4666->4667 4668 402124 4667->4668 4670 402136 4668->4670 4671 40622b wsprintfA 4668->4671 4671->4670 4672 404897 4673 4048a7 4672->4673 4674 4048cd 4672->4674 4675 4044a0 19 API calls 4673->4675 4676 404507 8 API calls 4674->4676 4677 4048b4 SetDlgItemTextA 4675->4677 4678 4048d9 4676->4678 4677->4674 4679 401899 4680 402ea4 18 API calls 4679->4680 4681 4018a0 4680->4681 4682 406747 9 API calls 4681->4682 4683 4018c3 4682->4683 4684 4018d6 4683->4684 4685 4018de 4683->4685 4731 4062cd lstrcpynA 4684->4731 4732 4062cd lstrcpynA 4685->4732 4688 4018dc 4691 40652f 5 API calls 4688->4691 4689 4018e9 4690 405dc0 3 API calls 4689->4690 4692 4018ef lstrcatA 4690->4692 4721 4018fb 4691->4721 4692->4688 4693 406775 2 API calls 4693->4721 4694 405f85 2 API calls 4694->4721 4696 401912 CompareFileTime 4696->4721 4697 401a1b 4699 40552b 25 API calls 4697->4699 4698 4019d7 4700 40552b 25 API calls 4698->4700 4701 401a25 4699->4701 4703 4019ea 4700->4703 4702 4033c6 48 API calls 4701->4702 4704 401a38 4702->4704 4707 406747 9 API calls 4703->4707 4711 401a0f 4703->4711 4705 406747 9 API calls 4704->4705 4706 401a4c 4705->4706 4708 401a5b SetFileTime 4706->4708 4709 401a6d CloseHandle 4706->4709 4707->4711 4708->4709 4709->4711 4712 401a7e 4709->4712 4710 4062ef 18 API calls 4710->4721 4713 401a83 4712->4713 4714 401a96 4712->4714 4716 4062ef 18 API calls 4713->4716 4717 4062ef 18 API calls 4714->4717 4715 4062cd lstrcpynA 4715->4721 4718 401a8b lstrcatA 4716->4718 4720 401a9e 4717->4720 4718->4720 4719 405b35 MessageBoxIndirectA 4719->4721 4722 406747 9 API calls 4720->4722 4721->4693 4721->4694 4721->4696 4721->4697 
4721->4698 4721->4710 4721->4715 4721->4719 4723 4019ca 4721->4723 4727 406747 9 API calls 4721->4727 4733 405fa4 GetFileAttributesA CreateFileA 4721->4733 4724 401aa9 4722->4724 4725 401a05 4723->4725 4726 4019cd 4723->4726 4730 405b35 MessageBoxIndirectA 4724->4730 4729 406747 9 API calls 4725->4729 4728 406747 9 API calls 4726->4728 4727->4721 4728->4698 4729->4711 4730->4711 4731->4688 4732->4689 4733->4721 4741 402da1 4742 402df4 4741->4742 4743 402e9b 4742->4743 4744 4062ef 18 API calls 4742->4744 4744->4743 4752 401b2f 4753 402ea4 18 API calls 4752->4753 4754 401b36 lstrlenA 4753->4754 4755 4028fe 4754->4755 4756 401c30 4757 402e87 18 API calls 4756->4757 4758 401c36 4757->4758 4759 402e87 18 API calls 4758->4759 4760 401771 4759->4760 4761 402531 4776 4062cd lstrcpynA 4761->4776 4763 40254a 4777 4062cd lstrcpynA 4763->4777 4765 402556 4766 402561 4765->4766 4767 402ea4 18 API calls 4765->4767 4768 402570 4766->4768 4769 402ea4 18 API calls 4766->4769 4767->4766 4770 402ea4 18 API calls 4768->4770 4773 40257f 4768->4773 4769->4768 4770->4773 4771 402ea4 18 API calls 4772 402589 4771->4772 4774 406747 9 API calls 4772->4774 4773->4771 4775 40259d WritePrivateProfileStringA 4774->4775 4776->4763 4777->4765 4778 4045b4 lstrcpynA lstrlenA 4779 403bb4 4780 403bbf 4779->4780 4781 403bc3 4780->4781 4782 403bc6 GlobalAlloc 4780->4782 4782->4781 4783 4025b5 4784 402ea4 18 API calls 4783->4784 4785 4025c3 4784->4785 4786 402ea4 18 API calls 4785->4786 4787 4025cc 4786->4787 4788 402ea4 18 API calls 4787->4788 4789 4025d6 GetPrivateProfileStringA 4788->4789 4790 401ab6 4791 402ea4 18 API calls 4790->4791 4792 401abc 4791->4792 4793 406747 9 API calls 4792->4793 4794 401b1f 4793->4794 4795 405b99 78 API calls 4794->4795 4796 401b2a 4795->4796 4797 406ab6 4798 40693a 4797->4798 4799 4072a5 4798->4799 4800 4069c4 GlobalAlloc 4798->4800 4801 4069bb GlobalFree 4798->4801 4802 406a32 GlobalFree 4798->4802 4803 406a3b GlobalAlloc 4798->4803 4800->4798 4800->4799 4801->4800 
4802->4803 4803->4798 4803->4799 4804 401fbc 4805 402e87 18 API calls 4804->4805 4806 401fc2 4805->4806 4807 402e87 18 API calls 4806->4807 4808 401fcb 4807->4808 4809 406747 9 API calls 4808->4809 4812 401fdc 4808->4812 4809->4812 4810 401fe4 ShowWindow 4813 402d35 4810->4813 4811 401fef EnableWindow 4811->4813 4812->4810 4812->4811
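The graph above includes the stub's delete-on-reboot helper at 0040601B (MoveFileExA, with the wininit.ini fallback). On a live host the trace that helper leaves is the PendingFileRenameOperations value, so here is an added triage example (not part of the Joe Sandbox report and not NSIS code) that parses that REG_MULTI_SZ and separates the expected NSIS self-cleanup entries from anything else scheduled for the next boot. The pair layout, the `\??\` prefix and the `!` replace marker are documented Windows behaviour; the registry value below is constructed, and the NSIS temp-path pattern is an assumption drawn from the `~nsu` / `.tmp` strings in this report.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations
# is a REG_MULTI_SZ of (source, target) pairs that the session manager applies at
# boot. Paths carry the NT "\??\" prefix, an empty target means "delete", and a
# leading "!" on the target means MOVEFILE_REPLACE_EXISTING.


@dataclass
class PendingOp:
    source: str
    target: Optional[str]      # None: the source is deleted on reboot
    replace_existing: bool


def _strip_nt_prefix(path: str) -> str:
    return path[4:] if path.startswith("\\??\\") else path


def parse_pending_renames(multi_sz: List[str]) -> List[PendingOp]:
    # Some exporters keep the empty string that terminates the REG_MULTI_SZ; drop it.
    if multi_sz and multi_sz[-1] == "" and len(multi_sz) % 2 == 1:
        multi_sz = multi_sz[:-1]
    if len(multi_sz) % 2:
        raise ValueError("PendingFileRenameOperations must hold source/target pairs")
    ops = []
    for src, dst in zip(multi_sz[0::2], multi_sz[1::2]):
        replace = dst.startswith("!")
        if replace:
            dst = dst[1:]
        dst = _strip_nt_prefix(dst)
        ops.append(PendingOp(_strip_nt_prefix(src), dst or None, replace))
    return ops


# Assumed NSIS artefacts: "<TEMP>\~nsu<X>.tmp" and the "<X>u_.exe" copy inside it.
NSIS_TEMP_ARTEFACT = re.compile(r"\\~nsu[A-Za-z]\.tmp(\\[A-Za-z]u_\.exe)?$", re.IGNORECASE)
SYSTEM_PATH = re.compile(r"^[A-Za-z]:\\Windows\\", re.IGNORECASE)


def triage(ops: List[PendingOp]) -> List[Tuple[PendingOp, str]]:
    """Tag each pending operation: NSIS self-cleanup is expected, the rest needs review."""
    out = []
    for op in ops:
        if op.target is None and NSIS_TEMP_ARTEFACT.search(op.source):
            out.append((op, "expected: NSIS uninstaller temp copy/dir scheduled for deletion"))
        elif op.target is not None and SYSTEM_PATH.match(op.target):
            out.append((op, "review: file moves into the Windows directory at boot"))
        elif op.target is None:
            out.append((op, "review: unrelated file scheduled for deletion"))
        else:
            out.append((op, "review: rename scheduled for boot"))
    return out


# Constructed registry value (not taken from the report): two NSIS cleanup entries
# and one entry that plants a file under System32 at boot.
SAMPLE_VALUE = [
    "\\??\\C:\\Users\\user\\AppData\\Local\\Temp\\~nsuA.tmp\\Au_.exe", "",
    "\\??\\C:\\Users\\user\\AppData\\Local\\Temp\\~nsuA.tmp", "",
    "\\??\\C:\\Users\\user\\AppData\\Local\\Temp\\upd.tmp",
    "!\\??\\C:\\Windows\\System32\\drivers\\upd.sys",
    "",
]

if __name__ == "__main__":
    for op, why in triage(parse_pending_renames(SAMPLE_VALUE)):
        print(f"{why}: {op.source} -> {op.target}")
```

On a Windows host the list passed to `parse_pending_renames` is what `winreg.QueryValueEx` returns for the value; the example keeps the data inline so it runs anywhere.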

Control-flow Graph

[Basic-block graph of 004036E7, the NSIS runtime entry point; the node/edge list and the executed / not-executed colouring exist only in the interactive viewer. Recoverable block order: 004036E7 SetErrorMode, GetVersion; 0040371F resolve optional imports through 0040680A (GetModuleHandleA / GetProcAddress); 00403735 load UXTHEME through 0040679C; 0040374A COMCTL32 #17, OleInitialize, SHGetFileInfoA, GetCommandLineA, GetModuleHandleA; 004037C8-00403845 command-line scan with CharNextA (the "/D=" and "_?=" switches); 0040385F GetTempPathA, with 00403879 GetWindowsDirectoryA + "\Temp" as fallback, each validated by 004036B6; 0040389D DeleteFileA of the nsf*.tmp probe file, then 00403120 (installer data load); error exits at 00403925 (ExitProcess, CoUninitialize) and 0040393A ("NSIS Error" through 00405B35 MessageBoxIndirectA, ExitProcess); 0040390E main UI via 00403C17 and log close via 004065C8; uninstaller branch 00403950-00403A44: lstrcatA "~nsu", letter, ".tmp", lstrcmpiA against the directory the executable runs from, SetCurrentDirectoryA, then the loop 004039D7-00403A3B: 004062EF builds the copy name, DeleteFileA, CopyFileA of the running image, 0040601B schedules it for deletion on reboot, 004062EF builds the child command line, 00405AD4 creates the process, CloseHandle; finally 00403A49-00403AFE: on a requested reboot, three 0040680A resolutions, GetCurrentProcess / OpenProcessToken, SeShutdownPrivilege, ExitWindowsEx, then ExitProcess.]
APIs
Function 004036E7 is the NSIS runtime entry point, and the calls below are the stock uninstaller bootstrap rather than sample-specific behaviour: the stub scans its command line for the "/D=" and "_?=" switches, checks the temp directory (falling back to <windir>\Temp and probing it with an nsf*.tmp temporary file that is deleted again; "Error writing temporary file. Make sure your temp folder is valid." is the matching error string), builds "<TEMP>\~nsu<X>.tmp", copies its own image there as "<X>u_.exe", schedules the copy for deletion on reboot with MoveFileExA, and launches it with "_?=<install dir>" so that the copy knows the real install directory and does not copy itself again. The leading letter is advanced through A..Z inside the loop at 004039D7-00403A3B, which is why the buffer captured in the memory dump reads Zu_.exe; the copy that actually ran is the one named in the process tree. SeShutdownPrivilege and ExitWindowsEx belong to the stub's optional reboot path at the end of the function and are not evidence of a shutdown having been triggered.
                                          • SetErrorMode.KERNELBASE ref: 0040370D
                                          • GetVersion.KERNEL32 ref: 00403713
                                          • lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 0040373C
• #17.COMCTL32(0000000B,0000000D), ref: 0040375D  (ordinal 17 of COMCTL32 is InitCommonControls; NSIS stubs import it by ordinal)
                                          • OleInitialize.OLE32(00000000), ref: 00403764
                                          • SHGetFileInfoA.SHELL32(00420D98,00000000,?,00000160,00000000), ref: 00403780
                                          • GetCommandLineA.KERNEL32(00425C00,NSIS Error), ref: 00403795
                                          • GetModuleHandleA.KERNEL32(00000000,"C:\Users\user\Desktop\yDoZVwXSMG.exe",00000000), ref: 004037A8
                                          • CharNextA.USER32(00000000,"C:\Users\user\Desktop\yDoZVwXSMG.exe",0040A7B0), ref: 004037D3
                                          • GetTempPathA.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\~nsuA.tmp,00000000,00000020), ref: 0040386A
                                          • GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\~nsuA.tmp,000003FB), ref: 0040387F
                                          • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\~nsuA.tmp,\Temp), ref: 0040388B
                                          • DeleteFileA.KERNELBASE(C:\Users\user\AppData\Local\Temp\nsfC6FF.tmp), ref: 004038A2
                                            • Part of subcall function 0040680A: GetModuleHandleA.KERNEL32(?,?,?,00403751,0000000D), ref: 0040681C
                                            • Part of subcall function 0040680A: GetProcAddress.KERNEL32(00000000,?), ref: 00406837
                                          • ExitProcess.KERNEL32(00000020), ref: 00403925
                                          • CoUninitialize.COMBASE(00000020), ref: 0040392A
                                          • ExitProcess.KERNEL32 ref: 0040394A
                                          • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\~nsuA.tmp,~nsu,"C:\Users\user\Desktop\yDoZVwXSMG.exe",00000000,00000020), ref: 0040395D
                                          • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\~nsuA.tmp,0040A82C,C:\Users\user\AppData\Local\Temp\~nsuA.tmp,~nsu,"C:\Users\user\Desktop\yDoZVwXSMG.exe",00000000,00000020), ref: 0040396C
                                          • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\~nsuA.tmp,.tmp,C:\Users\user\AppData\Local\Temp\~nsuA.tmp,~nsu,"C:\Users\user\Desktop\yDoZVwXSMG.exe",00000000,00000020), ref: 00403977
                                          • lstrcmpiA.KERNEL32(C:\Users\user\AppData\Local\Temp\~nsuA.tmp,C:\Users\user\Desktop), ref: 00403983
                                          • SetCurrentDirectoryA.KERNELBASE(C:\Users\user\AppData\Local\Temp\~nsuA.tmp,C:\Users\user\AppData\Local\Temp\~nsuA.tmp), ref: 0040399F
                                          • DeleteFileA.KERNELBASE(C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Zu_.exe,C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Zu_.exe,?,00427000,?), ref: 004039E9
                                          • CopyFileA.KERNEL32(C:\Users\user\Desktop\yDoZVwXSMG.exe,C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Zu_.exe,00000001), ref: 004039FD
                                          • CloseHandle.KERNEL32(00000000,C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Zu_.exe,C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Zu_.exe,?,C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Zu_.exe,00000000), ref: 00403A2A
• GetCurrentProcess.KERNEL32(00000028,?,00000007,00000006,00000005), ref: 00403A83  (00000028 = TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, the access mask for the OpenProcessToken call that enables SeShutdownPrivilege)
• ExitWindowsEx.USER32(00000002,80040002), ref: 00403ADB  (EWX_REBOOT with reason SHTDN_REASON_MAJOR_APPLICATION | SHTDN_REASON_MINOR_INSTALLATION | SHTDN_REASON_FLAG_PLANNED; reached only when the script requested a reboot)
                                          • ExitProcess.KERNEL32 ref: 00403AFE
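As an added example (not part of the Joe Sandbox report and not NSIS code), the following Python helper applies the bootstrap described above to process-tree records so that the self-copy is not misread as a dropper: a child is accepted as the benign NSIS relaunch only when its image sits at <TEMP>\~nsu<X>.tmp\<X>u_.exe, its command line carries `_?=`, and its hash equals the parent's, because the stub copies its own running image with CopyFileA. The Proc records and hashes are constructed for the example; the path pattern and the meaning of `_?=` follow the NSIS documentation.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# NSIS uninstaller self-copy location: <TEMP>\~nsu<X>.tmp\<X>u_.exe, X cycled A..Z.
NSIS_UNINST_COPY = re.compile(
    r"\\~nsu(?P<dirletter>[A-Za-z])\.tmp\\(?P<fileletter>[A-Za-z])u_\.exe$",
    re.IGNORECASE,
)
# "_?=<dir>" hands the real install directory to the temp copy and tells it not to
# copy itself again (the NSIS manual documents the switch for exactly this purpose).
NSIS_INSTDIR_SWITCH = re.compile(r"(?:^|\s)_\?=(?P<instdir>.*)$")


@dataclass
class Proc:
    pid: int
    ppid: Optional[int]
    image: str
    cmdline: str
    md5: str


@dataclass
class Verdict:
    pid: int
    kind: str            # "nsis-uninstaller-relaunch" | "nsis-like-path-mismatch" | "unclassified"
    instdir: str = ""
    reasons: list = field(default_factory=list)


def classify(child: Proc, parent: Optional[Proc]) -> Verdict:
    """Decide whether a process is the benign NSIS uninstaller relaunch of its parent."""
    m = NSIS_UNINST_COPY.search(child.image)
    if not m:
        return Verdict(child.pid, "unclassified")

    reasons = []
    sw = NSIS_INSTDIR_SWITCH.search(child.cmdline)
    instdir = sw.group("instdir").strip().strip('"') if sw else ""
    if not instdir:
        reasons.append("no _?= switch: a genuine NSIS temp copy always receives one")
    # The stub copies its own running image, so the hashes must match.
    if parent is None:
        reasons.append("parent process not in the tree")
    elif parent.md5.lower() != child.md5.lower():
        reasons.append("hash differs from parent: NSIS-looking path but not a self-copy")
    # The relaunch is spawned from the original location, not from another ~nsu copy.
    if parent is not None and NSIS_UNINST_COPY.search(parent.image):
        reasons.append("parent itself runs from a ~nsu temp copy")

    kind = "nsis-uninstaller-relaunch" if not reasons else "nsis-like-path-mismatch"
    return Verdict(child.pid, kind, instdir, reasons)


def classify_tree(procs: list) -> dict:
    by_pid = {p.pid: p for p in procs}
    return {p.pid: classify(p, by_pid.get(p.ppid)) for p in procs}


# Constructed sample tree (not taken from the report): a parent on the desktop, its
# legitimate temp copy, and a look-alike under a ~nsu path with a different hash.
SAMPLE_TREE = [
    Proc(1000, None, "C:\\Users\\user\\Desktop\\uninst.exe",
         "\"C:\\Users\\user\\Desktop\\uninst.exe\"",
         "d41d8cd98f00b204e9800998ecf8427e"),
    Proc(1001, 1000, "C:\\Users\\user\\AppData\\Local\\Temp\\~nsuA.tmp\\Au_.exe",
         "\"C:\\Users\\user\\AppData\\Local\\Temp\\~nsuA.tmp\\Au_.exe\" _?=C:\\Users\\user\\Desktop\\",
         "d41d8cd98f00b204e9800998ecf8427e"),
    Proc(1002, 1000, "C:\\Users\\user\\AppData\\Local\\Temp\\~nsuB.tmp\\Bu_.exe",
         "\"C:\\Users\\user\\AppData\\Local\\Temp\\~nsuB.tmp\\Bu_.exe\" _?=C:\\Users\\user\\Desktop\\",
         "00000000000000000000000000000000"),
]

if __name__ == "__main__":
    for verdict in classify_tree(SAMPLE_TREE).values():
        print(verdict)
```

The hash comparison is the check that matters: a process that merely imitates the `~nsu<X>.tmp\<X>u_.exe` naming but is not a byte-for-byte copy of its parent is a real drop, whatever its path looks like.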
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2191013243.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2190998009.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2191030062.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2191048241.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2191048241.000000000040C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2191048241.0000000000424000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2191048241.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2191138576.0000000000436000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_yDoZVwXSMG.jbxd
                                          Similarity
                                          • API ID: ExitFileProcesslstrcat$Handle$CurrentDeleteDirectoryModuleWindows$AddressCharCloseCommandCopyErrorInfoInitializeLineModeNextPathProcTempUninitializeVersionlstrcmpilstrlen
                                          • String ID: $ /D=$ _?=$"$"C:\Users\user\Desktop\yDoZVwXSMG.exe"$.tmp$C:\Users\user\AppData\Local\Temp\nsfC6FF.tmp$C:\Users\user\AppData\Local\Temp\~nsuA.tmp$C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Zu_.exe$C:\Users\user\Desktop$C:\Users\user\Desktop$C:\Users\user\Desktop\yDoZVwXSMG.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$NCRC$NSIS Error$SeShutdownPrivilege$UXTHEME$\Temp$~nsu
                                          • API String ID: 1031542678-3182271799
                                          • Opcode ID: 31acf3797f5d253463644cb35ef2ae3e27a5e41f0dfd86ad2bdc06d43a08916d
                                          • Instruction ID: 5ceea3819846a486be4215ca695653b375cf8776205228b8cf71ce6426392153
                                          • Opcode Fuzzy Hash: 31acf3797f5d253463644cb35ef2ae3e27a5e41f0dfd86ad2bdc06d43a08916d
                                          • Instruction Fuzzy Hash: 69B1B271604340ABD7207F619D4AB2B7EACAF4170AF05447FF182B61D2CB7C89458B6E

                                          Control-flow Graph
                                          • Graph image not recoverable from this page. Entry block 406ab6; basic blocks span 40693a to 407358. The only imports on the graph are GlobalFree (blocks 4069bb and 406a32) and GlobalAlloc (blocks 4069c4 and 406a3b); no other API or string reference is attached to this function.
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2191013243.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.2190998009.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2191030062.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2191048241.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2191048241.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2191048241.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2191048241.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2191138576.0000000000436000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_yDoZVwXSMG.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f8c0cb152ca077a17e7f7cfd6049439835df5b56467184ace3d81a746cc5e8b0
                                          • Instruction ID: 2a9aa8917219c7ba8d85c1882f41a63cf1be2f3d7e8fd7c71b64c591a4991728
                                          • Opcode Fuzzy Hash: f8c0cb152ca077a17e7f7cfd6049439835df5b56467184ace3d81a746cc5e8b0
                                          • Instruction Fuzzy Hash: D5F16771D04229CBDF28CFA8C8946ADBBB0FF44305F15816ED856BB281D7386A86DF45

                                          Control-flow Graph
                                          • Graph image not recoverable from this page. Entry block 40601b; basic blocks span 40601b to 4061b2. Internal calls go to 40680a, 405fa4, 4062ef, 405f19, 4062cd and 405f65; the imports on the graph nodes (MoveFileExA, GetShortPathNameA, CloseHandle, wsprintfA, GetFileSize, GlobalAlloc, ReadFile, SetFilePointer, WriteFile, GlobalFree) are the ones listed under APIs below.
                                          APIs
                                            • Part of subcall function 0040680A: GetModuleHandleA.KERNEL32(?,?,?,00403751,0000000D), ref: 0040681C
                                            • Part of subcall function 0040680A: GetProcAddress.KERNEL32(00000000,?), ref: 00406837
                                          • MoveFileExA.KERNEL32(00000000,?,00000005,00000002,?,00000000,?,?,00405DAA,?,00000000,000000F1,?), ref: 00406035
                                          • CloseHandle.KERNEL32(00000000,?,00000000,00000001,00000002,?,00000000,?,?,00405DAA,?,00000000,000000F1,?), ref: 00406068
                                          • GetShortPathNameA.KERNEL32(?,00423F68,00000400), ref: 00406071
                                          • GetShortPathNameA.KERNEL32(00000000,004239E0,00000400), ref: 0040608E
                                          • wsprintfA.USER32 ref: 004060AC
                                          • GetFileSize.KERNEL32(00000000,00000000,004239E0,C0000000,00000004,004239E0,?,?,?,00000000,000000F1,?), ref: 004060E7
                                          • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,00000000,000000F1,?), ref: 004060F6
                                          • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,000000F1,?), ref: 0040610C
                                          • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,004235E0,00000000,-0000000A,0040ABD4,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00406152
                                          • WriteFile.KERNEL32(00000000,00000000,?,?,00000000,?,?,00000000,000000F1,?), ref: 00406164
                                          • GlobalFree.KERNEL32(00000000), ref: 0040616B
                                          • CloseHandle.KERNEL32(00000000,?,?,00000000,000000F1,?), ref: 00406172
                                            • Part of subcall function 00405F19: lstrlenA.KERNEL32(00000000,?,00000000,00000000,00406127,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405F20
                                            • Part of subcall function 00405F19: lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,00406127,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405F50
                                          Memory Dump Source / Joe Sandbox IDA Plugin: same module dump and snapshot as listed above (00000000.00000002.2191013243.0000000000401000.00000020.00000001.01000000.00000003.sdmp at image base 00400000; snapshot hcaresult_0_2_400000_yDoZVwXSMG.jbxd)
                                          Similarity
                                          • API ID: File$Handle$CloseGlobalNamePathShortlstrlen$AddressAllocFreeModuleMovePointerProcReadSizeWritewsprintf
                                          • String ID: %s=%s$[Rename]$h?B$9B
                                          • API String ID: 1872253872-2390523675
                                          • Opcode ID: 21917f923af837da55185abc71840ce9c4339cf9359ea08ee4b8cb6fcd80affc
                                          • Instruction ID: 6fab4b1a5264387afcbcbc9c20e197d89b1de9b9f4b2b97f427ae02aeeda734e
                                          • Opcode Fuzzy Hash: 21917f923af837da55185abc71840ce9c4339cf9359ea08ee4b8cb6fcd80affc
                                          • Instruction Fuzzy Hash: 884115712007167BD7206B619E49F6B3A7CDF85755F06003AF946FA2C2EA3CD824C6AD

                                          Control-flow Graph
                                          • Graph image not recoverable from this page. Entry block 403120; basic blocks span 403120 to 4033c3. Internal calls go to 405fa4, 4062cd, 405e07, 403081, 40366d, 40369f, 4068e7, 405fd3, 4033c6, 405f65 and 406879; the imports on the graph nodes (GetTickCount, GetModuleFileNameA, GetFileSize, GlobalAlloc, CreateFileA) are the ones listed under APIs below.
                                          APIs
                                          • GetTickCount.KERNEL32 ref: 00403134
                                          • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\yDoZVwXSMG.exe,00000400), ref: 00403150
                                            • Part of subcall function 00405FA4: GetFileAttributesA.KERNELBASE(00000003,00403163,C:\Users\user\Desktop\yDoZVwXSMG.exe,80000000,00000003), ref: 00405FA8
                                            • Part of subcall function 00405FA4: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405FCA
                                          • GetFileSize.KERNEL32(00000000,00000000,0042E000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\yDoZVwXSMG.exe,C:\Users\user\Desktop\yDoZVwXSMG.exe,80000000,00000003), ref: 00403199
                                          • GlobalAlloc.KERNELBASE(00000040,?), ref: 004032E0
                                          Strings
                                          • Null, xrefs: 00403219
                                          • C:\Users\user\AppData\Local\Temp\~nsuA.tmp, xrefs: 0040312D, 004032F8
                                          • Error writing temporary file. Make sure your temp folder is valid., xrefs: 00403329
                                          • C:\Users\user\Desktop, xrefs: 0040317B, 00403180, 00403186
                                          • Installer integrity check has failed. Common causes include incomplete download and damaged media. Contact the installer's author to obtain a new copy. More information at: http://nsis.sf.net/NSIS_Error, xrefs: 00403377
                                          • soft, xrefs: 00403210
                                          • Inst, xrefs: 00403207
                                          • "C:\Users\user\Desktop\yDoZVwXSMG.exe", xrefs: 00403120
                                          • C:\Users\user\Desktop\yDoZVwXSMG.exe, xrefs: 0040313A, 00403149, 0040315D, 0040317A
                                          • Error launching installer, xrefs: 00403170
                                          Memory Dump Source / Joe Sandbox IDA Plugin: same module dump and snapshot as listed above (00000000.00000002.2191013243.0000000000401000.00000020.00000001.01000000.00000003.sdmp at image base 00400000; snapshot hcaresult_0_2_400000_yDoZVwXSMG.jbxd)
                                          Similarity
                                          • API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
                                          • String ID: "C:\Users\user\Desktop\yDoZVwXSMG.exe"$C:\Users\user\AppData\Local\Temp\~nsuA.tmp$C:\Users\user\Desktop$C:\Users\user\Desktop\yDoZVwXSMG.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes include incomplete download and damaged media. Contact the installer's author to obtain a new copy. More information at: http://nsis.sf.net/NSIS_Error$Null$soft
                                          • API String ID: 2803837635-2841956730
                                          • Opcode ID: 4cf895d843c1e51e5214ca8c183206d7589522ef64cf37b5abe811079b5ea464
                                          • Instruction ID: 96d146e497d990707c57d5b2e40503737fdf144c81fc00ef777e1dfa3ff37f12
                                          • Opcode Fuzzy Hash: 4cf895d843c1e51e5214ca8c183206d7589522ef64cf37b5abe811079b5ea464
                                          • Instruction Fuzzy Hash: 4661F671A00214ABDB20AF64DD85BAE7FACAB04316F61447FF940B72D1CB3C9A418B5D

                                          Control-flow Graph
                                          • Graph image not recoverable from this page. Entry block 40679c; basic blocks span 40679c to 406807. GetSystemDirectoryA is called in the entry block, wsprintfA and LoadLibraryExA in the final block 4067d5-406807; no internal calls.
                                          APIs
                                          • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 004067B3
                                          • wsprintfA.USER32 ref: 004067EC
                                          • LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 00406800
                                          Memory Dump Source / Joe Sandbox IDA Plugin: same module dump and snapshot as listed above (00000000.00000002.2191013243.0000000000401000.00000020.00000001.01000000.00000003.sdmp at image base 00400000; snapshot hcaresult_0_2_400000_yDoZVwXSMG.jbxd)
                                          Similarity
                                          • API ID: DirectoryLibraryLoadSystemwsprintf
                                          • String ID: %s%s.dll$UXTHEME$\
                                          • API String ID: 2200240437-4240819195
                                          • Opcode ID: 47418d738528084b0ee49106b6891bde69050c906b93663faea48a45202ea939
                                          • Instruction ID: 1df609921a5ab3350e05677d7081392002f03ef46e330c3fe87cf6dcec657825
                                          • Opcode Fuzzy Hash: 47418d738528084b0ee49106b6891bde69050c906b93663faea48a45202ea939
                                          • Instruction Fuzzy Hash: 9EF0F6305002196BEB159B64DD0DFEB376CEB08309F14047FA686F21C1EA78D9398B59

                                          Control-flow Graph
                                          • Graph image not recoverable from this page. Entry block 405fd3; basic blocks span 405fd3 to 406019. GetTickCount and GetTempFileNameA sit in block 405fde-406008, which is re-entered from block 40600a (a retry loop around the temp-name call); no internal calls.
                                          APIs
                                          • GetTickCount.KERNEL32 ref: 00405FE6
                                          • GetTempFileNameA.KERNELBASE(?,0061736E,00000000,?), ref: 00406000
                                          Memory Dump Source / Joe Sandbox IDA Plugin: same module dump and snapshot as listed above (00000000.00000002.2191013243.0000000000401000.00000020.00000001.01000000.00000003.sdmp at image base 00400000; snapshot hcaresult_0_2_400000_yDoZVwXSMG.jbxd)
                                          Similarity
                                          • API ID: CountFileNameTempTick
                                          • String ID: "C:\Users\user\Desktop\yDoZVwXSMG.exe"$C:\Users\user\AppData\Local\Temp\~nsuA.tmp$nsa
                                          • API String ID: 1716503409-1848092218
                                          • Opcode ID: 1ccc6076cc6f692e90f1f6ac9548860c4ee378c8d524266ab38a343d99036947
                                          • Instruction ID: 4ac0bde53fcefe63c64b79b14273c973a9021de8d5de8166d4f532f707e8062d
                                          • Opcode Fuzzy Hash: 1ccc6076cc6f692e90f1f6ac9548860c4ee378c8d524266ab38a343d99036947
                                          • Instruction Fuzzy Hash: 80F0A7363482487AE7108F55DC04BDB7F5DDFD1760F14C03BFA449E280D6B0999897A4

                                          Control-flow Graph
                                          • Graph image not recoverable from this page. Entry block 4033c6; basic blocks span 4033c6 to 4034ee. Internal calls go to 4034f1 (blocks 4033f3 and 40342d); SetFilePointer is in block 4033d7, ReadFile in blocks 403404, 403466 and 4034c1, WriteFile in block 40347f, matching the APIs listed below.
                                          APIs
                                          • SetFilePointer.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,?,?,?,00403372,000000FF,00000000,00000000,?,?), ref: 004033ED
                                          • ReadFile.KERNELBASE(?,00000004,?,00000000,00000004,00000000,00000000,00000000,?,?,?,00403372,000000FF,00000000,00000000,?), ref: 0040341A
                                          • ReadFile.KERNEL32(00414980,00004000,?,00000000,?,?,00403372,000000FF,00000000,00000000,?,?), ref: 00403474
                                          • WriteFile.KERNEL32(00000000,00414980,?,000000FF,00000000,?,00403372,000000FF,00000000,00000000,?,?), ref: 0040348C
                                          Memory Dump Source / Joe Sandbox IDA Plugin: same module dump and snapshot as listed above (00000000.00000002.2191013243.0000000000401000.00000020.00000001.01000000.00000003.sdmp at image base 00400000; snapshot hcaresult_0_2_400000_yDoZVwXSMG.jbxd)
                                          Similarity
                                          • API ID: File$Read$PointerWrite
                                          • String ID:
                                          • API String ID: 2113905535-0
                                          • Opcode ID: 112533716f36a3d83ab0f8b5c1aa6b6122a43ce20d09c48fb3034a37057bef72
                                          • Instruction ID: fa80a256ba8ad7dbbe951804ed4cdf19961f9577527713a1418254d24a88ff6f
                                          • Opcode Fuzzy Hash: 112533716f36a3d83ab0f8b5c1aa6b6122a43ce20d09c48fb3034a37057bef72
                                          • Instruction Fuzzy Hash: D0314831500209EBCB22CF95DE80AAE7FBCEB41365B24403AF504AA190D7399A90DB69

                                          Control-flow Graph
                                          • Graph image not recoverable from this page. Entry block 4034f1; basic blocks span 4034f1 to 40366a. Internal calls go to 40369f, 403081, 40366d and 406907; GetTickCount is in the entry block, SetFilePointer in blocks 403520 and 40363c, WriteFile in block 4035e5, matching the APIs listed below.
                                          APIs
                                          • GetTickCount.KERNEL32 ref: 00403506
                                            • Part of subcall function 0040369F: SetFilePointer.KERNELBASE(00000000,00000000,00000000,0040334B,?), ref: 004036AD
                                          • SetFilePointer.KERNELBASE(00000000,00000000,?,00000000,?,004033FC,00000004,00000000,00000000,00000000,?,?,?,00403372,000000FF,00000000), ref: 00403539
                                          • WriteFile.KERNELBASE(0040C980,00412790,00000000,00000000,00414980,00004000,?,00000000,?,004033FC,00000004,00000000,00000000,00000000,?,?), ref: 004035F3
                                          • SetFilePointer.KERNELBASE(0000C0BA,00000000,00000000,00414980,00004000,?,00000000,?,004033FC,00000004,00000000,00000000,00000000,?,?), ref: 00403645
                                          Memory Dump Source / Joe Sandbox IDA Plugin: same module dump and snapshot as listed above (00000000.00000002.2191013243.0000000000401000.00000020.00000001.01000000.00000003.sdmp at image base 00400000; snapshot hcaresult_0_2_400000_yDoZVwXSMG.jbxd)
                                          Similarity
                                          • API ID: File$Pointer$CountTickWrite
                                          • String ID:
                                          • API String ID: 2146148272-0
                                          • Opcode ID: 1d643077d58e843cc00f83a3fa99e53f6c2b0296ddedef6d0ab7d02d506ede07
                                          • Instruction ID: 26932a1e78feeb0b77edab523d175b5838434cf18410dc30452224d4f843c6ae
                                          • Opcode Fuzzy Hash: 1d643077d58e843cc00f83a3fa99e53f6c2b0296ddedef6d0ab7d02d506ede07
                                          • Instruction Fuzzy Hash: EB41CFB2501205EFDB20EF28EE848263BACF785356705463FE841B32A1D7355A468F9D

                                          Control-flow Graph
                                          control_flow_graph 320 405a22-405a6d CreateDirectoryA 321 405a73-405a80 GetLastError 320->321 322 405a6f-405a71 320->322 323 405a9a-405a9c 321->323 324 405a82-405a96 SetFileSecurityA 321->324 322->323 324->322 325 405a98 GetLastError 324->325 325->323
                                          APIs
                                          • CreateDirectoryA.KERNELBASE(0000005C,00000000,00000000), ref: 00405A65
                                          • GetLastError.KERNEL32 ref: 00405A79
                                          • SetFileSecurityA.ADVAPI32(0000005C,80000007,00000001), ref: 00405A8E
                                          • GetLastError.KERNEL32 ref: 00405A98
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2191013243.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.2190998009.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2191030062.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2191048241.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2191048241.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2191048241.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2191048241.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2191138576.0000000000436000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_yDoZVwXSMG.jbxd
                                          Similarity
                                          • API ID: ErrorLast$CreateDirectoryFileSecurity
                                          • String ID:
                                          • API String ID: 3449924974-0
                                          • Opcode ID: b4292ae52da0fc50f84fd512a3e5f3cdca8938f352655cb7b0d8c38ac6c39cdd
                                          • Instruction ID: 8b3c49f02a17c259515d84f04faf51af5275248166455e8be91c75529944b3c1
                                          • Opcode Fuzzy Hash: b4292ae52da0fc50f84fd512a3e5f3cdca8938f352655cb7b0d8c38ac6c39cdd
                                          • Instruction Fuzzy Hash: 77010871D00619DADF009BA0D944BEFBBB8EB04344F00853AD545B6190D77896088F99

                                          Control-flow Graph
                                          control_flow_graph 410 405ad4-405b01 CreateProcessA 411 405b03-405b0c CloseHandle 410->411 412 405b0f-405b10 410->412 411->412
                                          APIs
                                          • CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00423DE0,Error launching installer), ref: 00405AF9
                                          • CloseHandle.KERNEL32(?), ref: 00405B06
                                          Strings
                                          • Error launching installer, xrefs: 00405AE7
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2191013243.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.2190998009.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2191030062.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2191048241.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2191048241.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2191048241.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2191048241.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2191138576.0000000000436000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_yDoZVwXSMG.jbxd
                                          Similarity
                                          • API ID: CloseCreateHandleProcess
                                          • String ID: Error launching installer
                                          • API String ID: 3712363035-66219284
                                          • Opcode ID: 3b66473eb4771c68d0353ea43fb647f521c8516ae3fc4b703c5bf4ba3abd35a8
                                          • Instruction ID: 1d70755ca8eb642d96ec23e61d28b209352ba4559abde40ea63553acab106949
                                          • Opcode Fuzzy Hash: 3b66473eb4771c68d0353ea43fb647f521c8516ae3fc4b703c5bf4ba3abd35a8
                                          • Instruction Fuzzy Hash: 1DE0ECB4610209ABDB10DF65ED09EAF7BBCEB00345F808435A915E2150E779E514CA68

                                          Control-flow Graph
                                          control_flow_graph 413 406eeb-406ef1 414 406ef3-406ef5 413->414 415 406ef6-406f14 413->415 414->415 416 407122-407137 415->416 417 4071e7-4071f4 415->417 418 407151-407167 416->418 419 407139-40714f 416->419 420 40721e-407222 417->420 421 40716a-407171 418->421 419->421 422 407282-407295 420->422 423 407224-407245 420->423 424 407173-407177 421->424 425 407198 421->425 426 40719e-4071a4 422->426 427 407247-40725c 423->427 428 40725e-407271 423->428 430 407326-407330 424->430 431 40717d-407195 424->431 425->426 435 407351 426->435 436 406949 426->436 429 407274-40727b 427->429 428->429 433 40721b 429->433 434 40727d 429->434 437 40733c-40734f 430->437 431->425 433->420 449 407200-407218 434->449 450 407332 434->450 443 407354-407358 435->443 439 406950-406954 436->439 440 406a90-406ab1 436->440 441 4069f5-4069f9 436->441 442 406a65-406a69 436->442 437->443 439->437 446 40695a-406967 439->446 440->416 444 4072a5-4072af 441->444 445 4069ff-406a18 441->445 447 4072b4-4072be 442->447 448 406a6f-406a83 442->448 444->437 451 406a1b-406a1f 445->451 446->435 452 40696d-4069b3 446->452 447->437 453 406a86-406a8e 448->453 449->433 450->437 451->441 454 406a21-406a27 451->454 455 4069b5-4069b9 452->455 456 4069db-4069dd 452->456 453->440 453->442 457 406a51-406a63 454->457 458 406a29-406a30 454->458 459 4069c4-4069d2 GlobalAlloc 455->459 460 4069bb-4069be GlobalFree 455->460 461 4069eb-4069f3 456->461 462 4069df-4069e9 456->462 457->453 463 406a32-406a35 GlobalFree 458->463 464 406a3b-406a4b GlobalAlloc 458->464 459->435 465 4069d8 459->465 460->459 461->451 462->461 462->462 463->464 464->435 464->457 465->456
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2191013243.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.2190998009.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2191030062.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2191048241.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2191048241.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2191048241.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2191048241.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2191138576.0000000000436000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_yDoZVwXSMG.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 684942fe2b15b730065f226559e9be9e555d3a3d5e7fc0d9885530a7e2266171
                                          • Instruction ID: 8000226e84d3b017bc6d44c3bedd15163eea413bd8593d328e7b0baad47f3587
                                          • Opcode Fuzzy Hash: 684942fe2b15b730065f226559e9be9e555d3a3d5e7fc0d9885530a7e2266171
                                          • Instruction Fuzzy Hash: 58A15371E04229CBDF28CFA8C8447ADBBB1FB44305F15806ED856BB281D7786A86DF45

                                          Control-flow Graph
                                          control_flow_graph 466 4070ec-4070f0 467 407112-40711f 466->467 468 4070f2-4071f4 466->468 470 407122-407137 467->470 478 40721e-407222 468->478 471 407151-407167 470->471 472 407139-40714f 470->472 474 40716a-407171 471->474 472->474 476 407173-407177 474->476 477 407198 474->477 479 407326-407330 476->479 480 40717d-407195 476->480 481 40719e-4071a4 477->481 482 407282-407295 478->482 483 407224-407245 478->483 485 40733c-40734f 479->485 480->477 489 407351 481->489 490 406949 481->490 482->481 486 407247-40725c 483->486 487 40725e-407271 483->487 491 407354-407358 485->491 488 407274-40727b 486->488 487->488 492 40721b 488->492 493 40727d 488->493 489->491 494 406950-406954 490->494 495 406a90-406ab1 490->495 496 4069f5-4069f9 490->496 497 406a65-406a69 490->497 492->478 506 407200-407218 493->506 507 407332 493->507 494->485 501 40695a-406967 494->501 495->470 498 4072a5-4072af 496->498 499 4069ff-406a18 496->499 502 4072b4-4072be 497->502 503 406a6f-406a83 497->503 498->485 504 406a1b-406a1f 499->504 501->489 505 40696d-4069b3 501->505 502->485 508 406a86-406a8e 503->508 504->496 509 406a21-406a27 504->509 510 4069b5-4069b9 505->510 511 4069db-4069dd 505->511 506->492 507->485 508->495 508->497 512 406a51-406a63 509->512 513 406a29-406a30 509->513 514 4069c4-4069d2 GlobalAlloc 510->514 515 4069bb-4069be GlobalFree 510->515 516 4069eb-4069f3 511->516 517 4069df-4069e9 511->517 512->508 518 406a32-406a35 GlobalFree 513->518 519 406a3b-406a4b GlobalAlloc 513->519 514->489 520 4069d8 514->520 515->514 516->504 517->516 517->517 518->519 519->489 519->512 520->511
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2191013243.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.2190998009.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2191030062.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2191048241.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2191048241.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2191048241.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2191048241.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2191138576.0000000000436000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_yDoZVwXSMG.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 6bde7381304b81b3e09b27403b539467510d0fe95a90e5b4d7cfee1ed51f2236
                                          • Instruction ID: 759a5e24e10d50352dbc8de058c790801aa45a8a44818c86e8f054c705910e48
                                          • Opcode Fuzzy Hash: 6bde7381304b81b3e09b27403b539467510d0fe95a90e5b4d7cfee1ed51f2236
                                          • Instruction Fuzzy Hash: 1F913470D04229CBEF28CF98C8447ADBBB1FB44305F15816ED856BB281C778AA86DF45

                                          Control-flow Graph
                                          control_flow_graph 521 406e02-406e06 522 406e0c-406e10 521->522 523 406ebd-406ecc 521->523 525 407351 522->525 526 406e16-406e2a 522->526 524 407122-407137 523->524 527 407151-407167 524->527 528 407139-40714f 524->528 531 407354-407358 525->531 529 4072f0-4072fa 526->529 530 406e30-406e39 526->530 532 40716a-407171 527->532 528->532 535 40733c-40734f 529->535 533 406e3b 530->533 534 406e3e-406e6e 530->534 536 407173-407177 532->536 537 407198-4071a4 532->537 533->534 534->523 542 40693a-406943 534->542 535->531 539 407326-407330 536->539 540 40717d-407195 536->540 537->542 539->535 540->537 542->525 543 406949 542->543 544 406950-406954 543->544 545 406a90-406ab1 543->545 546 4069f5-4069f9 543->546 547 406a65-406a69 543->547 544->535 550 40695a-406967 544->550 545->524 548 4072a5-4072af 546->548 549 4069ff-406a18 546->549 551 4072b4-4072be 547->551 552 406a6f-406a83 547->552 548->535 553 406a1b-406a1f 549->553 550->525 554 40696d-4069b3 550->554 551->535 555 406a86-406a8e 552->555 553->546 556 406a21-406a27 553->556 557 4069b5-4069b9 554->557 558 4069db-4069dd 554->558 555->545 555->547 559 406a51-406a63 556->559 560 406a29-406a30 556->560 561 4069c4-4069d2 GlobalAlloc 557->561 562 4069bb-4069be GlobalFree 557->562 563 4069eb-4069f3 558->563 564 4069df-4069e9 558->564 559->555 565 406a32-406a35 GlobalFree 560->565 566 406a3b-406a4b GlobalAlloc 560->566 561->525 567 4069d8 561->567 562->561 563->553 564->563 564->564 565->566 566->525 566->559 567->558
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2191013243.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.2190998009.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2191030062.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2191048241.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2191048241.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2191048241.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2191048241.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2191138576.0000000000436000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_yDoZVwXSMG.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: e39de615352b626232416b4053d525421749ef36ddd4b9844f136144ab3fe8ed
                                          • Instruction ID: 1b2002c04af769fb6654495406821102eaccec2ab4c63d4c1d8c12c5004552e8
                                          • Opcode Fuzzy Hash: e39de615352b626232416b4053d525421749ef36ddd4b9844f136144ab3fe8ed
                                          • Instruction Fuzzy Hash: B7815671E04228CFDF24CFA9C8447ADBBB1FB44305F25816AD856BB281C7389986DF55

                                          Control-flow Graph
                                          control_flow_graph 568 406907-40692a 569 406934-406937 568->569 570 40692c-40692f 568->570 572 40693a-406943 569->572 571 407354-407358 570->571 573 407351 572->573 574 406949 572->574 573->571 575 406950-406954 574->575 576 406a90-407137 574->576 577 4069f5-4069f9 574->577 578 406a65-406a69 574->578 581 40695a-406967 575->581 582 40733c-40734f 575->582 586 407151-407167 576->586 587 407139-40714f 576->587 579 4072a5-4072af 577->579 580 4069ff-406a18 577->580 583 4072b4-4072be 578->583 584 406a6f-406a83 578->584 579->582 588 406a1b-406a1f 580->588 581->573 589 40696d-4069b3 581->589 582->571 583->582 590 406a86-406a8e 584->590 591 40716a-407171 586->591 587->591 588->577 592 406a21-406a27 588->592 593 4069b5-4069b9 589->593 594 4069db-4069dd 589->594 590->576 590->578 595 407173-407177 591->595 596 407198-4071a4 591->596 597 406a51-406a63 592->597 598 406a29-406a30 592->598 599 4069c4-4069d2 GlobalAlloc 593->599 600 4069bb-4069be GlobalFree 593->600 601 4069eb-4069f3 594->601 602 4069df-4069e9 594->602 603 407326-407330 595->603 604 40717d-407195 595->604 596->572 597->590 606 406a32-406a35 GlobalFree 598->606 607 406a3b-406a4b GlobalAlloc 598->607 599->573 608 4069d8 599->608 600->599 601->588 602->601 602->602 603->582 604->596 606->607 607->573 607->597 608->594
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2191013243.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.2190998009.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2191030062.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2191048241.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2191048241.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2191048241.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2191048241.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2191138576.0000000000436000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_yDoZVwXSMG.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 509badd97ca0faa3f5d71b944ab43e2a447e2d4a76e4aeed0a6ea4a78de18d41
                                          • Instruction ID: 61fe4de2002a16c4612afb9d07323b890c67664fa2f3b9718a96419d1d375b0a
                                          • Opcode Fuzzy Hash: 509badd97ca0faa3f5d71b944ab43e2a447e2d4a76e4aeed0a6ea4a78de18d41
                                          • Instruction Fuzzy Hash: 42819971D04228DBEF24CFA9C8447ADBBB0FB44305F15816AD856BB2C1C778698ADF45

                                          Control-flow Graph
                                          control_flow_graph 609 406d55-406d59 610 406d77-406dba 609->610 611 406d5b-406d72 609->611 612 407122-407137 610->612 611->612 613 407151-407167 612->613 614 407139-40714f 612->614 615 40716a-407171 613->615 614->615 616 407173-407177 615->616 617 407198-4071a4 615->617 618 407326-407330 616->618 619 40717d-407195 616->619 623 407351 617->623 624 406949 617->624 622 40733c-40734f 618->622 619->617 625 407354-407358 622->625 623->625 626 406950-406954 624->626 627 406a90-406ab1 624->627 628 4069f5-4069f9 624->628 629 406a65-406a69 624->629 626->622 632 40695a-406967 626->632 627->612 630 4072a5-4072af 628->630 631 4069ff-406a18 628->631 633 4072b4-4072be 629->633 634 406a6f-406a83 629->634 630->622 635 406a1b-406a1f 631->635 632->623 636 40696d-4069b3 632->636 633->622 637 406a86-406a8e 634->637 635->628 638 406a21-406a27 635->638 639 4069b5-4069b9 636->639 640 4069db-4069dd 636->640 637->627 637->629 641 406a51-406a63 638->641 642 406a29-406a30 638->642 643 4069c4-4069d2 GlobalAlloc 639->643 644 4069bb-4069be GlobalFree 639->644 645 4069eb-4069f3 640->645 646 4069df-4069e9 640->646 641->637 647 406a32-406a35 GlobalFree 642->647 648 406a3b-406a4b GlobalAlloc 642->648 643->623 649 4069d8 643->649 644->643 645->635 646->645 646->646 647->648 648->623 648->641 649->640
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2191013243.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.2190998009.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2191030062.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2191048241.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2191048241.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2191048241.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2191048241.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2191138576.0000000000436000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_yDoZVwXSMG.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 234d8de6b1a4825162bd56f0f275484faa6be4a536daf5717bc33d46969e13ad
                                          • Instruction ID: 41aba942b39599c1692c10913d65046045a3e4a9d9b4861b7f06a8ff37ecbfc8
                                          • Opcode Fuzzy Hash: 234d8de6b1a4825162bd56f0f275484faa6be4a536daf5717bc33d46969e13ad
                                          • Instruction Fuzzy Hash: E0713471E04228CBDF24CFA9C8447ADBBB1FB44305F15806AD856BB281D738A986DF15
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2191013243.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.2190998009.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2191030062.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2191048241.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2191048241.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2191048241.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2191048241.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2191138576.0000000000436000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_yDoZVwXSMG.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: cb9a1c794173ec10a6f2dd2a1ae7cf519846913fbb24b072de2017ae18864e5d
                                          • Instruction ID: dbd92b475a9d0607fb1399eb60c35f34c7c8d9ad23197981acbd8ddbf59fdd3c
                                          • Opcode Fuzzy Hash: cb9a1c794173ec10a6f2dd2a1ae7cf519846913fbb24b072de2017ae18864e5d
                                          • Instruction Fuzzy Hash: AD714671E04228CBEF28CFA9C8447ADBBB1FF44305F15806AD816BB281C7389986DF55
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2191013243.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.2190998009.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2191030062.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2191048241.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2191048241.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2191048241.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2191048241.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2191138576.0000000000436000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_yDoZVwXSMG.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 5f551091bef97c8d90c96c086bb2fc810a191328d3c3cc4ee86ad8ead6d95e62
                                          • Instruction ID: 13446529a524af4b77d0006a34a1fb508395f1689c279074a8e075742fa5827d
                                          • Opcode Fuzzy Hash: 5f551091bef97c8d90c96c086bb2fc810a191328d3c3cc4ee86ad8ead6d95e62
                                          • Instruction Fuzzy Hash: CB715671E04229CBEF28CF99C8447ADBBB1FF44305F15806AD856BB281C738A986DF45
                                          APIs
                                          • GetModuleHandleA.KERNEL32(?,?,?,00403751,0000000D), ref: 0040681C
                                          • GetProcAddress.KERNEL32(00000000,?), ref: 00406837
                                            • Part of subcall function 0040679C: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 004067B3
                                            • Part of subcall function 0040679C: wsprintfA.USER32 ref: 004067EC
                                            • Part of subcall function 0040679C: LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 00406800
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2191013243.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.2190998009.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2191030062.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2191048241.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2191048241.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2191048241.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2191048241.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2191138576.0000000000436000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_yDoZVwXSMG.jbxd
                                          Similarity
                                          • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                                          • String ID:
                                          • API String ID: 2547128583-0
                                          • Opcode ID: 083705430d5324b24e59e10dde8fdff82b0167a66bb10dfc30ab61c16026ae4d
                                          • Instruction ID: 2e1db5b2244f9e248c95e3a508c771c14dc2457370c723657138356a2d20bfb7
                                          • Opcode Fuzzy Hash: 083705430d5324b24e59e10dde8fdff82b0167a66bb10dfc30ab61c16026ae4d
                                          • Instruction Fuzzy Hash: D0E086336052205AD6116B745D04D3772A8AED8640306483EF542F2040DB38AC32A769
                                          APIs
                                          • GetFileAttributesA.KERNELBASE(00000003,00403163,C:\Users\user\Desktop\yDoZVwXSMG.exe,80000000,00000003), ref: 00405FA8
                                          • CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405FCA
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2191013243.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.2190998009.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191030062.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191048241.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191048241.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191048241.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191048241.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191138576.0000000000436000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_yDoZVwXSMG.jbxd
                                          Similarity
                                          • API ID: File$AttributesCreate
                                          • String ID:
                                          • API String ID: 415043291-0
                                          • Opcode ID: 3674cab34e86c9bb6ed208021152f8156afda3d0a6d4448f29a7fe7eff01a41d
                                          • Instruction ID: 99f0ed0b6f71b5c4d8d0263110580a9bc7934fab7bfe8a8d35efac0e687f4850
                                          • Opcode Fuzzy Hash: 3674cab34e86c9bb6ed208021152f8156afda3d0a6d4448f29a7fe7eff01a41d
                                          • Instruction Fuzzy Hash: 92D09E31654301EFFF098F20DE1AF2E7AA2EB84B00F11952CB682941E0DA7158599B15
                                          APIs
                                          • CreateDirectoryA.KERNELBASE(?,00000000,004036DA,C:\Users\user\AppData\Local\Temp\~nsuA.tmp,C:\Users\user\AppData\Local\Temp\~nsuA.tmp,C:\Users\user\AppData\Local\Temp\~nsuA.tmp,C:\Users\user\AppData\Local\Temp\~nsuA.tmp,?,00403875), ref: 00405AA5
                                          • GetLastError.KERNEL32 ref: 00405AB3
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2191013243.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.2190998009.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191030062.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191048241.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191048241.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191048241.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191048241.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191138576.0000000000436000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_yDoZVwXSMG.jbxd
                                          Similarity
                                          • API ID: CreateDirectoryErrorLast
                                          • String ID:
                                          • API String ID: 1375471231-0
                                          • Opcode ID: c0568d1a9d7a863155f8f57caddbba729ce21e02ac4465172204c49bf694c3b9
                                          • Instruction ID: 6d60ce6c2c78029c12fb4c6437a0e11bbe6e9f07fee022c993a6326ceae282bd
                                          • Opcode Fuzzy Hash: c0568d1a9d7a863155f8f57caddbba729ce21e02ac4465172204c49bf694c3b9
                                          • Instruction Fuzzy Hash: 6FC04C30745A019AEA115B709F48B177960AB50781F15893A6146E11B1DA348455DD6D
                                          APIs
                                          • CloseHandle.KERNEL32(FFFFFFFF,?,0040392A,00000020), ref: 00403B16
                                          • CloseHandle.KERNEL32(FFFFFFFF,?,0040392A,00000020), ref: 00403B2A
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2191013243.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.2190998009.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191030062.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191048241.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191048241.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191048241.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191048241.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191138576.0000000000436000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_yDoZVwXSMG.jbxd
                                          Similarity
                                          • API ID: CloseHandle
                                          • String ID:
                                          • API String ID: 2962429428-0
                                          • Opcode ID: d0050b2195ef2e819ffde977c11754b421d184e7c458b58060b124be02b59d7b
                                          • Instruction ID: e4df60f3e1548bc6cc995373602d7fd8356d13b4c50c2791bd9444f9ca37880a
                                          • Opcode Fuzzy Hash: d0050b2195ef2e819ffde977c11754b421d184e7c458b58060b124be02b59d7b
                                          • Instruction Fuzzy Hash: E1E0463090072056C510EB7CBE4A8063A3C5B0233A7280B26F1B8B24F2CA3968924A59
                                          APIs
                                          • ReadFile.KERNELBASE(?,00000000,00000000,00000000,00414980,0040C980,00403572,00414980,00004000,?,00000000,?,004033FC,00000004,00000000,00000000), ref: 00403684
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2191013243.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.2190998009.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191030062.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191048241.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191048241.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191048241.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191048241.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191138576.0000000000436000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_yDoZVwXSMG.jbxd
                                          Similarity
                                          • API ID: FileRead
                                          • String ID:
                                          • API String ID: 2738559852-0
                                          • Opcode ID: 4ccc4bbe2abcb677344719b3a5d559962fdee24b46b0939c7a596c127dcbc5e6
                                          • Instruction ID: ffaae792c95b3e74212be0c0ac91cf90d2f7abdb703311f5376c9916736d2436
                                          • Opcode Fuzzy Hash: 4ccc4bbe2abcb677344719b3a5d559962fdee24b46b0939c7a596c127dcbc5e6
                                          • Instruction Fuzzy Hash: 46E08631150119BBDF215E51DC04E973B5CDB05365F008433F945E6250D576D6119B94
                                          APIs
                                          • SetFilePointer.KERNELBASE(00000000,00000000,00000000,0040334B,?), ref: 004036AD
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2191013243.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.2190998009.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191030062.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191048241.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191048241.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191048241.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191048241.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191138576.0000000000436000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_yDoZVwXSMG.jbxd
                                          Similarity
                                          • API ID: FilePointer
                                          • String ID:
                                          • API String ID: 973152223-0
                                          • Opcode ID: 10ef837ee4804bf9d7f3e3ca6725328f0d2a1cf4c29bc69e4f563ca935bf008a
                                          • Instruction ID: bbe28819b9c1f708c1bc01410fff550cfc21c648a57af447a5397392da283f69
                                          • Opcode Fuzzy Hash: 10ef837ee4804bf9d7f3e3ca6725328f0d2a1cf4c29bc69e4f563ca935bf008a
                                          • Instruction Fuzzy Hash: 02B01271240300BFEA128B00DF0AF057B72AB64700F108434B3C8380F08A721031DB0D
                                          APIs
                                          • GetDlgItem.USER32(?,00000403), ref: 004056E2
                                          • GetDlgItem.USER32(?,000003EE), ref: 004056F1
                                          • GetClientRect.USER32(?,?), ref: 00405749
                                          • GetSystemMetrics.USER32(00000015), ref: 00405751
                                          • SendMessageA.USER32(?,0000101B,00000000,00000002), ref: 00405772
                                          • SendMessageA.USER32(?,00001036,00004000,00004000), ref: 00405783
                                          • SendMessageA.USER32(?,00001001,00000000,00000110), ref: 00405796
                                          • SendMessageA.USER32(?,00001026,00000000,00000110), ref: 004057A4
                                          • SendMessageA.USER32(?,00001024,00000000,?), ref: 004057B7
                                          • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 004057D9
                                          • ShowWindow.USER32(?,00000008), ref: 004057ED
                                          • GetDlgItem.USER32(?,000003EC), ref: 0040580E
                                          • SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 0040581E
                                          • SendMessageA.USER32(00000000,00000409,00000000,?), ref: 00405837
                                          • SendMessageA.USER32(00000000,00002001,00000000,00000110), ref: 00405843
                                          • GetDlgItem.USER32(?,000003F8), ref: 00405700
                                            • Part of subcall function 004044D5: SendMessageA.USER32(00000028,?,00000001,00404306), ref: 004044E3
                                            • Part of subcall function 00406747: lstrlenA.KERNEL32(004253A0,?,?,00000000,00405D75,RMDir: RemoveDirectory("%s"),?,?,?), ref: 0040675E
                                            • Part of subcall function 00406747: wvsprintfA.USER32(00000000,004253A0,?), ref: 00406766
                                          • GetDlgItem.USER32(?,000003EC), ref: 00405860
                                          • CreateThread.KERNEL32(00000000,00000000,Function_000055FD,00000000), ref: 0040586E
                                          • CloseHandle.KERNEL32(00000000), ref: 00405875
                                          • ShowWindow.USER32(00000000), ref: 00405899
                                          • ShowWindow.USER32(?,00000008), ref: 0040589E
                                          • ShowWindow.USER32(00000008), ref: 004058E5
                                          • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405917
                                          • CreatePopupMenu.USER32 ref: 00405928
                                          • AppendMenuA.USER32(00000000,00000000,00000001,00000000), ref: 0040593D
                                          • GetWindowRect.USER32(?,?), ref: 00405950
                                          • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405974
                                          • SendMessageA.USER32(?,0000102D,00000000,?), ref: 004059AF
                                          • OpenClipboard.USER32(00000000), ref: 004059BF
                                          • EmptyClipboard.USER32 ref: 004059C5
                                          • GlobalAlloc.KERNEL32(00000042,?,?,?,00000000,?,00000000), ref: 004059CE
                                          • GlobalLock.KERNEL32(00000000), ref: 004059D8
                                          • SendMessageA.USER32(?,0000102D,00000000,?), ref: 004059EC
                                          • GlobalUnlock.KERNEL32(00000000), ref: 00405A04
                                          • SetClipboardData.USER32(00000001,00000000), ref: 00405A0F
                                          • CloseClipboard.USER32 ref: 00405A15
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2191013243.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.2190998009.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191030062.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191048241.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191048241.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191048241.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191048241.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191138576.0000000000436000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_yDoZVwXSMG.jbxd
                                          Similarity
                                          • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlocklstrlenwvsprintf
                                          • String ID: C:\Users\user\Desktop$New install of "%s" to "%s"${
                                          • API String ID: 430598769-860047555
                                          • Opcode ID: 6e77eacb8004290fe6ed722c867037a8234ca31613d18bea79517b39ef928cc2
                                          • Instruction ID: 2fba88bd0456375d88f597e1db9ec2698228ff227e9935e042ad6112b8d1c173
                                          • Opcode Fuzzy Hash: 6e77eacb8004290fe6ed722c867037a8234ca31613d18bea79517b39ef928cc2
                                          • Instruction Fuzzy Hash: 3DB16AB1900608FFDB11AF60DD89EAE3F78EB04354F50803AFA45BA1A0CB755952DF68
                                          APIs
                                          • GetDlgItem.USER32(?,000003F9), ref: 00404E91
                                          • GetDlgItem.USER32(?,00000408), ref: 00404E9E
                                          • GlobalAlloc.KERNEL32(00000040,?), ref: 00404EEA
                                          • LoadBitmapA.USER32(0000006E), ref: 00404EFD
                                          • SetWindowLongA.USER32(?,000000FC,0040547B), ref: 00404F17
                                          • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404F2B
                                          • ImageList_AddMasked.COMCTL32(00000000,?,00FF00FF), ref: 00404F3F
                                          • SendMessageA.USER32(?,00001109,00000002), ref: 00404F54
                                          • SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 00404F60
                                          • SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 00404F72
                                          • DeleteObject.GDI32(?), ref: 00404F77
                                          • SendMessageA.USER32(?,00000143,00000000,00000000), ref: 00404FA2
                                          • SendMessageA.USER32(?,00000151,00000000,00000000), ref: 00404FAE
                                          • SendMessageA.USER32(?,00001100,00000000,?), ref: 00405043
                                          • SendMessageA.USER32(?,0000110A,00000003,00000000), ref: 0040506E
                                          • SendMessageA.USER32(?,00001100,00000000,?), ref: 00405082
                                          • GetWindowLongA.USER32(?,000000F0), ref: 004050B1
                                          • SetWindowLongA.USER32(?,000000F0,00000000), ref: 004050BF
                                          • ShowWindow.USER32(?,00000005), ref: 004050D0
                                          • SendMessageA.USER32(?,00000419,00000000,?), ref: 004051D3
                                          • SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00405238
                                          • SendMessageA.USER32(?,00000150,00000000,00000000), ref: 0040524D
                                          • SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00405271
                                          • SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00405297
                                          • ImageList_Destroy.COMCTL32(?), ref: 004052AC
                                          • GlobalFree.KERNEL32(?), ref: 004052BC
                                          • SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 0040532C
                                          • SendMessageA.USER32(?,00001102,00000410,?), ref: 004053D5
                                          • SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 004053E4
                                          • InvalidateRect.USER32(?,00000000,00000001), ref: 00405404
                                          • ShowWindow.USER32(?,00000000), ref: 00405452
                                          • GetDlgItem.USER32(?,000003FE), ref: 0040545D
                                          • ShowWindow.USER32(00000000), ref: 00405464
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2191013243.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.2190998009.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191030062.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191048241.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191048241.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191048241.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191048241.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191138576.0000000000436000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_yDoZVwXSMG.jbxd
                                          Similarity
                                          • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                          • String ID: $M$N
                                          • API String ID: 1638840714-813528018
                                          • Opcode ID: ad34ad8691b17b25a9ccd6bb964da61cb4def815d2f23b5d4b3dc1c834c130e8
                                          • Instruction ID: c6f49fae16b786c00443764c83c26e904ee8db6dc28079495487e9681e8e48f0
                                          • Opcode Fuzzy Hash: ad34ad8691b17b25a9ccd6bb964da61cb4def815d2f23b5d4b3dc1c834c130e8
                                          • Instruction Fuzzy Hash: CD029B70A00608EFDB209F55DD45AAF7BB5FB84314F10817AF611BA2E1D7798A81CF58
                                          APIs
                                          • DeleteFileA.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\~nsuA.tmp,76232EE0), ref: 00405BB7
                                          • lstrcatA.KERNEL32(00422DE0,\*.*,00422DE0,?,00000000,?,C:\Users\user\AppData\Local\Temp\~nsuA.tmp,76232EE0), ref: 00405C01
                                          • lstrcatA.KERNEL32(?,0040A28C,?,00422DE0,?,00000000,?,C:\Users\user\AppData\Local\Temp\~nsuA.tmp,76232EE0), ref: 00405C22
                                          • lstrlenA.KERNEL32(?,?,0040A28C,?,00422DE0,?,00000000,?,C:\Users\user\AppData\Local\Temp\~nsuA.tmp,76232EE0), ref: 00405C28
                                          • FindFirstFileA.KERNEL32(00422DE0,?,?,?,0040A28C,?,00422DE0,?,00000000,?,C:\Users\user\AppData\Local\Temp\~nsuA.tmp,76232EE0), ref: 00405C39
                                          • FindNextFileA.KERNEL32(?,00000010,000000F2,?), ref: 00405D18
                                          • FindClose.KERNEL32(?), ref: 00405D29
                                          Strings
                                          • C:\Users\user\AppData\Local\Temp\~nsuA.tmp, xrefs: 00405BA3
                                          • Delete: DeleteFile failed("%s"), xrefs: 00405CF3
                                          • Delete: DeleteFile("%s"), xrefs: 00405CB1
                                          • "C:\Users\user\Desktop\yDoZVwXSMG.exe", xrefs: 00405B99
                                          • RMDir: RemoveDirectory on Reboot("%s"), xrefs: 00405D8F
                                          • \*.*, xrefs: 00405BFB
                                          • RMDir: RemoveDirectory failed("%s"), xrefs: 00405DAC
                                          • -B, xrefs: 00405BEB
                                          • Delete: DeleteFile on Reboot("%s"), xrefs: 00405CD5
                                          • RMDir: RemoveDirectory invalid input("%s"), xrefs: 00405D47
                                          • RMDir: RemoveDirectory("%s"), xrefs: 00405D6B
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2191013243.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.2190998009.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191030062.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191048241.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191048241.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191048241.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191048241.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191138576.0000000000436000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_yDoZVwXSMG.jbxd
                                          Similarity
                                          • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                          • String ID: "C:\Users\user\Desktop\yDoZVwXSMG.exe"$C:\Users\user\AppData\Local\Temp\~nsuA.tmp$Delete: DeleteFile failed("%s")$Delete: DeleteFile on Reboot("%s")$Delete: DeleteFile("%s")$RMDir: RemoveDirectory failed("%s")$RMDir: RemoveDirectory invalid input("%s")$RMDir: RemoveDirectory on Reboot("%s")$RMDir: RemoveDirectory("%s")$\*.*$-B
                                          • API String ID: 2035342205-2775081914
                                          • Opcode ID: d9e794bf4db949f9f167c4bc40a366908cc29f2bcc61605d68bee47b05557f6f
                                          • Instruction ID: 9491e254326f547fd3688dea50c8b6e7d0e4d1d5e1860c78739179a064ac5d31
                                          • Opcode Fuzzy Hash: d9e794bf4db949f9f167c4bc40a366908cc29f2bcc61605d68bee47b05557f6f
                                          • Instruction Fuzzy Hash: DE51E330508B4469EB216B219D4ABBF3B69CF42728F24803FF842751D2DB7C5981CE6E
                                          APIs
                                          • GetDlgItem.USER32(?,000003F0), ref: 0040492F
                                          • IsDlgButtonChecked.USER32(?,000003F0), ref: 0040493D
                                          • GetDlgItem.USER32(?,000003FB), ref: 0040495D
                                          • GetAsyncKeyState.USER32(00000010), ref: 00404964
                                          • GetDlgItem.USER32(?,000003F0), ref: 00404973
                                          • ShowWindow.USER32(00000000,00000008,?,00000008,000000E0), ref: 00404984
                                          • SetWindowTextA.USER32(?,?), ref: 004049B3
                                          • SHBrowseForFolderA.SHELL32(?,004219C0,?), ref: 00404A6A
                                          • lstrcmpiA.KERNEL32(C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Zu_.exe,00421DD8), ref: 00404AA7
                                          • lstrcatA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Zu_.exe), ref: 00404AB3
                                          • SetDlgItemTextA.USER32(?,000003FB,?), ref: 00404AC3
                                          • CoTaskMemFree.OLE32(00000000), ref: 00404A75
                                            • Part of subcall function 00405B19: GetDlgItemTextA.USER32(?,?,00000400,00404AF6), ref: 00405B2C
                                            • Part of subcall function 0040652F: CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\yDoZVwXSMG.exe",C:\Users\user\AppData\Local\Temp\~nsuA.tmp,C:\Users\user\AppData\Local\Temp\~nsuA.tmp,00000000,004036C2,C:\Users\user\AppData\Local\Temp\~nsuA.tmp,?,00403875), ref: 00406587
                                            • Part of subcall function 0040652F: CharNextA.USER32(?,?,?,00000000), ref: 00406594
                                            • Part of subcall function 0040652F: CharNextA.USER32(?,"C:\Users\user\Desktop\yDoZVwXSMG.exe",C:\Users\user\AppData\Local\Temp\~nsuA.tmp,C:\Users\user\AppData\Local\Temp\~nsuA.tmp,00000000,004036C2,C:\Users\user\AppData\Local\Temp\~nsuA.tmp,?,00403875), ref: 00406599
                                            • Part of subcall function 0040652F: CharPrevA.USER32(?,?,C:\Users\user\AppData\Local\Temp\~nsuA.tmp,C:\Users\user\AppData\Local\Temp\~nsuA.tmp,00000000,004036C2,C:\Users\user\AppData\Local\Temp\~nsuA.tmp,?,00403875), ref: 004065A9
                                            • Part of subcall function 00403BF6: lstrcatA.KERNEL32(00000000,00000000,00424780,C:\Users\user\Desktop,install.log,00403D69,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\nsfC6FF.tmp,00421DD8,80000001,Control Panel\Desktop\ResourceLocale,00000000,00421DD8,00000000,00000003), ref: 00403C11
                                          • GetDiskFreeSpaceA.KERNEL32(004215B0,?,?,0000040F,?,004215B0,004215B0,?,00000001,004215B0,?,?,000003FB,?), ref: 00404B7C
                                          • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404B97
                                          • SetDlgItemTextA.USER32(00000000,00000400,00420D98), ref: 00404C29
                                            • Part of subcall function 00404CF0: lstrlenA.KERNEL32(00421DD8,00421DD8,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404C0B,000000DF,004215B0,00000400,00000000), ref: 00404D8E
                                            • Part of subcall function 00404CF0: wsprintfA.USER32 ref: 00404D96
                                            • Part of subcall function 00404CF0: SetDlgItemTextA.USER32(?,00421DD8), ref: 00404DA9
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2191013243.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.2190998009.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191030062.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191048241.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191048241.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191048241.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191048241.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191138576.0000000000436000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_yDoZVwXSMG.jbxd
                                          Similarity
                                          • API ID: Item$Text$Char$Next$FreeWindowlstrcat$AsyncBrowseButtonCheckedDiskFolderPrevShowSpaceStateTasklstrcmpilstrlenwsprintf
                                          • String ID: A$C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Zu_.exe$C:\Users\user\Desktop
                                          • API String ID: 323400435-2674471988
                                          • Opcode ID: 78c65bc590c1e235ef7a73e704ad4c428552a7094b56534d9291f6bd5556b852
                                          • Instruction ID: 53e1309a436ec8c8103ef3d9cb40cdd2e0d9dedad5aabb53aa7134592e3a1e93
                                          • Opcode Fuzzy Hash: 78c65bc590c1e235ef7a73e704ad4c428552a7094b56534d9291f6bd5556b852
                                          • Instruction Fuzzy Hash: B7B172B1A00218ABDB10AFA5CD85B9F7AB8EF84314F10843FF605B62D1D7789941CB6D
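The GetAsyncKeyState call in this function is the one a sandbox reports as keystroke retrieval. Its only argument is 00000010, which is VK_SHIFT, and it is reached once from a dialog handler alongside GetDlgItem, IsDlgButtonChecked and SHBrowseForFolderA; that is consistent with a modifier-key check, not with polling the keyboard. The script below is an added example written for this page, not Joe Sandbox code. It parses API lines in the report's own "Api.MODULE(args), ref: ADDRESS" notation (where "?" marks a value the sandbox could not resolve) and separates that pattern from a polling loop. The first listing is copied from the function above; the second is constructed for contrast, and the call-count threshold is this example's assumption.

```python
"""Triage GetAsyncKeyState/GetKeyState usage in a Joe Sandbox-style API listing.

Added example for this report, not Joe Sandbox code.  The line format
"Api.MODULE(arg,arg,...), ref: ADDRESS" follows the listing above; the
thresholds in triage_keystroke_checks() are this example's assumptions.
"""
import re

# Virtual-key codes of modifier keys: VK_SHIFT, VK_CONTROL, VK_MENU and
# their left/right variants VK_LSHIFT .. VK_RMENU.
MODIFIER_VKS = {0x10, 0x11, 0x12, 0xA0, 0xA1, 0xA2, 0xA3, 0xA4, 0xA5}

KEYSTROKE_APIS = {"GetAsyncKeyState", "GetKeyState"}

# Arguments are optional (the report shows "wsprintfA.USER32 ref: ...") and
# "?" marks a value the sandbox could not resolve, i.e. a variable.
API_LINE = re.compile(
    r"(?P<api>\w+)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>.*)\))?,?\s*\bref:\s*(?P<ref>[0-9A-Fa-f]{8})"
)


def parse_api_lines(text):
    """Return (api, module, args, ref) for every API line; other lines
    (section headers, strings, memory dump sources) are skipped."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.search(line)
        if not m:
            continue
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw else []
        calls.append((m.group("api"), m.group("module"), args, m.group("ref")))
    return calls


def key_code(args):
    """First argument as an int virtual-key code, or None when unresolved."""
    if not args or args[0] == "?":
        return None
    try:
        return int(args[0], 16)
    except ValueError:
        return None


def triage_keystroke_checks(text):
    """Classify keystroke-API usage in one function listing.

    verdict 'none'           no GetAsyncKeyState/GetKeyState call
            'modifier-check' at most three calls, all with literal modifier
                             keys: UI code reacting to Shift/Ctrl/Alt
            'suspicious'     a variable key argument (polling loop), a
                             non-modifier key, or more than three calls
    """
    keys, unresolved, calls = [], 0, 0
    for api, _module, args, _ref in parse_api_lines(text):
        if api not in KEYSTROKE_APIS:
            continue
        calls += 1
        code = key_code(args)
        if code is None:
            unresolved += 1
        else:
            keys.append(code)
    if calls == 0:
        verdict = "none"
    elif unresolved == 0 and calls <= 3 and all(k in MODIFIER_VKS for k in keys):
        verdict = "modifier-check"
    else:
        verdict = "suspicious"
    return {"calls": calls, "keys": keys, "unresolved": unresolved, "verdict": verdict}


# Lines copied from the directory-page function above (ref 0040492F ...).
REPORT_DIR_PAGE = """\
• GetDlgItem.USER32(?,000003F0), ref: 0040492F
• IsDlgButtonChecked.USER32(?,000003F0), ref: 0040493D
• GetDlgItem.USER32(?,000003FB), ref: 0040495D
• GetAsyncKeyState.USER32(00000010), ref: 00404964
• GetDlgItem.USER32(?,000003F0), ref: 00404973
• ShowWindow.USER32(00000000,00000008,?,00000008,000000E0), ref: 00404984
  • Part of subcall function 00404CF0: wsprintfA.USER32 ref: 00404D96
"""

# Constructed listing (hypothetical, not from this sample): the key code
# comes from a register and the loop sleeps between passes.
CONSTRUCTED_POLLER = """\
• GetAsyncKeyState.USER32(?), ref: 00401234
• GetKeyState.USER32(00000014), ref: 00401240
• Sleep.KERNEL32(0000000A), ref: 00401250
"""

if __name__ == "__main__":
    for name, listing in (("report", REPORT_DIR_PAGE), ("constructed", CONSTRUCTED_POLLER)):
        print(name, triage_keystroke_checks(listing))
```

The verdict only uses what the listing shows: a literal modifier key queried a few times from a dialog routine versus a variable key argument, which is the shape of a loop over every key code. Pasting a function's "APIs" section from the report into REPORT_DIR_PAGE is enough to re-run the check on another function.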
                                          APIs
                                          • CoCreateInstance.OLE32(00408400,?,00000001,004083F0,?), ref: 00402371
                                          • MultiByteToWideChar.KERNEL32(?,?,?,000000FF,0040ACA8,00000400,?,00000001,004083F0,?), ref: 00402429
                                          Strings
                                          • CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d, xrefs: 00402353
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2191013243.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.2190998009.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191030062.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191048241.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191048241.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191048241.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191048241.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191138576.0000000000436000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_yDoZVwXSMG.jbxd
                                          Similarity
                                          • API ID: ByteCharCreateInstanceMultiWide
                                          • String ID: CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d
                                          • API String ID: 123533781-1377821865
                                          • Opcode ID: 54b1373629e2dc9903f390fa01b200151b173b83ed300e94aca67dfa06e08d4e
                                          • Instruction ID: 458830b68615384cc5dcfd7975f20282d1088c50676892df8a4bfa2d63e4f4ae
                                          • Opcode Fuzzy Hash: 54b1373629e2dc9903f390fa01b200151b173b83ed300e94aca67dfa06e08d4e
                                          • Instruction Fuzzy Hash: A2515D71A00105BFCB04DFA4CD88DAE7BB5EF44314B20416AF815EB2D1DBB99941CB64
                                          APIs
                                          • FindFirstFileA.KERNEL32(?,00423E28,004231E0,00405EE4,004231E0,004231E0,00000000,004231E0,004231E0,?,?,76232EE0,00405BAD,?,C:\Users\user\AppData\Local\Temp\~nsuA.tmp,76232EE0), ref: 00406780
                                          • FindClose.KERNEL32(00000000), ref: 0040678C
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2191013243.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.2190998009.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191030062.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191048241.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191048241.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191048241.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191048241.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191138576.0000000000436000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_yDoZVwXSMG.jbxd
                                          Similarity
                                          • API ID: Find$CloseFileFirst
                                          • String ID: (>B
                                          • API String ID: 2295610775-269022603
                                          • Opcode ID: 831b1997f9f916c35f8a1434769a77bffab4373bf7aed33ff049e2637960da6e
                                          • Instruction ID: b63e9011ec8c2b29868c80016797e029c48760d48fef13a3cdc6f45c5aca086a
                                          • Opcode Fuzzy Hash: 831b1997f9f916c35f8a1434769a77bffab4373bf7aed33ff049e2637960da6e
                                          • Instruction Fuzzy Hash: 31D012315141306BC6505F386E0C84B7AD89F593363628B36F46AF61E0CB388C6286A9
                                          APIs
                                          • FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 00402A93
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2191013243.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.2190998009.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191030062.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191048241.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191048241.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191048241.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191048241.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191138576.0000000000436000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_yDoZVwXSMG.jbxd
                                          Similarity
                                          • API ID: FileFindFirst
                                          • String ID:
                                          • API String ID: 1974802433-0
                                          • Opcode ID: b25bffc5d1a8db0066b663ac743355f19798926255be00f41aca0f60a6b0e191
                                          • Instruction ID: 1c0e8fb98d7fe62c5c3da10d8ea296ad93fcee16e05e3a722bccc70f37f90231
                                          • Opcode Fuzzy Hash: b25bffc5d1a8db0066b663ac743355f19798926255be00f41aca0f60a6b0e191
                                          • Instruction Fuzzy Hash: 77F0A032544101AAD710EBA4EE499FEB7689F64328FA004BFE101F20C1D7BC49469A2E
                                          APIs
                                          • PostQuitMessage.USER32(00000000), ref: 004014D5
                                          • Sleep.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00401541
                                          • SetForegroundWindow.USER32(?), ref: 0040155A
                                          • ShowWindow.USER32(?), ref: 004015E1
                                          • ShowWindow.USER32(?), ref: 004015F5
                                          • SetFileAttributesA.KERNEL32(00000000,?,?,000000F0), ref: 0040161A
                                          • SetCurrentDirectoryA.KERNEL32(00000000,0042C800,00000000,000000E6,00000000,?,?,000000F0,?,000000F0), ref: 00401706
                                          • GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 00401714
                                          • MoveFileA.KERNEL32(00000000,?), ref: 004017A6
                                          • GetFullPathNameA.KERNEL32(00000000,00000400,00000000,?,00000000,000000E3,?,00000000,00000000,00000000,0000005C,00000000,?,?,000000F0), ref: 00401806
                                          • GetShortPathNameA.KERNEL32(00000000,00000000,00000400), ref: 0040184C
                                          • SearchPathA.KERNEL32(00000000,00000000,00000000,00000400,00000000,?,000000FF,?,00000000,00000000,00000000,0000005C,00000000,?,?,000000F0), ref: 0040186B
                                          Strings
                                          • SetFileAttributes failed., xrefs: 0040162F
                                          • Rename: %s, xrefs: 00401796
                                          • IfFileExists: file "%s" does not exist, jumping %d, xrefs: 00401764
                                          • CreateDirectory: "%s" (%d), xrefs: 0040164B
                                          • Jump: %d, xrefs: 00401490
                                          • Rename on reboot: %s, xrefs: 004017D7
                                          • IfFileExists: file "%s" exists, jumping %d, xrefs: 0040174E
                                          • Call: %d, xrefs: 004014EA
                                          • Rename failed: %s, xrefs: 004017E9
                                          • SetFileAttributes: "%s":%08X, xrefs: 00401609
                                          • CreateDirectory: "%s" created, xrefs: 004016D4
                                          • CreateDirectory: can't create "%s" - a file already exists, xrefs: 004016C4
                                          • BringToFront, xrefs: 0040154C
                                          • Sleep(%d), xrefs: 0040152C
                                          • Aborting: "%s", xrefs: 004014AB
                                          • SetCurrentDirectory(%s) failed (%d), xrefs: 0040171C
                                          • detailprint: %s, xrefs: 00401509
                                          • CreateDirectory: can't create "%s" (err=%d), xrefs: 004016A6
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2191013243.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.2190998009.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191030062.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191048241.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191048241.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191048241.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191048241.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191138576.0000000000436000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_yDoZVwXSMG.jbxd
                                          Similarity
                                          • API ID: PathWindow$FileNameShow$AttributesCurrentDirectoryErrorForegroundFullLastMessageMovePostQuitSearchShortSleep
                                          • String ID: Aborting: "%s"$BringToFront$Call: %d$CreateDirectory: "%s" (%d)$CreateDirectory: "%s" created$CreateDirectory: can't create "%s" (err=%d)$CreateDirectory: can't create "%s" - a file already exists$IfFileExists: file "%s" does not exist, jumping %d$IfFileExists: file "%s" exists, jumping %d$Jump: %d$Rename failed: %s$Rename on reboot: %s$Rename: %s$SetCurrentDirectory(%s) failed (%d)$SetFileAttributes failed.$SetFileAttributes: "%s":%08X$Sleep(%d)$detailprint: %s
                                          • API String ID: 1463463071-1581295400
                                          • Opcode ID: a01a94291aaa17a9f8ddfe9b1d95d566d5442128b45f80725a0d66aef6891e2c
                                          • Instruction ID: cd94397812fa9254d581f5ff6aeb3ca49ce95be99e6962c7f7d93c7b36d86e40
                                          • Opcode Fuzzy Hash: a01a94291aaa17a9f8ddfe9b1d95d566d5442128b45f80725a0d66aef6891e2c
                                          • Instruction Fuzzy Hash: CBB11671904200BFDB146BA1DD4AEAF36B8AF08318B25053FF841B72D1DBBD5D418A6E
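"Rename on reboot: %s" in this function and "Delete: DeleteFile on Reboot" in the first block above are the log lines for file operations deferred until the next restart. On Windows such an operation is scheduled with MoveFileEx and MOVEFILE_DELAY_UNTIL_REBOOT, which appends a source/destination pair to the REG_MULTI_SZ value PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager; an empty destination means delete and a destination starting with "!" means replace an existing file. An analyst who sees these strings wants to know what the sample actually queued there. The script below is an added example for this page, not sandbox output: it decodes that value from its raw bytes, pairs the entries up and flags anything outside the expected temp directory or aimed at a system directory. The sample value, the directory prefixes and the heuristic are constructed assumptions.

```python
"""Decode PendingFileRenameOperations and flag deferred deletes/renames.

Added example for this report, not sandbox output.  Windows stores each
MoveFileEx(MOVEFILE_DELAY_UNTIL_REBOOT) request as a source/destination
pair in the REG_MULTI_SZ value below; an empty destination means delete,
a destination starting with '!' means replace an existing file.  The
sample value and the "expected directory" heuristic are constructed.
"""

SESSION_MANAGER = r"HKLM\SYSTEM\CurrentControlSet\Control\Session Manager"
VALUE_NAME = "PendingFileRenameOperations"
NT_PREFIX = "\\??\\"

# Sources an installer/uninstaller is expected to clean up (the report's
# ~nsuA.tmp lives under the user's Temp); anything else is reported.
EXPECTED_SOURCE_PREFIXES = (
    "c:\\users\\user\\appdata\\local\\temp\\",
    "c:\\windows\\temp\\",
)
SENSITIVE_DEST_PREFIXES = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def decode_multi_sz(raw):
    """Raw REG_MULTI_SZ bytes (UTF-16LE, NUL separated, double-NUL
    terminated) -> list of strings, keeping empty elements.  A reader that
    treats an empty string as end-of-list would drop everything after the
    first delete entry, so the raw bytes are decoded here directly."""
    text = raw.decode("utf-16-le")
    if text.endswith("\0\0"):
        text = text[:-2]
    elif text.endswith("\0"):
        text = text[:-1]
    return text.split("\0") if text else []


def strip_nt(path):
    """Drop the '\\??\\' NT object-manager prefix for readability."""
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def parse_pending_ops(entries):
    """Pair up the flat list into (kind, source, destination) triples."""
    ops = []
    for i in range(0, len(entries) - 1, 2):
        src, dst = entries[i], entries[i + 1]
        if dst == "":
            ops.append(("delete", strip_nt(src), None))
        elif dst.startswith("!"):
            ops.append(("rename-replace", strip_nt(src), strip_nt(dst[1:])))
        else:
            ops.append(("rename", strip_nt(src), strip_nt(dst)))
    return ops


def flag_unexpected(ops):
    """Operations whose source is outside the expected temp directories or
    whose destination lands in a system directory."""
    flagged = []
    for kind, src, dst in ops:
        if not src.lower().startswith(EXPECTED_SOURCE_PREFIXES):
            flagged.append((kind, src, dst))
        elif dst is not None and dst.lower().startswith(SENSITIVE_DEST_PREFIXES):
            flagged.append((kind, src, dst))
    return flagged


# Constructed value: the uninstaller's own temp directory scheduled for
# deletion (expected), plus a rename into System32 that deserves attention.
SAMPLE_ENTRIES = [
    r"\??\C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe", "",
    r"\??\C:\Users\user\AppData\Local\Temp\~nsuA.tmp", "",
    r"\??\C:\Users\user\AppData\Local\Temp\upd.tmp",
    r"!\??\C:\Windows\System32\drivers\etc\hosts",
]
SAMPLE_RAW = ("\0".join(SAMPLE_ENTRIES) + "\0\0").encode("utf-16-le")

if __name__ == "__main__":
    ops = parse_pending_ops(decode_multi_sz(SAMPLE_RAW))
    for op in ops:
        print(op)
    print("flagged:", flag_unexpected(ops))
```

On a live system the raw bytes come from the registry value itself; from an offline SYSTEM hive they come from a hive parser. Either way, decode the bytes rather than relying on a generic multi-string reader, because the delete entries are exactly the ones that contain an empty element.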
                                          APIs
                                          • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00404009
                                          • ShowWindow.USER32(?), ref: 00404026
                                          • DestroyWindow.USER32 ref: 0040403A
                                          • SetWindowLongA.USER32(?,00000000,00000000), ref: 00404056
                                          • GetDlgItem.USER32(?,?), ref: 00404077
                                          • SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 0040408B
                                          • IsWindowEnabled.USER32(00000000), ref: 00404092
                                          • GetDlgItem.USER32(?,00000001), ref: 00404140
                                          • GetDlgItem.USER32(?,00000002), ref: 0040414A
                                          • SetClassLongA.USER32(?,000000F2,?), ref: 00404164
                                          • SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 004041B5
                                          • GetDlgItem.USER32(?,00000003), ref: 0040425B
                                          • ShowWindow.USER32(00000000,?), ref: 0040427C
                                          • EnableWindow.USER32(?,?), ref: 0040428E
                                          • EnableWindow.USER32(?,?), ref: 004042A9
                                          • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 004042BF
                                          • EnableMenuItem.USER32(00000000), ref: 004042C6
                                          • SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 004042DE
                                          • SendMessageA.USER32(?,00000401,00000002,00000000), ref: 004042F1
                                          • lstrlenA.KERNEL32(00421DD8,?,00421DD8,00425C00), ref: 0040431A
                                          • SetWindowTextA.USER32(?,00421DD8), ref: 00404329
                                          • ShowWindow.USER32(?,0000000A), ref: 0040445D
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2191013243.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.2190998009.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191030062.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191048241.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191048241.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191048241.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191048241.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191138576.0000000000436000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_yDoZVwXSMG.jbxd
                                          Similarity
                                          • API ID: Window$Item$MessageSend$EnableShow$LongMenu$ClassDestroyEnabledSystemTextlstrlen
                                          • String ID:
                                          • API String ID: 184305955-0
                                          • Opcode ID: 0248ba45e7b493aff9bc460956d3901db11cdf52f63362b6396d5a0f8d5974e5
                                          • Instruction ID: e8b814be20905fb269ae5e5496c6b8f26aecf55a6b1e554940ad996ba5c5a090
                                          • Opcode Fuzzy Hash: 0248ba45e7b493aff9bc460956d3901db11cdf52f63362b6396d5a0f8d5974e5
                                          • Instruction Fuzzy Hash: 2CC1C3B1600704AFCB206F61EE45E2B3AA8FB94749F50453EF781B51F1CB3968529B1E
                                          APIs
                                            • Part of subcall function 0040680A: GetModuleHandleA.KERNEL32(?,?,?,00403751,0000000D), ref: 0040681C
                                            • Part of subcall function 0040680A: GetProcAddress.KERNEL32(00000000,?), ref: 00406837
                                          • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsfC6FF.tmp,00421DD8,80000001,Control Panel\Desktop\ResourceLocale,00000000,00421DD8,00000000,00000003,C:\Users\user\AppData\Local\Temp\~nsuA.tmp,?,"C:\Users\user\Desktop\yDoZVwXSMG.exe",00000000), ref: 00403C88
                                          • lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Zu_.exe,?,?,?,C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Zu_.exe,00000000,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\nsfC6FF.tmp,00421DD8,80000001,Control Panel\Desktop\ResourceLocale,00000000,00421DD8,00000000,00000003,C:\Users\user\AppData\Local\Temp\~nsuA.tmp), ref: 00403CFD
                                          • lstrcmpiA.KERNEL32(?,.exe), ref: 00403D10
                                          • GetFileAttributesA.KERNEL32(C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Zu_.exe), ref: 00403D1B
                                          • LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\Desktop), ref: 00403D84
                                            • Part of subcall function 0040622B: wsprintfA.USER32 ref: 00406238
                                          • RegisterClassA.USER32 ref: 00403DCB
                                          • SystemParametersInfoA.USER32(00000030,00000000,_Nb,00000000), ref: 00403DE3
                                          • CreateWindowExA.USER32(00000080,?,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403E1C
                                          • ShowWindow.USER32(00000005,00000000), ref: 00403E52
                                          • GetClassInfoA.USER32(00000000,RichEdit20A,00425BA0), ref: 00403E7E
                                          • GetClassInfoA.USER32(00000000,RichEdit,00425BA0), ref: 00403E8B
                                          • RegisterClassA.USER32(00425BA0), ref: 00403E94
                                          • DialogBoxParamA.USER32(?,00000000,00403FCD,00000000), ref: 00403EB3
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2191013243.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.2190998009.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191030062.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191048241.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191048241.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191048241.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191048241.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191138576.0000000000436000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_yDoZVwXSMG.jbxd
                                          Similarity
                                          • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                          • String ID: "C:\Users\user\Desktop\yDoZVwXSMG.exe"$.DEFAULT\Control Panel\International$.exe$C:\Users\user\AppData\Local\Temp\nsfC6FF.tmp$C:\Users\user\AppData\Local\Temp\~nsuA.tmp$C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Zu_.exe$C:\Users\user\Desktop$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
                                          • API String ID: 1975747703-3911588168
                                          • Opcode ID: 219e44700a7c5464ba9c373261ae23bdec3dc5ef048ecac8b3c837362af8f259
                                          • Instruction ID: 7568602f95d19c6b689a3b08b652a15b96228f33c85fe1690cd6c01ac20bc482
                                          • Opcode Fuzzy Hash: 219e44700a7c5464ba9c373261ae23bdec3dc5ef048ecac8b3c837362af8f259
                                          • Instruction Fuzzy Hash: 0661B6702406406ED720BF659D45F3B3E6CEB4074AF85053FF981B62E2DB7CA9428A6D
                                          APIs
                                          • CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 00404673
                                          • GetDlgItem.USER32(00000000,000003E8), ref: 00404687
                                          • SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 004046A5
                                          • GetSysColor.USER32(?), ref: 004046B6
                                          • SendMessageA.USER32(00000000,00000443,00000000,?), ref: 004046C5
                                          • SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 004046D4
                                          • lstrlenA.KERNEL32(?), ref: 004046DE
                                          • SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 004046EC
                                          • SendMessageA.USER32(00000000,00000449,?,00000110), ref: 004046FB
                                          • GetDlgItem.USER32(?,0000040A), ref: 0040475E
                                          • SendMessageA.USER32(00000000), ref: 00404761
                                          • GetDlgItem.USER32(?,000003E8), ref: 0040478C
                                          • SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 004047CC
                                          • LoadCursorA.USER32(00000000,00007F02), ref: 004047DB
                                          • SetCursor.USER32(00000000), ref: 004047E4
                                          • ShellExecuteA.SHELL32(0000070B,open,00424BA0,00000000,00000000,00000001), ref: 004047F7
                                          • LoadCursorA.USER32(00000000,00007F00), ref: 00404804
                                          • SetCursor.USER32(00000000), ref: 00404807
                                          • SendMessageA.USER32(00000111,00000001,00000000), ref: 00404833
                                          • SendMessageA.USER32(00000010,00000000,00000000), ref: 00404847
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2191013243.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.2190998009.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191030062.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191048241.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191048241.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191048241.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191048241.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191138576.0000000000436000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_yDoZVwXSMG.jbxd
                                          Similarity
                                          • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
                                          • String ID: C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Zu_.exe$N$open
                                          • API String ID: 3615053054-2634702824
                                          • Opcode ID: 4acb1e7f699876b9b080a19da7d3748d224994641b86eb42dea44ec3c9bac124
                                          • Instruction ID: 7ac1e07cf673726af58d7051cd64680cda6ca82f3b090425a6ea0e09ab9c8800
                                          • Opcode Fuzzy Hash: 4acb1e7f699876b9b080a19da7d3748d224994641b86eb42dea44ec3c9bac124
                                          • Instruction Fuzzy Hash: 0361C2B1A40208BFEB10AF60DD45F6A3768FB84714F10843AFB05BB1D1C7B8A951CB98
                                          APIs
                                          • DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
                                          • BeginPaint.USER32(?,?), ref: 00401047
                                          • GetClientRect.USER32(?,?), ref: 0040105B
                                          • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                          • FillRect.USER32(00000000,?,00000000), ref: 004010E4
                                          • DeleteObject.GDI32(?), ref: 004010ED
                                          • CreateFontIndirectA.GDI32(?), ref: 00401105
                                          • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                          • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                          • SelectObject.GDI32(00000000,?), ref: 00401140
                                          • DrawTextA.USER32(00000000,00425C00,000000FF,00000010,00000820), ref: 00401156
                                          • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                          • DeleteObject.GDI32(?), ref: 00401165
                                          • EndPaint.USER32(?,?), ref: 0040116E
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2191013243.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.2190998009.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2191030062.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2191048241.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2191048241.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2191048241.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2191048241.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2191138576.0000000000436000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_yDoZVwXSMG.jbxd
                                          Similarity
                                          • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                          • String ID: F
                                          • API String ID: 941294808-1304234792
                                          • Opcode ID: 750255ee06490405d36d6d77af7e8d62f2e9bab9d2e9b601842e2a7d5fc750e5
                                          • Instruction ID: 1a047666a44e0bd53f927bcc358f11ad8581032b766642e5cfbbeb7700f4c1b8
                                          • Opcode Fuzzy Hash: 750255ee06490405d36d6d77af7e8d62f2e9bab9d2e9b601842e2a7d5fc750e5
                                          • Instruction Fuzzy Hash: A5418B71800219AFCF058F95DE459AF7BB9FF44314F00802AF5A1AA1A1CB38EA55DFA4
                                          APIs
                                            • Part of subcall function 00406747: lstrlenA.KERNEL32(004253A0,?,?,00000000,00405D75,RMDir: RemoveDirectory("%s"),?,?,?), ref: 0040675E
                                            • Part of subcall function 00406747: wvsprintfA.USER32(00000000,004253A0,?), ref: 00406766
                                          • lstrcatA.KERNEL32(00000000,00000000,0040B4B0,0042C800,00000000,00000000), ref: 004018F0
                                          • CompareFileTime.KERNEL32(-00000014,0040B4B0,0040B4B0,0040B4B0,00000000,00000000,0040B4B0,0042C800,00000000,00000000), ref: 0040191A
                                            • Part of subcall function 004062CD: lstrcpynA.KERNEL32(?,?,00000400,00403795,00425C00,NSIS Error), ref: 004062DA
                                            • Part of subcall function 0040552B: lstrlenA.KERNEL32(00420DB0,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030F8,00000000,?), ref: 00405564
                                            • Part of subcall function 0040552B: lstrlenA.KERNEL32(004030F8,00420DB0,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030F8,00000000), ref: 00405574
                                            • Part of subcall function 0040552B: lstrcatA.KERNEL32(00420DB0,004030F8,004030F8,00420DB0,00000000,00000000,00000000), ref: 00405587
                                            • Part of subcall function 0040552B: SetWindowTextA.USER32(00420DB0,00420DB0), ref: 00405599
                                            • Part of subcall function 0040552B: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004055BF
                                            • Part of subcall function 0040552B: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 004055D9
                                            • Part of subcall function 0040552B: SendMessageA.USER32(?,00001013,?,00000000), ref: 004055E7
                                          Strings
                                          • File: wrote %d to "%s", xrefs: 00401A42
                                          • File: error, user retry, xrefs: 004019BA
                                          • File: error, user abort, xrefs: 004019CD
                                          • File: skipped: "%s" (overwriteflag=%d), xrefs: 004019FB
                                          • File: error creating "%s", xrefs: 0040196A
                                          • File: overwriteflag=%d, allowskipfilesflag=%d, name="%s", xrefs: 004018B3
                                          • File: error, user cancel, xrefs: 00401A05
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2191013243.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.2190998009.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2191030062.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2191048241.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2191048241.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2191048241.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2191048241.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2191138576.0000000000436000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_yDoZVwXSMG.jbxd
                                          Similarity
                                          • API ID: MessageSendlstrlen$lstrcat$CompareFileTextTimeWindowlstrcpynwvsprintf
                                          • String ID: File: error creating "%s"$File: error, user abort$File: error, user cancel$File: error, user retry$File: overwriteflag=%d, allowskipfilesflag=%d, name="%s"$File: skipped: "%s" (overwriteflag=%d)$File: wrote %d to "%s"
                                          • API String ID: 4286501637-704903514
                                          • Opcode ID: b489c16bb3b7e1a2c5301dae30614d08274f10404859f7f5edba48aaa1734e73
                                          • Instruction ID: 17351c833ff884be99ebbe4ca3dd04e93fba0c18e006415c8e205a2e39f5817b
                                          • Opcode Fuzzy Hash: b489c16bb3b7e1a2c5301dae30614d08274f10404859f7f5edba48aaa1734e73
                                          • Instruction Fuzzy Hash: A251E871A14214BACF107BB5DC4AEAF3668DF05339B21423FF416B11E1DB7C49518A6E
                                          APIs
                                          • GetVersion.KERNEL32(?,00420DB0,00000000,00405563,00420DB0,00000000), ref: 00406397
                                          • GetSystemDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Zu_.exe,00000400), ref: 00406412
                                          • GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Zu_.exe,00000400), ref: 00406425
                                          • SHGetSpecialFolderLocation.SHELL32(?,00000000), ref: 00406461
                                          • SHGetPathFromIDListA.SHELL32(00000000,C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Zu_.exe), ref: 0040646F
                                          • CoTaskMemFree.OLE32(00000000), ref: 0040647A
                                          • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Zu_.exe,\Microsoft\Internet Explorer\Quick Launch), ref: 0040649C
                                          • lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Zu_.exe,?,00420DB0,00000000,00405563,00420DB0,00000000), ref: 004064EE
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2191013243.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.2190998009.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2191030062.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2191048241.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2191048241.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2191048241.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2191048241.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2191138576.0000000000436000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_yDoZVwXSMG.jbxd
                                          Similarity
                                          • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
                                          • String ID: C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Zu_.exe$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                          • API String ID: 900638850-460282004
                                          • Opcode ID: e70c36c15463e11e4d98769463c39d75202b1930655f9bc1c58c23aaa8b76e0f
                                          • Instruction ID: 5020ced7e0235193b8239b63b3ec8dced8004e66b88da715bb9c8bf5f7faf145
                                          • Opcode Fuzzy Hash: e70c36c15463e11e4d98769463c39d75202b1930655f9bc1c58c23aaa8b76e0f
                                          • Instruction Fuzzy Hash: F8510530A00210AEDF216F64DD8477E3BA4AB55724F12423FE953B62D1D73D8962DB4D
                                          APIs
                                          • RegCreateKeyExA.ADVAPI32(00000000,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004026D7
                                          • lstrlenA.KERNEL32(0040BCB0,00000023,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004026FA
                                            • Part of subcall function 00406747: lstrlenA.KERNEL32(004253A0,?,?,00000000,00405D75,RMDir: RemoveDirectory("%s"),?,?,?), ref: 0040675E
                                            • Part of subcall function 00406747: wvsprintfA.USER32(00000000,004253A0,?), ref: 00406766
                                          • RegSetValueExA.ADVAPI32(?,?,?,?,0040BCB0,00000000), ref: 004027B0
                                          • RegCloseKey.ADVAPI32(?), ref: 004028C3
                                          Strings
                                          • WriteRegExpandStr: "%s\%s" "%s"="%s", xrefs: 00402724
                                          • WriteRegStr: "%s\%s" "%s"="%s", xrefs: 00402712
                                          • WriteReg: error creating key "%s\%s", xrefs: 004027E3
                                          • WriteRegBin: "%s\%s" "%s"="%s", xrefs: 00402797
                                          • WriteRegDWORD: "%s\%s" "%s"="0x%08x", xrefs: 00402750
                                          • WriteReg: error writing into "%s\%s" "%s", xrefs: 004027C8
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2191013243.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.2190998009.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2191030062.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2191048241.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2191048241.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2191048241.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2191048241.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2191138576.0000000000436000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_yDoZVwXSMG.jbxd
                                          Similarity
                                          • API ID: lstrlen$CloseCreateValuewvsprintf
                                          • String ID: WriteReg: error creating key "%s\%s"$WriteReg: error writing into "%s\%s" "%s"$WriteRegBin: "%s\%s" "%s"="%s"$WriteRegDWORD: "%s\%s" "%s"="0x%08x"$WriteRegExpandStr: "%s\%s" "%s"="%s"$WriteRegStr: "%s\%s" "%s"="%s"
                                          • API String ID: 1641139501-220328614
                                          • Opcode ID: 3326b50684f42d6555f26c716621c72d8a630b4c615609b64f1a4946c695ced0
                                          • Instruction ID: 0d8f67e9f840f9fb8975a9187b81f617768a5146bfc4832fe9bc88b1c5f34d6b
                                          • Opcode Fuzzy Hash: 3326b50684f42d6555f26c716621c72d8a630b4c615609b64f1a4946c695ced0
                                          • Instruction Fuzzy Hash: 6D415BB2D00208BFDF11AFA1CD4AE9EBB78EF04348F11407AF505761D0D7BA4A619B69
                                          APIs
                                          • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000), ref: 00402B16
                                          • GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 00402B32
                                          • GlobalFree.KERNEL32(?), ref: 00402B6B
                                          • WriteFile.KERNEL32(?,00000000,?,?), ref: 00402B7D
                                          • GlobalFree.KERNEL32(00000000), ref: 00402B84
                                          • CloseHandle.KERNEL32(?), ref: 00402B9C
                                          • DeleteFileA.KERNEL32(?), ref: 00402BC3
                                          Strings
                                          • created uninstaller: %d, "%s", xrefs: 00402BA8
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2191013243.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.2190998009.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2191030062.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2191048241.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2191048241.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2191048241.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2191048241.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2191138576.0000000000436000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_yDoZVwXSMG.jbxd
                                          Similarity
                                          • API ID: Global$AllocFileFree$CloseDeleteHandleWrite
                                          • String ID: created uninstaller: %d, "%s"
                                          • API String ID: 3294113728-3145124454
                                          • Opcode ID: fcd8c44232e72c7a519ab1b54606f4df5990d39ba661982b9417052821f24287
                                          • Instruction ID: f039b0f35b450dc7ee41e930bae157162e8a347937c2952a3d4cbe63db110461
                                          • Opcode Fuzzy Hash: fcd8c44232e72c7a519ab1b54606f4df5990d39ba661982b9417052821f24287
                                          • Instruction Fuzzy Hash: C031BE71800128BBCF20AFA5CE49DAE7F78EF04324F10423AF914762E1DB795D419BA9
                                          APIs
                                          • GetModuleHandleA.KERNEL32(00000000,00000001,000000F0), ref: 00402214
                                            • Part of subcall function 0040552B: lstrlenA.KERNEL32(00420DB0,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030F8,00000000,?), ref: 00405564
                                            • Part of subcall function 0040552B: lstrlenA.KERNEL32(004030F8,00420DB0,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030F8,00000000), ref: 00405574
                                            • Part of subcall function 0040552B: lstrcatA.KERNEL32(00420DB0,004030F8,004030F8,00420DB0,00000000,00000000,00000000), ref: 00405587
                                            • Part of subcall function 0040552B: SetWindowTextA.USER32(00420DB0,00420DB0), ref: 00405599
                                            • Part of subcall function 0040552B: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004055BF
                                            • Part of subcall function 0040552B: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 004055D9
                                            • Part of subcall function 0040552B: SendMessageA.USER32(?,00001013,?,00000000), ref: 004055E7
                                            • Part of subcall function 00406747: lstrlenA.KERNEL32(004253A0,?,?,00000000,00405D75,RMDir: RemoveDirectory("%s"),?,?,?), ref: 0040675E
                                            • Part of subcall function 00406747: wvsprintfA.USER32(00000000,004253A0,?), ref: 00406766
                                          • LoadLibraryExA.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 00402225
                                          • GetProcAddress.KERNEL32(?,?), ref: 0040223C
                                          • FreeLibrary.KERNEL32(?,?), ref: 004022BC
                                          Strings
                                          • Error registering DLL: Could not load %s, xrefs: 004022CF
                                          • Error registering DLL: Could not initialize OLE, xrefs: 004022E7
                                          • Error registering DLL: %s not found in %s, xrefs: 00402293
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2191013243.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.2190998009.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2191030062.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2191048241.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2191048241.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2191048241.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2191048241.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2191138576.0000000000436000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_yDoZVwXSMG.jbxd
                                          Similarity
                                          • API ID: MessageSendlstrlen$Library$AddressFreeHandleLoadModuleProcTextWindowlstrcatwvsprintf
                                          • String ID: Error registering DLL: %s not found in %s$Error registering DLL: Could not initialize OLE$Error registering DLL: Could not load %s
                                          • API String ID: 3271377537-945480824
                                          • Opcode ID: 95944be87c664a0b58439fc9e78eee2c4482eb363a37399056f384f006046da1
                                          • Instruction ID: c758e62e292b85024776478069b6dbefcb92a1905fe08cf12c5b39257b8ea98b
                                          • Opcode Fuzzy Hash: 95944be87c664a0b58439fc9e78eee2c4482eb363a37399056f384f006046da1
                                          • Instruction Fuzzy Hash: C221B132904205BBCF106FA1DE49B9E7A70AF08358F60417FF410B11E0DBBD4A919A2E
                                          APIs
                                          • CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\yDoZVwXSMG.exe",C:\Users\user\AppData\Local\Temp\~nsuA.tmp,C:\Users\user\AppData\Local\Temp\~nsuA.tmp,00000000,004036C2,C:\Users\user\AppData\Local\Temp\~nsuA.tmp,?,00403875), ref: 00406587
                                          • CharNextA.USER32(?,?,?,00000000), ref: 00406594
                                          • CharNextA.USER32(?,"C:\Users\user\Desktop\yDoZVwXSMG.exe",C:\Users\user\AppData\Local\Temp\~nsuA.tmp,C:\Users\user\AppData\Local\Temp\~nsuA.tmp,00000000,004036C2,C:\Users\user\AppData\Local\Temp\~nsuA.tmp,?,00403875), ref: 00406599
                                          • CharPrevA.USER32(?,?,C:\Users\user\AppData\Local\Temp\~nsuA.tmp,C:\Users\user\AppData\Local\Temp\~nsuA.tmp,00000000,004036C2,C:\Users\user\AppData\Local\Temp\~nsuA.tmp,?,00403875), ref: 004065A9
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2191013243.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.2190998009.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2191030062.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2191048241.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2191048241.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2191048241.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2191048241.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2191138576.0000000000436000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_yDoZVwXSMG.jbxd
                                          Similarity
                                          • API ID: Char$Next$Prev
                                          • String ID: "C:\Users\user\Desktop\yDoZVwXSMG.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\~nsuA.tmp
                                          • API String ID: 589700163-2691690906
                                          • Opcode ID: 8096d849d1c9ce41e0346831cb37685f4dd6d64b26888903e7438f7d863a7a62
                                          • Instruction ID: 24dd96064d5417bc72e67d0c60cfec8ce53d8243db2d456a42809f7a95db7985
                                          • Opcode Fuzzy Hash: 8096d849d1c9ce41e0346831cb37685f4dd6d64b26888903e7438f7d863a7a62
                                          • Instruction Fuzzy Hash: 981134A180479039EB3216386C44B777F894F5B7A0F1A047BE4C2322C6DA7C5D62826D
                                          APIs
                                          • GetWindowLongA.USER32(?,000000EB), ref: 00404524
                                          • GetSysColor.USER32(00000000), ref: 00404540
                                          • SetTextColor.GDI32(?,00000000), ref: 0040454C
                                          • SetBkMode.GDI32(?,?), ref: 00404558
                                          • GetSysColor.USER32(?), ref: 0040456B
                                          • SetBkColor.GDI32(?,?), ref: 0040457B
                                          • DeleteObject.GDI32(?), ref: 00404595
                                          • CreateBrushIndirect.GDI32(?), ref: 0040459F
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2191013243.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.2190998009.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2191030062.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2191048241.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2191048241.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2191048241.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2191048241.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2191138576.0000000000436000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_yDoZVwXSMG.jbxd
                                          Similarity
                                          • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                          • String ID:
                                          • API String ID: 2320649405-0
                                          • Opcode ID: ff550e039535750ddee094f50c47ca332dcff401595c3ffc2c3d1fe0adab4e51
                                          • Instruction ID: 5129247060fdf99fe8797dcd9aa0072a42d6f3bc0e200a186bc0a46124ada848
                                          • Opcode Fuzzy Hash: ff550e039535750ddee094f50c47ca332dcff401595c3ffc2c3d1fe0adab4e51
                                          • Instruction Fuzzy Hash: 002142B1501704ABCB219F68DD08B5BBBF8AF41714F04892DFA96A26E0D738E9488B54
                                          APIs
                                          • lstrlenA.KERNEL32(00420DB0,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030F8,00000000,?), ref: 00405564
                                          • lstrlenA.KERNEL32(004030F8,00420DB0,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030F8,00000000), ref: 00405574
                                          • lstrcatA.KERNEL32(00420DB0,004030F8,004030F8,00420DB0,00000000,00000000,00000000), ref: 00405587
                                          • SetWindowTextA.USER32(00420DB0,00420DB0), ref: 00405599
                                          • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004055BF
                                          • SendMessageA.USER32(?,00001007,00000000,00000001), ref: 004055D9
                                          • SendMessageA.USER32(?,00001013,?,00000000), ref: 004055E7
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2191013243.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.2190998009.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191030062.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191048241.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191048241.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191048241.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191048241.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191138576.0000000000436000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_yDoZVwXSMG.jbxd
                                          Similarity
                                          • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                          • String ID:
                                          • API String ID: 2531174081-0
                                          • Opcode ID: cb0f79ab979e13bb22370c5c0aa667bb76c3ef8d0eed0eb48269c6a4122cdca1
                                          • Instruction ID: b5f13368894abbd72d2ef9bcc5aed1bc168452b499d58a4623565611e2026dd0
                                          • Opcode Fuzzy Hash: cb0f79ab979e13bb22370c5c0aa667bb76c3ef8d0eed0eb48269c6a4122cdca1
                                          • Instruction Fuzzy Hash: 71218C71900118BBCF119FA5CD80ADFBFB9EF04354F04807AF944B6291C7388A419FA8
                                          APIs
                                            • Part of subcall function 00406747: lstrlenA.KERNEL32(004253A0,?,?,00000000,00405D75,RMDir: RemoveDirectory("%s"),?,?,?), ref: 0040675E
                                            • Part of subcall function 00406747: wvsprintfA.USER32(00000000,004253A0,?), ref: 00406766
                                            • Part of subcall function 0040552B: lstrlenA.KERNEL32(00420DB0,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030F8,00000000,?), ref: 00405564
                                            • Part of subcall function 0040552B: lstrlenA.KERNEL32(004030F8,00420DB0,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030F8,00000000), ref: 00405574
                                            • Part of subcall function 0040552B: lstrcatA.KERNEL32(00420DB0,004030F8,004030F8,00420DB0,00000000,00000000,00000000), ref: 00405587
                                            • Part of subcall function 0040552B: SetWindowTextA.USER32(00420DB0,00420DB0), ref: 00405599
                                            • Part of subcall function 0040552B: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004055BF
                                            • Part of subcall function 0040552B: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 004055D9
                                            • Part of subcall function 0040552B: SendMessageA.USER32(?,00001013,?,00000000), ref: 004055E7
                                            • Part of subcall function 00405AD4: CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00423DE0,Error launching installer), ref: 00405AF9
                                            • Part of subcall function 00405AD4: CloseHandle.KERNEL32(?), ref: 00405B06
                                          • WaitForSingleObject.KERNEL32(?,00000064,00000000,000000EB,00000000), ref: 004020C6
                                          • GetExitCodeProcess.KERNEL32(?,?), ref: 004020D6
                                          • CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 004020FB
                                          Strings
                                          • Exec: command="%s", xrefs: 0040207F
                                          • Exec: success ("%s"), xrefs: 004020A1
                                          • Exec: failed createprocess ("%s"), xrefs: 0040210D
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2191013243.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.2190998009.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191030062.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191048241.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191048241.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191048241.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191048241.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191138576.0000000000436000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_yDoZVwXSMG.jbxd
                                          Similarity
                                          • API ID: MessageSendlstrlen$CloseHandleProcess$CodeCreateExitObjectSingleTextWaitWindowlstrcatwvsprintf
                                          • String ID: Exec: command="%s"$Exec: failed createprocess ("%s")$Exec: success ("%s")
                                          • API String ID: 2014279497-3433828417
                                          • Opcode ID: 4c0bf5a819c5cabc785e79fb82755261a9ca6965defa31031fc279229f133177
                                          • Instruction ID: f192cf5068fe721493c2ca47631b8fd5e11dfa55f6fb4389df25e9f95d382c2a
                                          • Opcode Fuzzy Hash: 4c0bf5a819c5cabc785e79fb82755261a9ca6965defa31031fc279229f133177
                                          • Instruction Fuzzy Hash: 96119031505214EADB25AF91DE899AE7B61EF01318F20403FF501750D1CBBD0991EB6E
                                          APIs
                                          • DestroyWindow.USER32(00000000,00000000), ref: 00403099
                                          • GetTickCount.KERNEL32 ref: 004030B7
                                          • wsprintfA.USER32 ref: 004030E5
                                            • Part of subcall function 0040552B: lstrlenA.KERNEL32(00420DB0,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030F8,00000000,?), ref: 00405564
                                            • Part of subcall function 0040552B: lstrlenA.KERNEL32(004030F8,00420DB0,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030F8,00000000), ref: 00405574
                                            • Part of subcall function 0040552B: lstrcatA.KERNEL32(00420DB0,004030F8,004030F8,00420DB0,00000000,00000000,00000000), ref: 00405587
                                            • Part of subcall function 0040552B: SetWindowTextA.USER32(00420DB0,00420DB0), ref: 00405599
                                            • Part of subcall function 0040552B: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004055BF
                                            • Part of subcall function 0040552B: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 004055D9
                                            • Part of subcall function 0040552B: SendMessageA.USER32(?,00001013,?,00000000), ref: 004055E7
                                          • CreateDialogParamA.USER32(0000006F,00000000,00402FE9,00000000), ref: 00403109
                                          • ShowWindow.USER32(00000000,00000005), ref: 00403117
                                            • Part of subcall function 00403065: MulDiv.KERNEL32(00000000,00000064,00000004), ref: 0040307A
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2191013243.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.2190998009.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191030062.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191048241.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191048241.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191048241.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191048241.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191138576.0000000000436000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_yDoZVwXSMG.jbxd
                                          Similarity
                                          • API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
                                          • String ID: ... %d%%
                                          • API String ID: 722711167-2449383134
                                          • Opcode ID: ce67bc7cccbabcfd3d998f218857b4b480decfb62087f9010a91ecd6a2638fba
                                          • Instruction ID: 8a56325a0c249c51aeddb8beeb044339652cd635e3f90c4b3db5a9aada2ba764
                                          • Opcode Fuzzy Hash: ce67bc7cccbabcfd3d998f218857b4b480decfb62087f9010a91ecd6a2638fba
                                          • Instruction Fuzzy Hash: 6C01C870502624DBCB217F60BD09AAA7F6CAB05B46B04803BF441B11D5DB784A45CF9E
                                          APIs
                                          • SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 00404E15
                                          • GetMessagePos.USER32 ref: 00404E1D
                                          • ScreenToClient.USER32(?,?), ref: 00404E37
                                          • SendMessageA.USER32(?,00001111,00000000,?), ref: 00404E49
                                          • SendMessageA.USER32(?,0000110C,00000000,?), ref: 00404E6F
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2191013243.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.2190998009.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191030062.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191048241.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191048241.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191048241.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191048241.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191138576.0000000000436000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_yDoZVwXSMG.jbxd
                                          Similarity
                                          • API ID: Message$Send$ClientScreen
                                          • String ID: f
                                          • API String ID: 41195575-1993550816
                                          • Opcode ID: 2de7cdc7de5e6d73f2f496e999baad3857bc1053d919e802e93d4047082e1f51
                                          • Instruction ID: 577475e6f0e9fc61b494f9fa51c3945aaa03660cb513c050f00af2c753d98fa9
                                          • Opcode Fuzzy Hash: 2de7cdc7de5e6d73f2f496e999baad3857bc1053d919e802e93d4047082e1f51
                                          • Instruction Fuzzy Hash: 78015271D00219BADB00DBA4DD45FFEBBBCAF55B11F10012BBA50B61D1C7B459458B94
                                          APIs
                                          • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00403004
                                          • wsprintfA.USER32 ref: 00403038
                                          • SetWindowTextA.USER32(?,?), ref: 00403048
                                          • SetDlgItemTextA.USER32(?,00000406,?), ref: 0040305A
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2191013243.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.2190998009.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191030062.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191048241.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191048241.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191048241.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191048241.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191138576.0000000000436000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_yDoZVwXSMG.jbxd
                                          Similarity
                                          • API ID: Text$ItemTimerWindowwsprintf
                                          • String ID: unpacking data: %d%%$verifying installer: %d%%
                                          • API String ID: 1451636040-1158693248
                                          • Opcode ID: 34aea8c237d9a6b4262babc5d15cb9ea65e997ceb4a27ace1c078bd2d2e193bf
                                          • Instruction ID: 20546e6ba832e1b3fab4aa97257a5f65f69261077b3f880adcbb49229734dd85
                                          • Opcode Fuzzy Hash: 34aea8c237d9a6b4262babc5d15cb9ea65e997ceb4a27ace1c078bd2d2e193bf
                                          • Instruction Fuzzy Hash: 3AF0817050020CBBDF20AF60DD06BAE3BBCAB04345F00843AFA56B51D5DBB99A558F99
                                          APIs
                                          • RegOpenKeyExA.ADVAPI32(?,?,00000000,?,?), ref: 00402F05
                                          • RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402F41
                                          • RegCloseKey.ADVAPI32(?), ref: 00402F4A
                                          • RegCloseKey.ADVAPI32(?), ref: 00402F6F
                                          • RegDeleteKeyA.ADVAPI32(?,?), ref: 00402F8D
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2191013243.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.2190998009.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191030062.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191048241.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191048241.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191048241.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191048241.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191138576.0000000000436000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_yDoZVwXSMG.jbxd
                                          Similarity
                                          • API ID: Close$DeleteEnumOpen
                                          • String ID:
                                          • API String ID: 1912718029-0
                                          • Opcode ID: b028ecec1d78a200503dadcefe2bc22e0f6fb028ff25e3f61a2c7c57b1882060
                                          • Instruction ID: 1bd9878c7ef2e45ac55117cc9ab264197938e8746315a7d31758d375fefd0929
                                          • Opcode Fuzzy Hash: b028ecec1d78a200503dadcefe2bc22e0f6fb028ff25e3f61a2c7c57b1882060
                                          • Instruction Fuzzy Hash: 0E117C7150000AFFDF10AFA0DE48DAA3B7DEB44389B404036FA45B01E0D7B49E55BB69
                                          APIs
                                          • CloseHandle.KERNEL32(FFFFFFFF,?,?,00406773,00000000), ref: 004065DE
                                          • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,00424780,40000000,00000004,?,?,00406773,00000000), ref: 00406626
                                          • lstrcatA.KERNEL32(004253A0,0040ABEC,004253A0,?,?,00406773,00000000), ref: 00406641
                                          • lstrlenA.KERNEL32(004253A0,?,00000000,004253A0,0040ABEC,004253A0,?,?,00406773,00000000), ref: 0040664C
                                          • WriteFile.KERNEL32(004253A0,00000000,004253A0,?,00000000,004253A0,0040ABEC,004253A0,?,?,00406773,00000000), ref: 00406659
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2191013243.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.2190998009.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191030062.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191048241.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191048241.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191048241.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191048241.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191138576.0000000000436000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_yDoZVwXSMG.jbxd
                                          Similarity
                                          • API ID: File$CloseHandlePointerWritelstrcatlstrlen
                                          • String ID:
                                          • API String ID: 4073665932-0
                                          • Opcode ID: 6985dbf8a51587ff873b0807ef77b93063035b7dde659fa51b5ad4c8cc64aba6
                                          • Instruction ID: 8cb7850f754a91aea35530736be2dd68b046b28bd0b92714d99c360fc914dd09
                                          • Opcode Fuzzy Hash: 6985dbf8a51587ff873b0807ef77b93063035b7dde659fa51b5ad4c8cc64aba6
                                          • Instruction Fuzzy Hash: BD019671500306ABD720AF74BD85E573A5CDB01374B52433BF172B51E0C73998A29A5E
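The three entries above (Exec at 004020C6, the recursive registry-key delete at 00402F05 and the file append at 00406626) are listed only as raw call sites, and the "• Api.MODULE(args), ref: ADDR" rows are the one machine-readable part of this listing. The following Python example is added here and is not part of the Joe Sandbox report: it parses those rows and tags each function by the API combination it contains, consulting the argument column where names alone are ambiguous (SetFilePointer with dwMoveMethod 00000002, FILE_END, followed by WriteFile is an append, not an overwrite). The sample blocks are copied from the entries above; the Call record, the PATTERNS table and the tag names are this example's own. A caveat for triage: the log strings in this listing (Exec: command="%s", DeleteRegKey: "%s\%s", RMDir: RemoveDirectory("%s"), verifying installer: %d%%, Error launching installer) are the NSIS installer stub's own messages, so each tag produced below is expected behaviour for an NSIS (un)installer. What the embedded script actually executes or which keys it deletes is not visible at this level of the listing.

```python
"""Parse the 'APIs' entries of a Joe Sandbox function listing (the
'• Api.MODULE(args), ref: ADDR' lines used throughout this report) and tag
each function with the behaviour its API combination implies.

Added example, not part of the Joe Sandbox report.  SAMPLE_BLOCKS is copied
from the Exec, registry-delete and file-append entries above; the tag names
and the PATTERNS table are this example's own.
"""
import re
from dataclasses import dataclass
from typing import Optional

# One call-site line.  'Part of subcall function X:' marks a call made inside
# a callee; Joe lists those under the caller, so they are kept but flagged.
LINE_RE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>.*)\),?)?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

@dataclass(frozen=True)
class Call:
    api: str                # e.g. "CreateProcessA"
    module: str             # e.g. "KERNELBASE"
    args: tuple             # raw argument column; "?" means unresolved
    ref: int                # address of the call site
    subcall: Optional[int]  # callee address when the call is inside a subroutine

def parse_api_block(text: str) -> list:
    """Call records of one 'APIs' block.  Headings, 'Strings' rows
    ('..., xrefs: ADDR') and memory-dump rows do not match and are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # A comma split is enough here: string arguments are shown inline and
        # none in this report contains a comma.  Harden this for other reports.
        args = tuple(a.strip() for a in m["args"].split(",")) if m["args"] else ()
        calls.append(Call(m["api"], m["mod"], args, int(m["ref"], 16),
                          int(m["sub"], 16) if m["sub"] else None))
    return calls

# API combinations worth a look during triage.  All of them are normal for an
# NSIS installer/uninstaller stub, which this report's log strings identify.
PATTERNS = {
    "spawns-process-and-waits": {"CreateProcessA", "WaitForSingleObject", "GetExitCodeProcess"},
    "recursive-registry-key-delete": {"RegOpenKeyExA", "RegEnumKeyA", "RegDeleteKeyA"},
    "deletes-registry-value": {"RegDeleteValueA"},
}
FILE_END = 2  # SetFilePointer dwMoveMethod: seek relative to end of file

def tag_calls(calls) -> set:
    """Behaviour tags for one function, from API names and, where the name
    alone is ambiguous, from the argument column."""
    names = {c.api for c in calls}
    tags = {tag for tag, needed in PATTERNS.items() if needed <= names}
    # SetFilePointer(h, 0, NULL, FILE_END) followed by WriteFile is an append:
    # a log line added to an existing file rather than the file being rewritten.
    seeks_end = any(c.api == "SetFilePointer" and len(c.args) > 3
                    and c.args[3] == f"{FILE_END:08X}" for c in calls)
    if seeks_end and "WriteFile" in names:
        tags.add("appends-to-file")
    return tags

# Copied from the entries above (Exec at 004020C6, registry delete at 00402F05,
# file append at 00406626); the dictionary keys are this example's own.
SAMPLE_BLOCKS = {
    "exec": """
  • Part of subcall function 00405AD4: CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00423DE0,Error launching installer), ref: 00405AF9
• WaitForSingleObject.KERNEL32(?,00000064,00000000,000000EB,00000000), ref: 004020C6
• GetExitCodeProcess.KERNEL32(?,?), ref: 004020D6
• CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 004020FB
""",
    "regdelete": """
• RegOpenKeyExA.ADVAPI32(?,?,00000000,?,?), ref: 00402F05
• RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402F41
• RegCloseKey.ADVAPI32(?), ref: 00402F4A
• RegCloseKey.ADVAPI32(?), ref: 00402F6F
• RegDeleteKeyA.ADVAPI32(?,?), ref: 00402F8D
""",
    "logappend": """
• SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,00424780,40000000,00000004,?,?,00406773,00000000), ref: 00406626
• lstrcatA.KERNEL32(004253A0,0040ABEC,004253A0,?,?,00406773,00000000), ref: 00406641
• WriteFile.KERNEL32(004253A0,00000000,004253A0,?,00000000,004253A0,0040ABEC,004253A0,?,?,00406773,00000000), ref: 00406659
""",
}

if __name__ == "__main__":
    for label, text in SAMPLE_BLOCKS.items():
        calls = parse_api_block(text)
        print(f"{label:10} calls={len(calls)} tags={sorted(tag_calls(calls))}")
```

The regex anchors on the trailing "), ref: ADDR" rather than the first closing parenthesis, which is what makes the lstrlenA row whose argument column contains RMDir: RemoveDirectory("%s") parse correctly; sub-call rows are kept because Joe attributes a callee's APIs to the caller, and that is exactly why the Exec function is tagged with CreateProcessA although the call site is inside 00405AD4.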
                                          APIs
                                          • GetDlgItem.USER32(?), ref: 00401EEC
                                          • GetClientRect.USER32(00000000,?), ref: 00401EF9
                                          • LoadImageA.USER32(?,00000000,?,?,?,?), ref: 00401F1A
                                          • SendMessageA.USER32(00000000,00000172,?,00000000), ref: 00401F28
                                          • DeleteObject.GDI32(00000000), ref: 00401F37
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2191013243.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.2190998009.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191030062.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191048241.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191048241.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191048241.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191048241.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191138576.0000000000436000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_yDoZVwXSMG.jbxd
                                          Similarity
                                          • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                          • String ID:
                                          • API String ID: 1849352358-0
                                          • Opcode ID: 2b5ee9b79bc2e435364925ea92796c897a067646052ad9859a883ee0aa8a3ada
                                          • Instruction ID: 21f7915a8cdd7433989eb4cccbd80dcd7ad255e5dc09bc42d858887927c334f1
                                          • Opcode Fuzzy Hash: 2b5ee9b79bc2e435364925ea92796c897a067646052ad9859a883ee0aa8a3ada
                                          • Instruction Fuzzy Hash: 70F0ECB2500105AFD700EBA4EF88CAFB7BCEB48345B11447AF641F6191CA789D018B38
                                          APIs
                                          • lstrlenA.KERNEL32(00421DD8,00421DD8,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404C0B,000000DF,004215B0,00000400,00000000), ref: 00404D8E
                                          • wsprintfA.USER32 ref: 00404D96
                                          • SetDlgItemTextA.USER32(?,00421DD8), ref: 00404DA9
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2191013243.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.2190998009.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191030062.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191048241.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191048241.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191048241.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191048241.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191138576.0000000000436000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_yDoZVwXSMG.jbxd
                                          Similarity
                                          • API ID: ItemTextlstrlenwsprintf
                                          • String ID: %u.%u%s%s
                                          • API String ID: 3540041739-3551169577
                                          • Opcode ID: fb960496eb737e3345640ab9aa1b750d987e596b68fc784b6d450b4f24d22922
                                          • Instruction ID: fef6342639dcf3a39bf3010210a5e3f1a67f436211564216b1c935a3cd24951c
                                          • Opcode Fuzzy Hash: fb960496eb737e3345640ab9aa1b750d987e596b68fc784b6d450b4f24d22922
                                          • Instruction Fuzzy Hash: FA11B77360412827DB0065699C41EAE3298DF85775F25023BFA26F71D5E978DC1242A9
                                          APIs
                                          • SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401E34
                                          • SendMessageA.USER32(00000000,00000000,?,?), ref: 00401E4C
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2191013243.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.2190998009.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191030062.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191048241.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191048241.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191048241.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191048241.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2191138576.0000000000436000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_yDoZVwXSMG.jbxd
                                          Similarity
                                          • API ID: MessageSend$Timeout
                                          • String ID: !
                                          • API String ID: 1777923405-2657877971
                                          • Opcode ID: 4dc8f70aa0e183750effb2cde1311245b6065c9c0ffff7879e43e580c0dc7d9c
                                          • Instruction ID: 183b73fb6a545bb1246e923ab68f4d664312321a500069d7f5b6b65c517e0d36
                                          • Opcode Fuzzy Hash: 4dc8f70aa0e183750effb2cde1311245b6065c9c0ffff7879e43e580c0dc7d9c
                                          • Instruction Fuzzy Hash: CC219071940149BFDF01AFB0C94AAAE7BB5EF44304F10407EFA41B61D1D7B84A41DB98
                                          APIs
                                            • Part of subcall function 00402FAE: RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00000022,00000000,?,?), ref: 00402FD6
                                          • RegCloseKey.ADVAPI32(00000000), ref: 00402640
                                          • RegDeleteValueA.ADVAPI32(00000000,00000000,00000033), ref: 00402620
                                            • Part of subcall function 00406747: lstrlenA.KERNEL32(004253A0,?,?,00000000,00405D75,RMDir: RemoveDirectory("%s"),?,?,?), ref: 0040675E
                                            • Part of subcall function 00406747: wvsprintfA.USER32(00000000,004253A0,?), ref: 00406766
                                          Strings
                                          • DeleteRegValue: "%s\%s" "%s", xrefs: 00402632
                                          • DeleteRegKey: "%s\%s", xrefs: 00402655
                                          Similarity
                                          • API ID: CloseDeleteOpenValuelstrlenwvsprintf
                                          • String ID: DeleteRegKey: "%s\%s"$DeleteRegValue: "%s\%s" "%s"
                                          • API String ID: 1697273262-1764544995
                                          • Opcode ID: 02bdeb8d08911694a65d4586fa4c43738527b4bcc4f51e929d40f2f0180d0c71
                                          • Instruction ID: a5f9fdcf4292228b50cc97bbae3325fbb2d9f6784c2398e720f3cfd803d35b6f
                                          • Opcode Fuzzy Hash: 02bdeb8d08911694a65d4586fa4c43738527b4bcc4f51e929d40f2f0180d0c71
                                          • Instruction Fuzzy Hash: C411CE72A00210BBDB10AFA1DE4AEBE7A74EF44358F11043FF405B61C1DBBD49119AAE
                                          APIs
                                            • Part of subcall function 00406747: lstrlenA.KERNEL32(004253A0,?,?,00000000,00405D75,RMDir: RemoveDirectory("%s"),?,?,?), ref: 0040675E
                                            • Part of subcall function 00406747: wvsprintfA.USER32(00000000,004253A0,?), ref: 00406766
                                            • Part of subcall function 00406775: FindFirstFileA.KERNEL32(?,00423E28,004231E0,00405EE4,004231E0,004231E0,00000000,004231E0,004231E0,?,?,76232EE0,00405BAD,?,C:\Users\user\AppData\Local\Temp\~nsuA.tmp,76232EE0), ref: 00406780
                                            • Part of subcall function 00406775: FindClose.KERNEL32(00000000), ref: 0040678C
                                          • lstrlenA.KERNEL32 ref: 004024BF
                                          • lstrlenA.KERNEL32(00000000), ref: 004024C9
                                          • SHFileOperationA.SHELL32(?,?,?,00000000), ref: 004024F1
                                          Strings
                                          Similarity
                                          • API ID: lstrlen$FileFind$CloseFirstOperationwvsprintf
                                          • String ID: CopyFiles "%s"->"%s"
                                          • API String ID: 2577523808-3778932970
                                          • Opcode ID: 1287623eff98437f27fce682f7b588892205dee902ac4484e1de8504ad36e18e
                                          • Instruction ID: 0832a6020f1036a0726e8da95463cb7d6bb66b9f43395e8b0a18584e12aaf647
                                          • Opcode Fuzzy Hash: 1287623eff98437f27fce682f7b588892205dee902ac4484e1de8504ad36e18e
                                          • Instruction Fuzzy Hash: 06115171D04244BACB10EFF5DE49A8EBBB89F05318F10403BB405B72C1D6BCC9018769
                                          APIs
                                          Strings
                                          Similarity
                                          • API ID: lstrcatwsprintf
                                          • String ID: %02x%c$...
                                          • API String ID: 3065427908-1057055748
                                          • Opcode ID: daa42dd9d71092567bb90f5aa1bf8f8b213d546467a0c39d0d39aa66ca362de9
                                          • Instruction ID: d62a74e215861be07d80cfa2a74bb9186ec53be61cd52c9054fc739eae054529
                                          • Opcode Fuzzy Hash: daa42dd9d71092567bb90f5aa1bf8f8b213d546467a0c39d0d39aa66ca362de9
                                          • Instruction Fuzzy Hash: 5601F531904214AFD711DF99C985BDEBBE9EB84704F21413BF805F7280D3759EA087A8
                                          APIs
                                          • OleInitialize.OLE32(00000000), ref: 0040560D
                                            • Part of subcall function 004044EC: SendMessageA.USER32(?,00000000,00000000,00000000), ref: 004044FE
                                          • OleUninitialize.OLE32(00000404,00000000), ref: 0040565B
                                            • Part of subcall function 00406747: lstrlenA.KERNEL32(004253A0,?,?,00000000,00405D75,RMDir: RemoveDirectory("%s"),?,?,?), ref: 0040675E
                                            • Part of subcall function 00406747: wvsprintfA.USER32(00000000,004253A0,?), ref: 00406766
                                          Strings
                                          Similarity
                                          • API ID: InitializeMessageSendUninitializelstrlenwvsprintf
                                          • String ID: Section: "%s"$Skipping section: "%s"
                                          • API String ID: 2266616436-4211696005
                                          • Opcode ID: c1e2c449bcc68b352cf79dcfb7db83265b1627727e3ad06e037315caf05dff02
                                          • Instruction ID: b6033417647ee4c6c9867fb094380a517277432fe9fbf8781098b48ebfeefd64
                                          • Opcode Fuzzy Hash: c1e2c449bcc68b352cf79dcfb7db83265b1627727e3ad06e037315caf05dff02
                                          • Instruction Fuzzy Hash: 4CF028732446009AE7243762AD0AF167794DF80324FA6443FFE88731E1CF7E48428A6D
                                          APIs
                                          • lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\~nsuA.tmp,004036D4,C:\Users\user\AppData\Local\Temp\~nsuA.tmp,C:\Users\user\AppData\Local\Temp\~nsuA.tmp,C:\Users\user\AppData\Local\Temp\~nsuA.tmp,?,00403875), ref: 00405DC6
                                          • CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\~nsuA.tmp,004036D4,C:\Users\user\AppData\Local\Temp\~nsuA.tmp,C:\Users\user\AppData\Local\Temp\~nsuA.tmp,C:\Users\user\AppData\Local\Temp\~nsuA.tmp,?,00403875), ref: 00405DCF
                                          • lstrcatA.KERNEL32(?,0040A28C), ref: 00405DE0
                                          Strings
                                          • C:\Users\user\AppData\Local\Temp\~nsuA.tmp, xrefs: 00405DC0
                                          Similarity
                                          • API ID: CharPrevlstrcatlstrlen
                                          • String ID: C:\Users\user\AppData\Local\Temp\~nsuA.tmp
                                          • API String ID: 2659869361-97582353
                                          • Opcode ID: 474ca4425f08dcfbce71dbb0ed893910abc24d850d6d34f35572f5f56a012a6b
                                          • Instruction ID: 0734be1ac4b4e6ef13ff8d97b6b7742c695e07c626293a3ddb6dea9da1bc223f
                                          • Opcode Fuzzy Hash: 474ca4425f08dcfbce71dbb0ed893910abc24d850d6d34f35572f5f56a012a6b
                                          • Instruction Fuzzy Hash: 88D0A7625019306AD10132555C09DCF1B089F0234170500BFF101B3191C77C4D5187FE
                                          APIs
                                            • Part of subcall function 004062CD: lstrcpynA.KERNEL32(?,?,00000400,00403795,00425C00,NSIS Error), ref: 004062DA
                                          • GlobalFree.KERNEL32(00000000), ref: 00401D9C
                                          Strings
                                          Similarity
                                          • API ID: FreeGloballstrcpyn
                                          • String ID: Exch: stack < %d elements$Pop: stack empty
                                          • API String ID: 1459762280-1566736970
                                          • Opcode ID: c1cfcf0f631f3b5dd603a5b161242025d82f77c49408bd9f9c2f6b8be0c3e131
                                          • Instruction ID: 25a31974a44f7f3c9bc4a7fc565ada83b9efa98a6fb8f9df3e5ad5d088b76f6c
                                          • Opcode Fuzzy Hash: c1cfcf0f631f3b5dd603a5b161242025d82f77c49408bd9f9c2f6b8be0c3e131
                                          • Instruction Fuzzy Hash: CC21B3B2604141EBD710BF94DE85A5F73A4AF48319721493FF512B32D1EB7CA8119B2D
                                          APIs
                                          • GetDC.USER32(?), ref: 00401F49
                                          • GetDeviceCaps.GDI32(00000000), ref: 00401F50
                                          • MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401F5F
                                          • CreateFontIndirectA.GDI32(0040C8B4), ref: 00401FB1
                                          Similarity
                                          • API ID: CapsCreateDeviceFontIndirect
                                          • String ID:
                                          • API String ID: 3272661963-0
                                          • Opcode ID: 291d0e57388edc1b08859d94a8efc30bfd93f616262f4cc1ff9ef029793b8a23
                                          • Instruction ID: b63daee5e4490fecacf728a327702699109581dcf8ad524f23a780e713d248c9
                                          • Opcode Fuzzy Hash: 291d0e57388edc1b08859d94a8efc30bfd93f616262f4cc1ff9ef029793b8a23
                                          • Instruction Fuzzy Hash: B1F04473954684EFE7017760AF9ABAA3FA4A715306F148579E5C1B61E3C6B80008972D
                                          APIs
                                          • SetWindowTextA.USER32(00000000,00425C00), ref: 00403F98
                                          Strings
                                          Similarity
                                          • API ID: TextWindow
                                          • String ID: "C:\Users\user\Desktop\yDoZVwXSMG.exe"$C:\Users\user\AppData\Local\Temp\nsfC6FF.tmp
                                          • API String ID: 530164218-921192254
                                          • Opcode ID: 824abd7a98796db34fe8f0091d41f8f78567243a6a7f46d0f054108d974f342d
                                          • Instruction ID: c0cba1e1e52928c29bb6f4708aec44978d016cd28d93ecea9319bf13156573fa
                                          • Opcode Fuzzy Hash: 824abd7a98796db34fe8f0091d41f8f78567243a6a7f46d0f054108d974f342d
                                          • Instruction Fuzzy Hash: 0111C375F046129BC720AF15DC90A777BBCEB8975A369417FE801AB3A0C6399D02866C
                                          APIs
                                          • IsWindowVisible.USER32(?), ref: 004054B1
                                          • CallWindowProcA.USER32(?,00000200,?,?), ref: 0040551F
                                            • Part of subcall function 004044EC: SendMessageA.USER32(?,00000000,00000000,00000000), ref: 004044FE
                                          Strings
                                          Similarity
                                          • API ID: Window$CallMessageProcSendVisible
                                          • String ID:
                                          • API String ID: 3748168415-3916222277
                                          • Opcode ID: a97747d4f20b58a5a8246378c350f1c08e6f5488a267fa018f0172030650b825
                                          • Instruction ID: 166d6715e7ab60c55adc75bb3d5397455d2db949af7a45014f951e8b9f02b12e
                                          • Opcode Fuzzy Hash: a97747d4f20b58a5a8246378c350f1c08e6f5488a267fa018f0172030650b825
                                          • Instruction Fuzzy Hash: 2C118C31200608BBDB216F52DC40A9B3B6AEF15365F00843BF609792A2C7788D51CFA9
                                          APIs
                                          • ShellExecuteA.SHELL32(?,00000000,00000000,00000000,0042C800,?), ref: 00402040
                                            • Part of subcall function 00406747: lstrlenA.KERNEL32(004253A0,?,?,00000000,00405D75,RMDir: RemoveDirectory("%s"),?,?,?), ref: 0040675E
                                            • Part of subcall function 00406747: wvsprintfA.USER32(00000000,004253A0,?), ref: 00406766
                                          Strings
                                          • ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d, xrefs: 0040204F
                                          • ExecShell: success ("%s": file:"%s" params:"%s"), xrefs: 00402064
                                          Similarity
                                          • API ID: ExecuteShelllstrlenwvsprintf
                                          • String ID: ExecShell: success ("%s": file:"%s" params:"%s")$ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d
                                          • API String ID: 2380004146-2180253247
                                          • Opcode ID: 7c1dea5b3ff3ade20b01131b07687108b99786545fcbf0ac971017966e44b1c4
                                          • Instruction ID: 9f4db21a6b6a14a70f0226e5947bfc74daeb421406b5451b347b61cec48b8855
                                          • Opcode Fuzzy Hash: 7c1dea5b3ff3ade20b01131b07687108b99786545fcbf0ac971017966e44b1c4
                                          • Instruction Fuzzy Hash: 7D01D4B1B442007EDB206AB6DD4EE6B6A68DF4575CB60043BF401F61C2DAFD8C119279
                                          APIs
                                            • Part of subcall function 004062CD: lstrcpynA.KERNEL32(?,?,00000400,00403795,00425C00,NSIS Error), ref: 004062DA
                                            • Part of subcall function 00405E54: CharNextA.USER32(00405BAD,?,004231E0,00000000,00405EB8,004231E0,004231E0,?,?,76232EE0,00405BAD,?,C:\Users\user\AppData\Local\Temp\~nsuA.tmp,76232EE0), ref: 00405E62
                                            • Part of subcall function 00405E54: CharNextA.USER32(00000000), ref: 00405E67
                                            • Part of subcall function 00405E54: CharNextA.USER32(00000000), ref: 00405E76
                                          • lstrlenA.KERNEL32(004231E0,00000000,004231E0,004231E0,?,?,76232EE0,00405BAD,?,C:\Users\user\AppData\Local\Temp\~nsuA.tmp,76232EE0), ref: 00405EF4
                                          • GetFileAttributesA.KERNEL32(004231E0,004231E0,004231E0,004231E0,004231E0,004231E0,00000000,004231E0,004231E0,?,?,76232EE0,00405BAD,?,C:\Users\user\AppData\Local\Temp\~nsuA.tmp,76232EE0), ref: 00405F04
                                          Strings
                                          Similarity
                                          • API ID: CharNext$AttributesFilelstrcpynlstrlen
                                          • String ID: 1B
                                          • API String ID: 3248276644-3133059986
                                          • Opcode ID: dbfd0eb15a0aee7a56b9524eaabc91726594297034a6f990c90e67fba31c6c96
                                          • Instruction ID: 0a9ec8cc8701c190d5637e4eaeae3a47b1d3f29b87e2c858e077ece57a352d20
                                          • Opcode Fuzzy Hash: dbfd0eb15a0aee7a56b9524eaabc91726594297034a6f990c90e67fba31c6c96
                                          • Instruction Fuzzy Hash: 8DF0F435115D6116D622333A9C09AAF2A18CE82328716053FF8E2B22D1DB3C8B4389FD
                                          APIs
                                            • Part of subcall function 004062CD: lstrcpynA.KERNEL32(?,?,00000400,00403795,00425C00,NSIS Error), ref: 004062DA
                                          • WritePrivateProfileStringA.KERNEL32(?,?,?,00000000), ref: 004025AA
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2191013243.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_yDoZVwXSMG.jbxd
                                          Similarity
                                          • API ID: PrivateProfileStringWritelstrcpyn
                                          • String ID: <RM>$WriteINIStr: wrote [%s] %s=%s in %s
                                          • API String ID: 247603264-2205282576
                                          • Opcode ID: 761816c344bc7c14fad519cf076e7676c334ba530189723ea92024271b26ca30
                                          • Instruction ID: 330d2e4d02b989cca60e921ba8ea68942becdf5f63010b794772c6dbbebc1385
                                          • Opcode Fuzzy Hash: 761816c344bc7c14fad519cf076e7676c334ba530189723ea92024271b26ca30
                                          • Instruction Fuzzy Hash: B6012C71D40259BACF04BFA18E499AF7974AF44354F10443FB515761C2C7BC0A50CBAD
                                          APIs
                                          • ShowWindow.USER32(00000000,00000000,00000001), ref: 00401FE4
                                            • Part of subcall function 00406747: lstrlenA.KERNEL32(004253A0,?,?,00000000,00405D75,RMDir: RemoveDirectory("%s"),?,?,?), ref: 0040675E
                                            • Part of subcall function 00406747: wvsprintfA.USER32(00000000,004253A0,?), ref: 00406766
                                          • EnableWindow.USER32(00000000,00000000), ref: 00401FEF
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2191013243.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_yDoZVwXSMG.jbxd
                                          Similarity
                                          • API ID: Window$EnableShowlstrlenwvsprintf
                                          • String ID: HideWindow
                                          • API String ID: 1249568736-780306582
                                          • Opcode ID: 538e065fc1b70d76e8ca8ce03386398be470029bf36a18afe3fffe23a19aa57c
                                          • Instruction ID: f9bbae7df7fa4fde6100788e383a183b323f94d17af37d41b00e3582981cb5ce
                                          • Opcode Fuzzy Hash: 538e065fc1b70d76e8ca8ce03386398be470029bf36a18afe3fffe23a19aa57c
                                          • Instruction Fuzzy Hash: 93E09232600201DBCB10ABF5EE4999EB2B0AF44359B60043FE441F60D2DB7D8C41D67D
                                          APIs
                                          • FreeLibrary.KERNEL32(?,C:\Users\user\AppData\Local\Temp\~nsuA.tmp,00000000,76232EE0,00403B38,?,0040392A,00000020), ref: 00403B7B
                                          • GlobalFree.KERNEL32(00000000), ref: 00403B82
                                          Strings
                                          • C:\Users\user\AppData\Local\Temp\~nsuA.tmp, xrefs: 00403B73
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2191013243.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_yDoZVwXSMG.jbxd
                                          Similarity
                                          • API ID: Free$GlobalLibrary
                                          • String ID: C:\Users\user\AppData\Local\Temp\~nsuA.tmp
                                          • API String ID: 1100898210-97582353
                                          • Opcode ID: 4a26028100cf0ca1eb7320d9d5861408e20f1dc8c6947a4482afe346d8307102
                                          • Instruction ID: fc000f3235394a2863270d4c988953181e2e652df1d5c43234967270b233dd50
                                          • Opcode Fuzzy Hash: 4a26028100cf0ca1eb7320d9d5861408e20f1dc8c6947a4482afe346d8307102
                                          • Instruction Fuzzy Hash: 2BE08C3352102097C6211F45A904B5AB7BCAF45B26F06853BE884772A287742C428BCC
                                          APIs
                                          • lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,0040318C,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\yDoZVwXSMG.exe,C:\Users\user\Desktop\yDoZVwXSMG.exe,80000000,00000003), ref: 00405E0D
                                          • CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,0040318C,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\yDoZVwXSMG.exe,C:\Users\user\Desktop\yDoZVwXSMG.exe,80000000,00000003), ref: 00405E1B
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2191013243.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_yDoZVwXSMG.jbxd
                                          Similarity
                                          • API ID: CharPrevlstrlen
                                          • String ID: C:\Users\user\Desktop
                                          • API String ID: 2709904686-3125694417
                                          • Opcode ID: 0e813410e8fe4af35f1e42066ab3310dcd072c640338dbde9885af6b97860c84
                                          • Instruction ID: 23fada268802dc59446a59c67ae78adf9070c91ebc4bc7db9eb0e03d7b787ba1
                                          • Opcode Fuzzy Hash: 0e813410e8fe4af35f1e42066ab3310dcd072c640338dbde9885af6b97860c84
                                          • Instruction Fuzzy Hash: A3D0A772408D701EE3036310DC04B8F6B48DF16300F0900A7F1C1AA1D0C6784D424BFD
                                          APIs
                                            • Part of subcall function 004062CD: lstrcpynA.KERNEL32(?,?,00000400,00403795,00425C00,NSIS Error), ref: 004062DA
                                            • Part of subcall function 00405DC0: lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\~nsuA.tmp,004036D4,C:\Users\user\AppData\Local\Temp\~nsuA.tmp,C:\Users\user\AppData\Local\Temp\~nsuA.tmp,C:\Users\user\AppData\Local\Temp\~nsuA.tmp,?,00403875), ref: 00405DC6
                                            • Part of subcall function 00405DC0: CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\~nsuA.tmp,004036D4,C:\Users\user\AppData\Local\Temp\~nsuA.tmp,C:\Users\user\AppData\Local\Temp\~nsuA.tmp,C:\Users\user\AppData\Local\Temp\~nsuA.tmp,?,00403875), ref: 00405DCF
                                            • Part of subcall function 00405DC0: lstrcatA.KERNEL32(?,0040A28C), ref: 00405DE0
                                          • lstrcatA.KERNEL32(00000000,00000000,00424780,C:\Users\user\Desktop,install.log,00403D69,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\nsfC6FF.tmp,00421DD8,80000001,Control Panel\Desktop\ResourceLocale,00000000,00421DD8,00000000,00000003), ref: 00403C11
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2191013243.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_yDoZVwXSMG.jbxd
                                          Similarity
                                          • API ID: lstrcat$CharPrevlstrcpynlstrlen
                                          • String ID: C:\Users\user\Desktop$install.log
                                          • API String ID: 2126114531-2220312752
                                          • Opcode ID: 4b77a2e339eb68ff388b82575c8e29bbe101c667e65de6cbe57859233cde245b
                                          • Instruction ID: 573e70e16c7f3eccbdc253e2bea591d89099f51d3e6e710ae79217221ee15991
                                          • Opcode Fuzzy Hash: 4b77a2e339eb68ff388b82575c8e29bbe101c667e65de6cbe57859233cde245b
                                          • Instruction Fuzzy Hash: 27B00265BA075160D80436B32D5BF1E051C5C81B2C3F689BFB011710C259BCA065546D
                                          APIs
                                          • lstrlenA.KERNEL32(00000000,?,00000000,00000000,00406127,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405F20
                                          • lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405F39
                                          • CharNextA.USER32(00000000,?,?,00000000,000000F1,?), ref: 00405F47
                                          • lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,00406127,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405F50
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2191013243.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_yDoZVwXSMG.jbxd
                                          Similarity
                                          • API ID: lstrlen$CharNextlstrcmpi
                                          • String ID:
                                          • API String ID: 190613189-0
                                          • Opcode ID: 799b41214dee5a3a207c986fb220c019988a50b8bc6b7bac04f470c9780bf706
                                          • Instruction ID: a929261b065623d84111eb1ef98f27e3caca39442dc5c5f552f944d16b5be969
                                          • Opcode Fuzzy Hash: 799b41214dee5a3a207c986fb220c019988a50b8bc6b7bac04f470c9780bf706
                                          • Instruction Fuzzy Hash: 84F0A736209D52ABC202AB355C04A6B6B94EF86315B14047EF041F2240D73A98259BBE

                                          Execution Graph

                                          Execution Coverage:14.3%
                                          Dynamic/Decrypted Code Coverage:39.4%
                                          Signature Coverage:2.3%
                                          Total number of Nodes:1420
                                          Total number of Limit Nodes:44
                                           execution_graph (rendered in the report as an interactive node graph; the extraction flattened its node labels and edges into one run of tokens of the form "<node id> <hex address> [API names | N API calls]" and "<id>-><id>". The full edge list is not reproduced here; below are the nodes that carry API calls, grouped by the sub-graph they belong to, with the addresses exactly as exported.)
                                           • Entry at 4036e7: SetErrorMode, GetVersion; 40679c GetSystemDirectoryA, 4067be wsprintfA LoadLibraryExA; 40680a GetModuleHandleA, 406830 GetProcAddress; 403758 #17 (ordinal import) OleInitialize SHGetFileInfoA; 403795 GetCommandLineA; 4037a7 GetModuleHandleA; 4037d2/405df7 CharNextA; 40385f GetTempPathA; 403879 GetWindowsDirectoryA lstrcatA; 40389d DeleteFileA; 403120 GetTickCount GetModuleFileNameA; 403197 GetFileSize; 4032db GlobalAlloc; 403303 CreateFileA; 40366d ReadFile; 40369f SetFilePointer.
                                           • Continuation from 4038b1: 403955, 403966 lstrcatA; 403971 lstrcatA lstrcmpiA; 405a22 CreateDirectoryA, 405a73 GetLastError, 405a82 SetFileSecurityA, 405a98 GetLastError; 405a9f CreateDirectoryA, 405ab3 GetLastError; 40399e SetCurrentDirectoryA; 4039f5 CopyFileA; 403a29 CloseHandle; 405ad4 CreateProcessA, 405b03 CloseHandle; 405b5e MessageBoxIndirectA; 403948 ExitProcess; 403a7c GetCurrentProcess; 403ad8 ExitWindowsEx; 403aec ExitProcess.
                                           • Window setup from 403c17: 40622b wsprintfA; 4061b4 RegOpenKeyExA, 4061e7 RegQueryValueExA, 406208 RegCloseKey; 403c82/403c10 lstrcatA; 403cfc lstrlenA; 403d0a lstrcmpiA; 403d1a GetFileAttributesA; 403d73 LoadImageA; 403d9e RegisterClassA; 403dda SystemParametersInfoA CreateWindowExA; 403e4a ShowWindow; 403e70 GetClassInfoA, 403e84 GetClassInfoA RegisterClassA; 403e9a DialogBoxParamA; 4055fd OleInitialize, 40565b OleUninitialize; 403f91 SetWindowTextA.
                                           • Dialog procedure at 403fcd: 404131 GetDlgItem GetDlgItem; 403ffc SetWindowPos; 404014 ShowWindow; 404034 DestroyWindow; 404053 SetWindowLongA; 404083 SendMessageA IsWindowEnabled; 40415b SetClassLongA; 4044ec, 4041a7, 4040f4, 4042e8, 4044d5, 404486 SendMessageA; 40442b DestroyWindow EndDialog; 40445a ShowWindow; 404258 GetDlgItem; 404275 ShowWindow KiUserCallbackDispatcher; 4044c2, 40429f EnableWindow; 4042b8 GetSystemMenu EnableMenuItem SendMessageA; 4062cd lstrcpynA; 404316 lstrlenA; 404327 SetWindowTextA; 404385 CreateDialogParamA; 4043c3 GetDlgItem GetWindowRect ScreenToClient SetWindowPos; 404411 ShowWindow; 4044ab SetDlgItemTextA. Colour handling at 404507: 40451f GetWindowLongA; 40453f, 40456a GetSysColor; 404548 SetTextColor; 404552 SetBkMode; 404577 SetBkColor; 404594 DeleteObject; 40459b CreateBrushIndirect.
                                           • Progress/status helpers from 403081: 403098 DestroyWindow; 4030b7 GetTickCount; 4030fa CreateDialogParamA ShowWindow; 4030db wsprintfA; 403076 MulDiv; 406863 PeekMessageA, 406859 DispatchMessageA; 405563, 405571 lstrlenA; 405583 lstrcatA; 405592 SetWindowTextA; 4055a5 SendMessageA SendMessageA SendMessageA.
                                           • File extraction from 4033c6: 4033d7, 40352b, 40363c SetFilePointer; 403404, 4034b6, 403466 ReadFile; 40347f, 4035e5 WriteFile; 4034f1 GetTickCount; buffer management at 406907 with 4069c4, 406a3b GlobalAlloc and 4069bb, 406a32 GlobalFree.
                                           • Path and string helpers: 4062ef leads to 406394 GetVersion, 40640c GetSystemDirectoryA, 40641f GetWindowsDirectoryA, 406453 SHGetSpecialFolderLocation, 40646b SHGetPathFromIDListA CoTaskMemFree, 406496 lstrcatA, 4064ed lstrlenA; 40601b leads to 406083 GetShortPathNameA, 406067 CloseHandle GetShortPathNameA, 4060a0 wsprintfA, 4060e4 GetFileSize GlobalAlloc, 406102 ReadFile, 40614c SetFilePointer WriteFile GlobalFree, 406171 CloseHandle, 405f19 lstrlenA; 405fa4 GetFileAttributesA CreateFileA; 405fde GetTickCount GetTempFileNameA; 405dc0 lstrlenA CharPrevA, 405dda lstrcatA; 405e19, 4065a7 CharPrevA; 406586, 406593, 406598 CharNextA; 405f03 GetFileAttributesA; 4065dd CloseHandle, 406621 SetFilePointer, 406635 lstrcatA lstrlenA WriteFile; 403b15, 403b29 CloseHandle.
                                           • Branch table at 401434 (reached through 401389, which calls 4013cb MulDiv SendMessageA): 4014d4 PostQuitMessage; 4015df, 4015f3 ShowWindow; 401e62 FindWindowExA; 401e44 SendMessageA; 401e26 SendMessageTimeoutA; 401b6e, 401b9f lstrlenA with 4062cd lstrcpynA; 4028e2 leads to 405fa4 GetFileAttributesA CreateFileA.
                                           • Code outside the main image: 3a12732 SetWindowLongA SendMessageA ShowWindow; 3a1278e KiUserCallbackDispatcher IsDialogMessageA; 3a127ad IsDialogMessageA; 3a127be TranslateMessage DispatchMessageA; 3a127e9 SetWindowLongA DestroyWindow; 3a1280e ShowWindow; 3a1100f GlobalFree (called repeatedly); 3a1288d DeleteObject; 3a1289c DestroyIcon; 3a110dc (20 API calls), 3a12afb (2 API calls); 39f301b (28 API calls); 10001097 leads to 1000115b SetCursor, 10001142 CallWindowProcA, 100010b8 GetCapture, 100010c2 SendMessageA InvalidateRect SetCapture, 100010e7 GetWindowRect ClientToScreen PtInRect, 10001121 SendDlgItemMessageA InvalidateRect SetDlgItemTextA.
6702->6764 6703->6702 6716 401780 6704->6716 6717 40185e SearchPathA 6705->6717 6718 401603 6706->6718 6719 401508 6707->6719 6710->6764 6723 401556 SetForegroundWindow 6711->6723 6724 4017f9 GetFullPathNameA 6712->6724 6725 40173e 6713->6725 6726 4014aa 6714->6726 6715->6764 6729 402ea4 18 API calls 6716->6729 6717->6764 6730 406747 9 API calls 6718->6730 6731 406747 9 API calls 6719->6731 6722 401529 6733 406747 9 API calls 6722->6733 6723->6764 6734 401810 6724->6734 6735 401831 6724->6735 6817 406775 FindFirstFileA 6725->6817 6737 406747 9 API calls 6726->6737 6727->6764 6738 4014f4 6728->6738 6739 401789 6729->6739 6740 401613 SetFileAttributesA 6730->6740 6741 401513 6731->6741 6743 401536 6733->6743 6734->6735 6760 406775 2 API calls 6734->6760 6747 401845 GetShortPathNameA 6735->6747 6735->6764 6745 4014b5 6737->6745 6748 401389 67 API calls 6738->6748 6749 402ea4 18 API calls 6739->6749 6750 401628 6740->6750 6740->6764 6751 40552b 25 API calls 6741->6751 6753 401540 Sleep 6743->6753 6754 40153d 6743->6754 6746 40552b 25 API calls 6745->6746 6746->6764 6747->6764 6748->6764 6758 401793 6749->6758 6759 406747 9 API calls 6750->6759 6751->6764 6753->6764 6754->6753 6755 401760 6757 406747 9 API calls 6755->6757 6756 40174a 6761 406747 9 API calls 6756->6761 6757->6764 6765 406747 9 API calls 6758->6765 6766 401639 6759->6766 6762 401821 6760->6762 6763 401758 6761->6763 6762->6735 6820 4062cd lstrcpynA 6762->6820 6763->6764 6776 406747 9 API calls 6763->6776 6764->6681 6768 4017a0 MoveFileA 6765->6768 6766->6764 6767 4016ee 6769 401731 6767->6769 6770 4016f3 6767->6770 6773 4017b0 6768->6773 6774 4017b7 6768->6774 6777 401423 25 API calls 6769->6777 6813 401423 6770->6813 6771 405deb CharNextA 6790 40165e 6771->6790 6773->6769 6778 4017d6 6774->6778 6781 406775 2 API calls 6774->6781 6776->6764 6777->6764 6778->6763 6780 405a9f 2 API calls 6780->6790 6783 4017c2 6781->6783 6783->6778 6788 40601b 40 API calls 6783->6788 6784 401705 SetCurrentDirectoryA 
6784->6764 6786 401714 GetLastError 6784->6786 6785 405abc 5 API calls 6785->6790 6789 406747 9 API calls 6786->6789 6787 4016b8 GetFileAttributesA 6787->6790 6791 4017cf 6788->6791 6789->6764 6790->6767 6790->6771 6790->6780 6790->6785 6790->6787 6792 405a22 4 API calls 6790->6792 6793 406747 9 API calls 6790->6793 6794 401423 25 API calls 6791->6794 6792->6790 6793->6790 6794->6778 6796 402eb0 6795->6796 6797 4062ef 18 API calls 6796->6797 6798 402ed1 6797->6798 6799 401645 6798->6799 6800 40652f 5 API calls 6798->6800 6801 406747 lstrlenA wvsprintfA 6799->6801 6800->6799 6802 4065c8 7 API calls 6801->6802 6803 401655 6802->6803 6804 405e54 CharNextA CharNextA 6803->6804 6805 405e6e 6804->6805 6808 405e7a 6804->6808 6806 405e75 CharNextA 6805->6806 6805->6808 6807 405e97 6806->6807 6807->6790 6808->6807 6809 405deb CharNextA 6808->6809 6809->6808 6811 4062ef 18 API calls 6810->6811 6812 402e9b 6811->6812 6812->6722 6814 40552b 25 API calls 6813->6814 6815 401431 6814->6815 6816 4062cd lstrcpynA 6815->6816 6816->6784 6818 401746 6817->6818 6819 40678b FindClose 6817->6819 6818->6755 6818->6756 6819->6818 6820->6735 6821->6764 6822->6447 6823->6469 6825 403b6f 6824->6825 6826 403b38 6825->6826 6827 403b74 FreeLibrary GlobalFree 6825->6827 6828 405b99 6826->6828 6827->6826 6827->6827 6829 405ea1 18 API calls 6828->6829 6830 405bad 6829->6830 6831 405bb6 DeleteFileA 6830->6831 6832 405bcd 6830->6832 6833 40392a OleUninitialize 6831->6833 6834 405d39 6832->6834 6876 4062cd lstrcpynA 6832->6876 6833->6276 6833->6277 6834->6833 6837 405d47 6834->6837 6842 406775 2 API calls 6834->6842 6836 405bf7 6838 405c08 6836->6838 6839 405bfb lstrcatA 6836->6839 6843 406747 9 API calls 6837->6843 6841 405e07 2 API calls 6838->6841 6840 405c0e 6839->6840 6844 405c1c lstrcatA 6840->6844 6846 405c27 lstrlenA FindFirstFileA 6840->6846 6841->6840 6845 405d60 6842->6845 6843->6833 6844->6846 6845->6833 6848 405dc0 3 API calls 6845->6848 6847 405d2f 6846->6847 6863 405c4b 6846->6863 
6847->6834 6850 405d6a 6848->6850 6849 405deb CharNextA 6849->6863 6851 406747 9 API calls 6850->6851 6852 405d75 6851->6852 6853 405f85 2 API calls 6852->6853 6854 405d7d RemoveDirectoryA 6853->6854 6858 405db3 6854->6858 6859 405d89 6854->6859 6855 405d0e FindNextFileA 6857 405d26 FindClose 6855->6857 6855->6863 6857->6847 6861 40552b 25 API calls 6858->6861 6859->6837 6860 405d8f 6859->6860 6862 406747 9 API calls 6860->6862 6861->6833 6864 405d99 6862->6864 6863->6849 6863->6855 6865 405b99 68 API calls 6863->6865 6872 40552b 25 API calls 6863->6872 6873 406747 9 API calls 6863->6873 6874 40552b 25 API calls 6863->6874 6875 40601b 40 API calls 6863->6875 6877 4062cd lstrcpynA 6863->6877 6878 405f85 GetFileAttributesA 6863->6878 6867 40552b 25 API calls 6864->6867 6865->6863 6869 405da3 6867->6869 6870 40601b 40 API calls 6869->6870 6871 405daa 6870->6871 6871->6833 6872->6855 6873->6863 6874->6863 6875->6863 6876->6836 6877->6863 6879 405cc3 DeleteFileA 6878->6879 6880 405f94 SetFileAttributesA 6878->6880 6879->6863 6880->6879 6881->6509 6882->6509 6883->6499 6884->6523 6885->6529 6887 405f4f lstrlenA 6886->6887 6888 405f59 6887->6888 6889 405f2d lstrcmpiA 6887->6889 6888->6536 6888->6537 6889->6888 6890 405f46 CharNextA 6889->6890 6890->6887 6891->6540 6892 4021e9 6893 4022e0 6892->6893 6894 4021fb 6892->6894 6895 401423 25 API calls 6893->6895 6896 402ea4 18 API calls 6894->6896 6902 4022d9 6895->6902 6897 402202 6896->6897 6898 402ea4 18 API calls 6897->6898 6899 40220b 6898->6899 6900 402221 LoadLibraryExA 6899->6900 6901 402213 GetModuleHandleA 6899->6901 6903 402236 GetProcAddress 6900->6903 6904 4022c7 6900->6904 6901->6900 6901->6903 6905 402285 6903->6905 6906 402248 6903->6906 6907 401423 25 API calls 6904->6907 6908 40552b 25 API calls 6905->6908 6909 402250 6906->6909 6910 402267 6906->6910 6911 4022ce 6907->6911 6912 40228f 6908->6912 6913 401423 25 API calls 6909->6913 6920 3a12931 6910->6920 6928 1000116d 6910->6928 6915 406747 9 API calls 
6911->6915 6914 406747 9 API calls 6912->6914 6916 402258 6913->6916 6914->6916 6915->6902 6916->6902 6917 4022b9 FreeLibrary 6916->6917 6917->6902 6921 3a12965 6920->6921 6922 3a1297a 6921->6922 6923 3a1296e 6921->6923 6944 3a11e2f 6922->6944 6941 3a12afb 6923->6941 7100 100013a6 6928->7100 6930 100013a6 2 API calls 6932 100011c1 6930->6932 6931 100011a2 6931->6930 6933 100013a6 2 API calls 6932->6933 6934 100011de 6933->6934 6935 100011f4 GetDlgItem 6934->6935 6936 100013a6 2 API calls 6935->6936 6937 1000121e 8 API calls 6936->6937 6938 100012b1 EnableWindow SetWindowLongA SetWindowLongA 6937->6938 6939 1000129b LoadImageA 6937->6939 6940 100012f1 6938->6940 6939->6938 6940->6916 6942 3a12b04 GlobalAlloc lstrcpynA 6941->6942 6943 3a12978 6941->6943 6942->6943 6943->6916 6945 3a11e56 6944->6945 6950 3a11e66 6944->6950 7059 3a12abb 6945->7059 6947 3a1271a 6949 3a12abb 2 API calls 6947->6949 6948 3a11e5c 6951 3a12afb 2 API calls 6948->6951 6949->6948 6950->6947 7016 3a11410 6950->7016 6952 3a12702 6951->6952 6952->6916 6955 3a11ea3 GetDlgItem 6956 3a11ec9 GetDlgItem GetDlgItem GetDlgItem 6955->6956 6957 3a11eb9 6955->6957 7056 3a11087 6956->7056 6958 3a12abb 2 API calls 6957->6958 6958->6948 6961 3a11087 SetWindowTextA 6962 3a11f09 6961->6962 6963 3a11087 SetWindowTextA 6962->6963 6964 3a11f1a 6963->6964 6965 3a11f33 6964->6965 6966 3a11f2a EnableWindow 6964->6966 6967 3a11f67 6965->6967 6968 3a11f3d EnableWindow 6965->6968 6966->6965 6970 3a11f71 ShowWindow 6967->6970 6971 3a11f8a SendMessageA CreateDialogParamA 6967->6971 6969 3a11f4e GetSystemMenu EnableMenuItem 6968->6969 6969->6967 6970->6971 6973 3a11fc2 GetWindowRect MapWindowPoints SetWindowPos SendMessageA 6971->6973 6974 3a12706 6971->6974 6976 3a126b6 6973->6976 6988 3a1202c 6973->6988 6975 3a12abb 2 API calls 6974->6975 6978 3a1270c 6975->6978 7073 3a11071 SendMessageA 6976->7073 6980 3a12afb 2 API calls 6978->6980 6979 3a126c1 6982 3a11087 SetWindowTextA 6979->6982 6980->6952 6981 3a126b0 6981->6976 
6981->6979 6984 3a126cf wsprintfA 6982->6984 6983 3a12076 MapDialogRect 6983->6988 6985 3a12afb 2 API calls 6984->6985 6985->6952 6986 3a1219e CreateWindowExA wsprintfA wsprintfA WritePrivateProfileStringA 6987 3a12233 SendMessageA 6986->6987 6986->6988 6987->6988 6988->6981 6988->6983 6988->6986 6989 3a12617 SendMessageA 6988->6989 6993 3a1226c SetWindowLongA 6988->6993 6994 3a12293 LoadImageA 6988->6994 6995 3a11087 SetWindowTextA 6988->6995 6996 3a122d8 LoadIconA 6988->6996 6997 3a1245f SendMessageA 6988->6997 6999 3a122f6 GetObjectA 6988->6999 7003 3a12564 CharNextA 6988->7003 7004 3a1100f GlobalFree 6988->7004 7005 3a12552 SendMessageA 6988->7005 7006 3a12328 CreateCompatibleDC SelectObject GetDIBits CreateRectRgn 6988->7006 7007 3a12436 SetWindowRgn DeleteObject DeleteObject 6988->7007 7008 3a125f8 SendMessageA 6988->7008 7011 3a123f8 CreateRectRgn CombineRgn DeleteObject 6988->7011 7012 3a124ca 6988->7012 7064 3a12a54 6988->7064 7068 3a11000 GlobalAlloc 6988->7068 7069 3a1101f lstrlenA 6988->7069 6989->6988 6991 3a1262d GetWindowLongA SetWindowLongA 6989->6991 6991->6988 6992 3a1260f SendMessageA 6992->6988 6993->6988 6994->6988 6995->6988 6996->6988 6997->6988 7001 3a1247a GetClientRect SetWindowPos 6997->7001 6999->6988 6999->6997 7001->6988 7003->6988 7004->6988 7005->6988 7006->6988 7006->7007 7009 3a1100f GlobalFree 7007->7009 7008->6988 7008->7012 7009->6988 7010 3a12596 SendMessageA 7010->7012 7011->6988 7012->6988 7012->6992 7012->7008 7012->7010 7013 3a125b8 CharNextA 7012->7013 7014 3a125ce SendMessageA 7012->7014 7072 3a11071 SendMessageA 7012->7072 7013->7012 7014->7012 7015 3a125e1 SendMessageA 7014->7015 7015->7012 7074 3a113d5 7016->7074 7019 3a113d5 4 API calls 7020 3a11437 7019->7020 7021 3a113d5 4 API calls 7020->7021 7022 3a11446 7021->7022 7023 3a113d5 4 API calls 7022->7023 7024 3a11455 7023->7024 7079 3a113f3 GetPrivateProfileIntA 7024->7079 7026 3a11467 7080 3a113f3 GetPrivateProfileIntA 7026->7080 7028 3a1147b 7081 3a113f3 
GetPrivateProfileIntA 7028->7081 7030 3a1148c 7082 3a113f3 GetPrivateProfileIntA 7030->7082 7032 3a1149d 7083 3a113f3 GetPrivateProfileIntA 7032->7083 7034 3a114ae 7084 3a113f3 GetPrivateProfileIntA 7034->7084 7036 3a114be 7051 3a114d8 7036->7051 7091 3a11000 GlobalAlloc 7036->7091 7038 3a11763 7038->6947 7038->6955 7039 3a11509 wsprintfA 7085 3a113a6 GetPrivateProfileStringA 7039->7085 7041 3a129d7 lstrcmpiA 7041->7051 7043 3a1101f GlobalAlloc lstrlenA lstrcpyA 7043->7051 7044 3a113a6 GetPrivateProfileStringA 7044->7051 7046 3a115aa lstrcpyA 7046->7051 7047 3a12a54 CharNextA 7047->7051 7048 3a113d5 GlobalAlloc lstrlenA lstrcpyA GetPrivateProfileStringA 7048->7051 7049 3a12a54 CharNextA 7050 3a11603 GetPrivateProfileStringA 7049->7050 7050->7051 7051->7038 7051->7039 7051->7041 7051->7043 7051->7044 7051->7047 7051->7048 7051->7049 7054 3a1164e CharNextA 7051->7054 7055 3a113f3 GetPrivateProfileIntA 7051->7055 7086 3a12a11 7051->7086 7092 3a11000 GlobalAlloc 7051->7092 7093 3a11000 GlobalAlloc 7051->7093 7053 3a11633 lstrcpyA 7053->7051 7054->7051 7055->7051 7057 3a11094 7056->7057 7058 3a1108e SetWindowTextA 7056->7058 7057->6961 7058->7057 7060 3a12ac5 7059->7060 7061 3a12af4 7059->7061 7060->7061 7062 3a12ad2 lstrcpyA 7060->7062 7063 3a12ae5 GlobalFree 7060->7063 7061->6948 7062->7063 7063->7061 7065 3a12ab3 7064->7065 7067 3a12a5d 7064->7067 7065->6988 7066 3a12a84 CharNextA 7066->7067 7067->7065 7067->7066 7068->6988 7099 3a11000 GlobalAlloc 7069->7099 7071 3a11030 lstrcpyA 7071->6988 7072->6988 7073->6979 7094 3a113a6 GetPrivateProfileStringA 7074->7094 7076 3a113de 7077 3a1101f 3 API calls 7076->7077 7078 3a113ec 7076->7078 7077->7078 7078->7019 7079->7026 7080->7028 7081->7030 7082->7032 7083->7034 7084->7036 7085->7051 7087 3a12a1b 7086->7087 7088 3a12a28 CharNextA 7087->7088 7090 3a12a4b 7087->7090 7095 3a129d7 7087->7095 7088->7087 7090->7051 7091->7051 7092->7046 7093->7053 7094->7076 7096 3a12a03 7095->7096 7097 3a129e4 7095->7097 7096->7087 7097->7096 
7098 3a129e8 lstrcmpiA 7097->7098 7098->7096 7098->7097 7099->7071 7101 100013b0 7100->7101 7102 100013d9 7100->7102 7101->7102 7103 100013b6 lstrcpyA GlobalFree 7101->7103 7102->6931 7103->7102 8549 4027f5 8550 402fae 19 API calls 8549->8550 8551 4027ff 8550->8551 8552 402ea4 18 API calls 8551->8552 8553 402808 8552->8553 8554 402812 RegQueryValueExA 8553->8554 8559 402aa2 8553->8559 8555 402832 8554->8555 8556 402838 RegCloseKey 8554->8556 8555->8556 8560 40622b wsprintfA 8555->8560 8556->8559 8560->8556 8025 40547b 8026 4054a0 8025->8026 8027 405489 8025->8027 8029 4054c5 8026->8029 8030 4054ae IsWindowVisible 8026->8030 8028 40548f 8027->8028 8043 405509 8027->8043 8031 4044ec SendMessageA 8028->8031 8032 40550f CallWindowProcA 8029->8032 8044 4062cd lstrcpynA 8029->8044 8033 4054bb 8030->8033 8030->8043 8034 405499 8031->8034 8032->8034 8035 404dfa 5 API calls 8033->8035 8035->8029 8037 4054f4 8045 40622b wsprintfA 8037->8045 8039 4054fb 8040 40140b 80 API calls 8039->8040 8041 405502 8040->8041 8046 4062cd lstrcpynA 8041->8046 8043->8032 8044->8037 8045->8039 8046->8043 7779 40187e 7780 402ea4 18 API calls 7779->7780 7781 401885 7780->7781 7782 405fd3 2 API calls 7781->7782 7783 40188c 7782->7783 6195 3a119e7 6196 3a11a6b CallWindowProcA 6195->6196 6199 3a119fd 6195->6199 6197 3a11abe 6196->6197 6201 3a11a8a 6196->6201 6198 3a11a5f 6211 3a110dc 6198->6211 6199->6196 6199->6198 6203 3a11a26 SendMessageA 6199->6203 6201->6197 6202 3a11aa6 PostMessageA 6201->6202 6202->6197 6205 3a11a3b 6203->6205 6205->6199 6206 3a11ac7 6205->6206 6207 3a11afd 6206->6207 6208 3a11acd GetWindowTextA MessageBoxA 6206->6208 6233 3a11071 SendMessageA 6207->6233 6208->6207 6210 3a11b05 6210->6197 6234 3a11000 GlobalAlloc 6211->6234 6213 3a11398 6213->6196 6214 3a11366 wsprintfA WritePrivateProfileStringA 6235 3a1100f 6214->6235 6216 3a110ee 6216->6213 6216->6214 6217 3a112e2 SendMessageA wsprintfA 6216->6217 6219 3a11202 SendMessageA 6216->6219 6220 3a11159 lstrlenA 6216->6220 6223 
3a1100f GlobalFree 6216->6223 6224 3a11000 GlobalAlloc 6216->6224 6226 3a11197 SendMessageA 6216->6226 6218 3a11305 wsprintfA WritePrivateProfileStringA 6217->6218 6218->6216 6221 3a1122b GetWindowTextA 6219->6221 6228 3a111c1 6219->6228 6220->6216 6221->6218 6221->6228 6222 3a1100f GlobalFree 6222->6228 6223->6216 6224->6216 6225 3a11000 GlobalAlloc 6225->6228 6227 3a111af SendMessageA 6226->6227 6226->6228 6227->6228 6228->6213 6228->6218 6228->6221 6228->6222 6228->6225 6228->6227 6229 3a111d2 SendMessageA lstrcatA 6228->6229 6230 3a111c6 lstrcatA 6228->6230 6231 3a112bb CharNextA CharNextA 6228->6231 6232 3a1128e CharNextA lstrcpynA 6228->6232 6229->6228 6230->6229 6231->6228 6232->6231 6233->6210 6234->6216 6236 3a11016 GlobalFree 6235->6236 6237 3a1101c 6235->6237 6236->6237 6237->6213 7625 402d11 SendMessageA 7626 402d35 7625->7626 7627 402d2a InvalidateRect 7625->7627 7627->7626 7707 404897 7708 4048a7 7707->7708 7709 4048cd 7707->7709 7710 4044a0 19 API calls 7708->7710 7711 404507 8 API calls 7709->7711 7712 4048b4 SetDlgItemTextA 7710->7712 7713 4048d9 7711->7713 7712->7709 8143 402117 8144 402ea4 18 API calls 8143->8144 8145 40211e 8144->8145 8146 406775 2 API calls 8145->8146 8147 402124 8146->8147 8148 402136 8147->8148 8150 40622b wsprintfA 8147->8150 8150->8148 7714 401899 7715 402ea4 18 API calls 7714->7715 7716 4018a0 7715->7716 7717 406747 9 API calls 7716->7717 7718 4018c3 7717->7718 7719 4018d6 7718->7719 7720 4018de 7718->7720 7767 4062cd lstrcpynA 7719->7767 7768 4062cd lstrcpynA 7720->7768 7723 4018dc 7726 40652f 5 API calls 7723->7726 7724 4018e9 7725 405dc0 3 API calls 7724->7725 7727 4018ef lstrcatA 7725->7727 7757 4018fb 7726->7757 7727->7723 7728 406775 2 API calls 7728->7757 7729 405f85 2 API calls 7729->7757 7731 401912 CompareFileTime 7731->7757 7732 401a1b 7733 40552b 25 API calls 7732->7733 7737 401a25 7733->7737 7734 4019d7 7736 40552b 25 API calls 7734->7736 7735 406747 9 API calls 7735->7757 7738 4019ea 7736->7738 7739 4033c6 48 
API calls 7737->7739 7744 406747 9 API calls 7738->7744 7749 401a0f 7738->7749 7740 401a38 7739->7740 7742 406747 9 API calls 7740->7742 7741 4062cd lstrcpynA 7741->7757 7743 401a4c 7742->7743 7745 401a5b SetFileTime 7743->7745 7746 401a6d CloseHandle 7743->7746 7744->7749 7745->7746 7748 401a7e 7746->7748 7746->7749 7747 4062ef 18 API calls 7747->7757 7750 401a83 7748->7750 7751 401a96 7748->7751 7752 4062ef 18 API calls 7750->7752 7753 4062ef 18 API calls 7751->7753 7754 401a8b lstrcatA 7752->7754 7756 401a9e 7753->7756 7754->7756 7755 405b35 MessageBoxIndirectA 7755->7757 7758 406747 9 API calls 7756->7758 7757->7728 7757->7729 7757->7731 7757->7732 7757->7734 7757->7735 7757->7741 7757->7747 7757->7755 7759 4019ca 7757->7759 7766 405fa4 GetFileAttributesA CreateFileA 7757->7766 7760 401aa9 7758->7760 7761 401a05 7759->7761 7762 4019cd 7759->7762 7760->7749 7763 405b35 MessageBoxIndirectA 7760->7763 7765 406747 9 API calls 7761->7765 7764 406747 9 API calls 7762->7764 7763->7749 7764->7734 7765->7749 7766->7757 7767->7723 7768->7724 7202 39f1a6f 7204 39f1a8b 7202->7204 7206 39f1a82 7202->7206 7204->7206 7209 39f1ab3 7204->7209 7210 39f1996 7204->7210 7205 39f1ad3 7208 39f1996 104 API calls 7205->7208 7205->7209 7206->7205 7207 39f1996 104 API calls 7206->7207 7206->7209 7207->7205 7208->7209 7211 39f1a2b 7210->7211 7212 39f19a3 GetVersion 7210->7212 7214 39f1a5d 7211->7214 7219 39f1a31 7211->7219 7239 39f2c8f HeapCreate 7212->7239 7217 39f19f6 7214->7217 7340 39f225f 7214->7340 7216 39f19b5 7216->7217 7251 39f2173 7216->7251 7217->7206 7218 39f1a4c 7330 39f268e 7218->7330 7219->7217 7219->7218 7327 39f23f2 7219->7327 7224 39f19ed 7226 39f19fa GetCommandLineA 7224->7226 7227 39f19f1 7224->7227 7268 39f29e8 7226->7268 7261 39f2cec 7227->7261 7232 39f2cec 6 API calls 7232->7217 7234 39f1a14 7305 39f279b 7234->7305 7236 39f1a19 7314 39f26e2 7236->7314 7238 39f1a1e 7238->7217 7240 39f2caf 7239->7240 7241 39f2ce5 7239->7241 7362 39f2b47 7240->7362 7241->7216 7244 
39f2cbe 7374 39f3f3f HeapAlloc 7244->7374 7246 39f2ce8 7246->7216 7247 39f2ccb 7247->7246 7376 39f4790 7247->7376 7248 39f2cc8 7248->7246 7250 39f2cd9 HeapDestroy 7248->7250 7250->7241 7583 39f1b3f InitializeCriticalSection InitializeCriticalSection InitializeCriticalSection InitializeCriticalSection 7251->7583 7253 39f2179 TlsAlloc 7254 39f2189 7253->7254 7255 39f21c3 7253->7255 7256 39f356e 29 API calls 7254->7256 7255->7224 7257 39f2192 7256->7257 7257->7255 7258 39f219a TlsSetValue 7257->7258 7258->7255 7259 39f21ab 7258->7259 7260 39f21b1 GetCurrentThreadId 7259->7260 7260->7224 7262 39f2d5e 7261->7262 7263 39f2cf8 7261->7263 7265 39f2d85 HeapDestroy 7262->7265 7267 39f2d71 VirtualFree 7262->7267 7264 39f2d4a HeapFree 7263->7264 7266 39f2d18 VirtualFree VirtualFree HeapFree 7263->7266 7264->7265 7265->7217 7266->7264 7266->7266 7267->7262 7269 39f2a36 7268->7269 7270 39f2a03 GetEnvironmentStringsW 7268->7270 7271 39f2a0b 7269->7271 7273 39f2a27 7269->7273 7270->7271 7272 39f2a17 GetEnvironmentStrings 7270->7272 7275 39f2a4f WideCharToMultiByte 7271->7275 7276 39f2a43 GetEnvironmentStringsW 7271->7276 7272->7273 7274 39f1a0a 7272->7274 7273->7274 7278 39f2ac9 GetEnvironmentStrings 7273->7278 7279 39f2ad5 7273->7279 7291 39f24d2 7274->7291 7280 39f2ab5 FreeEnvironmentStringsW 7275->7280 7281 39f2a83 7275->7281 7276->7274 7276->7275 7278->7274 7278->7279 7282 39f3009 28 API calls 7279->7282 7280->7274 7283 39f3009 28 API calls 7281->7283 7289 39f2af0 7282->7289 7284 39f2a89 7283->7284 7284->7280 7285 39f2a92 WideCharToMultiByte 7284->7285 7287 39f2aa3 7285->7287 7288 39f2aac 7285->7288 7286 39f2b06 FreeEnvironmentStringsA 7286->7274 7290 39f2f20 28 API calls 7287->7290 7288->7280 7289->7286 7290->7288 7292 39f3009 28 API calls 7291->7292 7293 39f24e5 7292->7293 7294 39f24f3 GetStartupInfoA 7293->7294 7295 39f1b0c 7 API calls 7293->7295 7297 39f2612 7294->7297 7304 39f2541 7294->7304 7295->7294 7298 39f263d GetStdHandle 7297->7298 7299 39f267d SetHandleCount 
7297->7299 7298->7297 7300 39f264b GetFileType 7298->7300 7299->7234 7300->7297 7301 39f3009 28 API calls 7301->7304 7302 39f25b8 7302->7297 7303 39f25da GetFileType 7302->7303 7303->7302 7304->7297 7304->7301 7304->7302 7306 39f27ad 7305->7306 7307 39f27b2 GetModuleFileNameA 7305->7307 7584 39f20b7 7306->7584 7309 39f27d5 7307->7309 7310 39f3009 28 API calls 7309->7310 7311 39f27f6 7310->7311 7312 39f2806 7311->7312 7313 39f1b0c 7 API calls 7311->7313 7312->7236 7313->7312 7315 39f26ef 7314->7315 7317 39f26f4 7314->7317 7316 39f20b7 47 API calls 7315->7316 7316->7317 7318 39f3009 28 API calls 7317->7318 7319 39f2721 7318->7319 7320 39f1b0c 7 API calls 7319->7320 7326 39f2735 7319->7326 7320->7326 7321 39f2778 7322 39f2f20 28 API calls 7321->7322 7323 39f2784 7322->7323 7323->7238 7324 39f3009 28 API calls 7324->7326 7325 39f1b0c 7 API calls 7325->7326 7326->7321 7326->7324 7326->7325 7610 39f2401 7327->7610 7329 39f23fd 7329->7218 7331 39f2696 7330->7331 7332 39f1a51 7331->7332 7333 39f2f20 28 API calls 7331->7333 7334 39f26b0 DeleteCriticalSection 7331->7334 7335 39f21c7 7332->7335 7333->7331 7334->7331 7620 39f1b68 7335->7620 7337 39f21cc 7338 39f21d6 TlsFree 7337->7338 7339 39f1a56 7337->7339 7338->7339 7339->7232 7341 39f22fe 7340->7341 7342 39f226d 7340->7342 7341->7217 7343 39f2276 TlsGetValue 7342->7343 7344 39f2283 7342->7344 7343->7344 7345 39f22ef TlsSetValue 7343->7345 7346 39f2290 7344->7346 7347 39f2f20 28 API calls 7344->7347 7345->7341 7348 39f229e 7346->7348 7350 39f2f20 28 API calls 7346->7350 7347->7346 7349 39f22ac 7348->7349 7351 39f2f20 28 API calls 7348->7351 7352 39f22ba 7349->7352 7353 39f2f20 28 API calls 7349->7353 7350->7348 7351->7349 7354 39f22c8 7352->7354 7355 39f2f20 28 API calls 7352->7355 7353->7352 7356 39f22d6 7354->7356 7358 39f2f20 28 API calls 7354->7358 7355->7354 7357 39f22e7 7356->7357 7359 39f2f20 28 API calls 7356->7359 7360 39f2f20 28 API calls 7357->7360 7358->7356 7359->7357 7361 39f22ee 7360->7361 7361->7345 7385 
39f3f10 7362->7385 7364 39f2b54 GetVersionExA 7365 39f2b8a GetEnvironmentVariableA 7364->7365 7366 39f2b70 7364->7366 7367 39f2c67 7365->7367 7370 39f2ba9 7365->7370 7366->7365 7368 39f2b82 7366->7368 7367->7368 7390 39f2b1a GetModuleHandleA 7367->7390 7368->7244 7368->7247 7371 39f2bee GetModuleFileNameA 7370->7371 7372 39f2be6 7370->7372 7371->7372 7372->7367 7387 39f3b55 7372->7387 7375 39f3f5b 7374->7375 7375->7248 7377 39f479d 7376->7377 7378 39f47a4 HeapAlloc 7376->7378 7379 39f47c1 VirtualAlloc 7377->7379 7378->7379 7380 39f47f9 7378->7380 7381 39f48b6 7379->7381 7382 39f47e1 VirtualAlloc 7379->7382 7380->7248 7381->7380 7383 39f48be HeapFree 7381->7383 7382->7380 7384 39f48a8 VirtualFree 7382->7384 7383->7380 7384->7381 7386 39f3f1c 7385->7386 7386->7364 7386->7386 7392 39f3b6c 7387->7392 7391 39f2b31 7390->7391 7391->7368 7394 39f3b84 7392->7394 7396 39f3bb4 7394->7396 7401 39f22ff 7394->7401 7395 39f22ff 6 API calls 7395->7396 7396->7395 7398 39f3cdd 7396->7398 7400 39f3b68 7396->7400 7405 39f5191 7396->7405 7398->7400 7414 39f5188 7398->7414 7400->7367 7402 39f231d 7401->7402 7404 39f2311 7401->7404 7417 39f33d9 7402->7417 7404->7394 7406 39f51af InterlockedIncrement 7405->7406 7409 39f519c 7405->7409 7407 39f51cb InterlockedDecrement 7406->7407 7412 39f51d5 7406->7412 7429 39f1bd4 7407->7429 7409->7396 7442 39f5200 7412->7442 7413 39f51f5 InterlockedDecrement 7413->7409 7541 39f21f8 GetLastError TlsGetValue 7414->7541 7416 39f518d 7416->7400 7418 39f340a GetStringTypeW 7417->7418 7419 39f3422 7417->7419 7418->7419 7420 39f3426 GetStringTypeA 7418->7420 7421 39f344d GetStringTypeA 7419->7421 7422 39f3471 7419->7422 7420->7419 7423 39f350e 7420->7423 7421->7423 7422->7423 7425 39f3487 MultiByteToWideChar 7422->7425 7423->7404 7425->7423 7426 39f34ab 7425->7426 7426->7423 7427 39f34e5 MultiByteToWideChar 7426->7427 7427->7423 7428 39f34fe GetStringTypeW 7427->7428 7428->7423 7430 39f1bec 7429->7430 7431 39f1c2a EnterCriticalSection 7429->7431 7448 39f3009 
7430->7448 7431->7412 7435 39f1bd4 26 API calls 7437 39f1c0a 7435->7437 7436 39f1c02 7436->7435 7438 39f1c1b 7437->7438 7439 39f1c11 InitializeCriticalSection 7437->7439 7457 39f2f20 7438->7457 7440 39f1c20 7439->7440 7440->7431 7443 39f522b 7442->7443 7447 39f51e2 7442->7447 7444 39f5247 7443->7444 7445 39f22ff 6 API calls 7443->7445 7444->7447 7523 39f318a 7444->7523 7445->7444 7447->7409 7447->7413 7470 39f301b 7448->7470 7451 39f1b0c 7452 39f1b16 7451->7452 7453 39f1b28 7452->7453 7488 39f2d94 7452->7488 7494 39f2dcd 7453->7494 7458 39f2f4e 7457->7458 7459 39f2ffa 7457->7459 7460 39f2f58 7458->7460 7461 39f2f93 7458->7461 7459->7440 7462 39f1bd4 27 API calls 7460->7462 7464 39f1bd4 27 API calls 7461->7464 7469 39f2f79 7461->7469 7465 39f2f5f 7462->7465 7463 39f2fec HeapFree 7463->7459 7467 39f2f9f 7464->7467 7465->7469 7508 39f3fb2 7465->7508 7467->7469 7514 39f4a43 7467->7514 7469->7459 7469->7463 7471 39f1bf4 7470->7471 7473 39f3022 7470->7473 7471->7436 7471->7451 7473->7471 7474 39f3047 7473->7474 7475 39f3074 7474->7475 7479 39f30b7 7474->7479 7476 39f1bd4 27 API calls 7475->7476 7483 39f3095 7475->7483 7477 39f308a 7476->7477 7481 39f42db HeapReAlloc HeapAlloc VirtualAlloc HeapFree VirtualAlloc 7477->7481 7478 39f3126 RtlAllocateHeap 7487 39f30a9 7478->7487 7480 39f30d9 7479->7480 7479->7483 7482 39f1bd4 27 API calls 7480->7482 7481->7483 7484 39f30e0 7482->7484 7483->7478 7483->7487 7485 39f4a88 6 API calls 7484->7485 7486 39f30f3 7485->7486 7486->7483 7486->7487 7487->7473 7489 39f2d9e 7488->7489 7490 39f2dcd 7 API calls 7489->7490 7493 39f2dcb 7489->7493 7491 39f2db5 7490->7491 7492 39f2dcd 7 API calls 7491->7492 7492->7493 7493->7453 7495 39f2de0 7494->7495 7496 39f2ef7 7495->7496 7497 39f2e20 7495->7497 7502 39f1b31 7495->7502 7499 39f2f0a GetStdHandle WriteFile 7496->7499 7498 39f2e2c GetModuleFileNameA 7497->7498 7497->7502 7500 39f2e44 7498->7500 7499->7502 7503 39f4db4 7500->7503 7502->7436 7504 39f4dc1 LoadLibraryA 7503->7504 7505 39f4e03 

                                          Control-flow Graph (function at 004036E7; rendered graph with Executed / Not Executed legend omitted)
                                          APIs
                                          • SetErrorMode.KERNEL32 ref: 0040370D
                                          • GetVersion.KERNEL32 ref: 00403713
                                          • lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 0040373C
                                          • #17.COMCTL32(0000000B,0000000D), ref: 0040375D
                                          • OleInitialize.OLE32(00000000), ref: 00403764
                                          • SHGetFileInfoA.SHELL32(00420D98,00000000,?,00000160,00000000), ref: 00403780
                                          • GetCommandLineA.KERNEL32(LogicLinx 3.31 Uninstall,NSIS Error), ref: 00403795
                                          • GetModuleHandleA.KERNEL32(00000000,"C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe" ,00000000), ref: 004037A8
                                          • CharNextA.USER32(00000000,"C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe" ,0040A7B0), ref: 004037D3
                                          • GetTempPathA.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020), ref: 0040386A
                                          • GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 0040387F
                                          • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 0040388B
                                          • DeleteFileA.KERNEL32(1033), ref: 004038A2
                                            • Part of subcall function 0040680A: GetModuleHandleA.KERNEL32(?,?,?,00403751,0000000D), ref: 0040681C
                                            • Part of subcall function 0040680A: GetProcAddress.KERNEL32(00000000,?), ref: 00406837
                                          • OleUninitialize.OLE32(00000020), ref: 0040392A
                                          • ExitProcess.KERNEL32 ref: 0040394A
                                          • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe" ,00000000,00000020), ref: 0040395D
                                          • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A82C,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe" ,00000000,00000020), ref: 0040396C
                                          • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe" ,00000000,00000020), ref: 00403977
                                          • lstrcmpiA.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\~nsuA.tmp), ref: 00403983
                                          • SetCurrentDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\), ref: 0040399F
                                          • DeleteFileA.KERNEL32(00420998,00420998,?,00427000,?), ref: 004039E9
                                          • CopyFileA.KERNEL32(C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe,00420998,00000001), ref: 004039FD
                                          • CloseHandle.KERNEL32(00000000,00420998,00420998,?,00420998,00000000), ref: 00403A2A
                                          • GetCurrentProcess.KERNEL32(00000028,?,00000007,00000006,00000005), ref: 00403A83
                                          • ExitWindowsEx.USER32(00000002,80040002), ref: 00403ADB
                                          • ExitProcess.KERNEL32 ref: 00403AFE
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.3439475743.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000002.00000002.3439462217.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439489435.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.0000000000410000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.0000000000423000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.0000000000427000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.000000000042C000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.0000000000431000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439589373.0000000000436000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Au_.jbxd
                                          Similarity
                                          • API ID: Filelstrcat$ExitHandleProcess$CurrentDeleteDirectoryModuleWindows$AddressCharCloseCommandCopyErrorInfoInitializeLineModeNextPathProcTempUninitializeVersionlstrcmpilstrlen
                                          • String ID: $ /D=$ _?=$"$"C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe" $.tmp$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\~nsuA.tmp$C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe$C:\Users\user\Desktop\$C:\Users\user\Desktop\$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$LogicLinx 3.31 Uninstall$NCRC$NSIS Error$SeShutdownPrivilege$UXTHEME$\Temp$~nsu
                                          • API String ID: 3469842172-2379017375

                                          Control-flow Graph

                                          APIs
                                            • Part of subcall function 03A113F3: GetPrivateProfileIntA.KERNEL32(?,?,03A11467,NumFields), ref: 03A11407
                                          • wsprintfA.USER32 ref: 03A1152C
                                          • lstrcpyA.KERNEL32(00000000,All Files|*.*,00000002,ListItems,All Files|*.*,State,03A14098,All Files|*.*,Flags,03A14098,All Files|*.*,03A14008,All Files|*.*,TYPE,CancelButtonText,Title), ref: 03A115AF
                                          • GetPrivateProfileStringA.KERNEL32(03A16664,Filter,All Files|*.*,All Files|*.*,00002000,00000000), ref: 03A1161E
                                          • lstrcpyA.KERNEL32(00000000,All Files|*.*,-00000002), ref: 03A11638
                                            • Part of subcall function 03A11000: GlobalAlloc.KERNEL32(00000040,?,03A11030,00000001), ref: 03A11006
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.3440450729.0000000003A11000.00000020.00000001.01000000.0000000B.sdmp, Offset: 03A10000, based on PE: true
                                          • Associated: 00000002.00000002.3440439222.0000000003A10000.00000002.00000001.01000000.0000000B.sdmp
                                          • Associated: 00000002.00000002.3440462301.0000000003A13000.00000002.00000001.01000000.0000000B.sdmp
                                          • Associated: 00000002.00000002.3440473932.0000000003A14000.00000004.00000001.01000000.0000000B.sdmp
                                          • Associated: 00000002.00000002.3440486457.0000000003A18000.00000002.00000001.01000000.0000000B.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_3a10000_Au_.jbxd
                                          Similarity
                                          • API ID: PrivateProfilelstrcpy$AllocGlobalStringwsprintf
                                          • String ID: ...$All Files|*.*$All Files|*.*$BOTTOM$BackButtonText$BackEnabled$CancelButtonText$CancelEnabled$CancelShow$Field %d$Filter$Flags$HWND$HWND2$LEFT$ListItems$MaxLen$MinLen$NextButtonText$NumFields$RIGHT$ROOT$RTL$Rect$Settings$State$T$TEXT$TOP$TYPE$Title$TxtColor$ValidateText
                                          • API String ID: 3510956051-2700349506

                                          Control-flow Graph (function at 00405B99; rendered graph with Executed / Not Executed legend omitted)
                                          APIs
                                          • DeleteFileA.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\,76232EE0), ref: 00405BB7
                                          • lstrcatA.KERNEL32(00422DE0,\*.*,00422DE0,?,00000000,?,C:\Users\user\AppData\Local\Temp\,76232EE0), ref: 00405C01
                                          • lstrcatA.KERNEL32(?,0040A28C,?,00422DE0,?,00000000,?,C:\Users\user\AppData\Local\Temp\,76232EE0), ref: 00405C22
                                          • lstrlenA.KERNEL32(?,?,0040A28C,?,00422DE0,?,00000000,?,C:\Users\user\AppData\Local\Temp\,76232EE0), ref: 00405C28
                                          • FindFirstFileA.KERNEL32(00422DE0,?,?,?,0040A28C,?,00422DE0,?,00000000,?,C:\Users\user\AppData\Local\Temp\,76232EE0), ref: 00405C39
                                          • FindNextFileA.KERNEL32(?,00000010,000000F2,?), ref: 00405D18
                                          • FindClose.KERNEL32(?), ref: 00405D29
                                          Strings
                                          • RMDir: RemoveDirectory("%s"), xrefs: 00405D6B
                                          • -B, xrefs: 00405BEB
                                          • C:\Users\user\AppData\Local\Temp\, xrefs: 00405BA3
                                          • RMDir: RemoveDirectory invalid input("%s"), xrefs: 00405D47
                                          • Delete: DeleteFile on Reboot("%s"), xrefs: 00405CD5
                                          • RMDir: RemoveDirectory failed("%s"), xrefs: 00405DAC
                                          • "C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe" , xrefs: 00405B99
                                          • \*.*, xrefs: 00405BFB
                                          • Delete: DeleteFile failed("%s"), xrefs: 00405CF3
                                          • Delete: DeleteFile("%s"), xrefs: 00405CB1
                                          • RMDir: RemoveDirectory on Reboot("%s"), xrefs: 00405D8F
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.3439475743.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Au_.jbxd
                                          Similarity
                                          • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                          • String ID: "C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe" $C:\Users\user\AppData\Local\Temp\$Delete: DeleteFile failed("%s")$Delete: DeleteFile on Reboot("%s")$Delete: DeleteFile("%s")$RMDir: RemoveDirectory failed("%s")$RMDir: RemoveDirectory invalid input("%s")$RMDir: RemoveDirectory on Reboot("%s")$RMDir: RemoveDirectory("%s")$\*.*$-B
                                          • API String ID: 2035342205-1903259898
                                          APIs
                                          • FindFirstFileA.KERNEL32(?,00423E28,C:\Users\user\AppData\Local\Temp\nslC943.tmp,00405EE4,C:\Users\user\AppData\Local\Temp\nslC943.tmp,C:\Users\user\AppData\Local\Temp\nslC943.tmp,00000000,C:\Users\user\AppData\Local\Temp\nslC943.tmp,C:\Users\user\AppData\Local\Temp\nslC943.tmp,?,?,76232EE0,00405BAD,?,C:\Users\user\AppData\Local\Temp\,76232EE0), ref: 00406780
                                          • FindClose.KERNEL32(00000000), ref: 0040678C
                                          Strings
                                          • (>B, xrefs: 00406776
                                          • C:\Users\user\AppData\Local\Temp\nslC943.tmp, xrefs: 00406775
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.3439475743.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Au_.jbxd
                                          Similarity
                                          • API ID: Find$CloseFileFirst
                                          • String ID: (>B$C:\Users\user\AppData\Local\Temp\nslC943.tmp
                                          • API String ID: 2295610775-1330780697
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.3439475743.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Au_.jbxd
                                          APIs
                                          • GetDlgItem.USER32(?), ref: 03A11EB0
                                            • Part of subcall function 03A12ABB: lstrcpyA.KERNEL32(?,?,?,03A12720,00000000), ref: 03A12ADA
                                            • Part of subcall function 03A12ABB: GlobalFree.KERNEL32 ref: 03A12AEA
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.3440450729.0000000003A11000.00000020.00000001.01000000.0000000B.sdmp, Offset: 03A10000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_3a10000_Au_.jbxd
                                          Similarity
                                          • API ID: FreeGlobalItemlstrcpy
                                          • String ID: $ $($D$Field %d$`#v$error creating dialog$error finding childwnd$error finding config$error finding mainwnd
                                          • API String ID: 962754457-681165833

                                          Control-flow Graph (function at 00403FCD; rendered graph with Executed / Not Executed legend omitted)
                                          APIs
                                          • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00404009
                                          • ShowWindow.USER32(?), ref: 00404026
                                          • DestroyWindow.USER32 ref: 0040403A
                                          • SetWindowLongA.USER32(?,00000000,00000000), ref: 00404056
                                          • GetDlgItem.USER32(?,?), ref: 00404077
                                          • SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 0040408B
                                          • IsWindowEnabled.USER32(00000000), ref: 00404092
                                          • GetDlgItem.USER32(?,00000001), ref: 00404140
                                          • GetDlgItem.USER32(?,00000002), ref: 0040414A
                                          • SetClassLongA.USER32(?,000000F2,?), ref: 00404164
                                          • SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 004041B5
                                          • GetDlgItem.USER32(?,00000003), ref: 0040425B
                                          • ShowWindow.USER32(00000000,?), ref: 0040427C
                                          • KiUserCallbackDispatcher.NTDLL(?,?), ref: 0040428E
                                          • EnableWindow.USER32(?,?), ref: 004042A9
                                          • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 004042BF
                                          • EnableMenuItem.USER32(00000000), ref: 004042C6
                                          • SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 004042DE
                                          • SendMessageA.USER32(?,00000401,00000002,00000000), ref: 004042F1
                                          • lstrlenA.KERNEL32(00421DD8,?,00421DD8,LogicLinx 3.31 Uninstall), ref: 0040431A
                                          • SetWindowTextA.USER32(?,00421DD8), ref: 00404329
                                          • ShowWindow.USER32(?,0000000A), ref: 0040445D
                                          Strings
                                          • LogicLinx 3.31 Uninstall, xrefs: 0040430B
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.3439475743.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000002.00000002.3439462217.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439489435.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.0000000000410000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.0000000000423000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.0000000000427000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.000000000042C000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.0000000000431000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439589373.0000000000436000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Au_.jbxd
                                          Similarity
                                          • API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
                                          • String ID: LogicLinx 3.31 Uninstall
                                          • API String ID: 3282139019-2177277121
                                          • Opcode ID: 0248ba45e7b493aff9bc460956d3901db11cdf52f63362b6396d5a0f8d5974e5
                                          • Instruction ID: e8b814be20905fb269ae5e5496c6b8f26aecf55a6b1e554940ad996ba5c5a090
                                          • Opcode Fuzzy Hash: 0248ba45e7b493aff9bc460956d3901db11cdf52f63362b6396d5a0f8d5974e5
                                          • Instruction Fuzzy Hash: 2CC1C3B1600704AFCB206F61EE45E2B3AA8FB94749F50453EF781B51F1CB3968529B1E
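The `control_flow_graph` lines printed under each Control-flow Graph heading are the text serialization of the rendered graph: a basic-block id followed by its address range (or a single address), then any API names and `call` targets executed in that block (`* N` marks a repeated call), interleaved with `src->dst` edges. The Python below is added here as an example; it is not part of the Joe Sandbox report or of the NSIS sample. It parses such a dump into blocks and edges, lists which blocks call each imported API, and emits Graphviz DOT so the graph can be redrawn offline. The sample input is the opening of the first edge list above; a whole dump can be passed instead, since wrapped lines are split on whitespace. The block-id rule (a decimal token directly followed by an address of at least five hex digits) is an assumption inferred from this report's text, not a documented Joe Sandbox grammar.

```python
"""Parse the text form of a Joe Sandbox control-flow graph into blocks and edges."""
import re
from collections import defaultdict

# Opening of the first "control_flow_graph" edge list above (Au_.exe, function
# at 0x403fcd), copied from the report. Wrapped lines are harmless: the parser
# splits on whitespace.
SAMPLE = (
    "control_flow_graph 403 403fcd-403fdf 404 404120-40412f 403->404 "
    "405 403fe5-403feb 403->405 407 404131-404179 GetDlgItem * 2 "
    "call 4044a0 SetClassLongA call 40140b 404->407 408 40417e-404193 "
    "404->408 405->404 406 403ff1-403ffa 405->406 409 403ffc-404009 "
    "SetWindowPos 406->409 410 40400f-404012 406->410 407->408"
)

# A block address is a hex range "start-end" or a single address. Requiring at
# least five hex digits keeps short decimal block ids (403, 1009) from being
# mistaken for addresses. Assumption inferred from the report text.
ADDR_RE = re.compile(r"^[0-9a-f]{5,}(?:-[0-9a-f]{5,})?$")
EDGE_RE = re.compile(r"^(\d+)->(\d+)$")


def parse_cfg(text):
    """Return (blocks, edges): {id: {"start", "end", "labels"}}, [(src, dst)]."""
    tokens = text.split()
    if tokens and tokens[0] == "control_flow_graph":
        tokens = tokens[1:]
    blocks, edges = {}, []
    current = None
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        edge = EDGE_RE.match(tok)
        if edge:
            edges.append((int(edge.group(1)), int(edge.group(2))))
            i += 1
            continue
        nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
        if tok.isdigit() and ADDR_RE.match(nxt):
            # A decimal token followed by an address opens a new block.
            start, _, end = nxt.partition("-")
            current = int(tok)
            blocks[current] = {"start": int(start, 16),
                               "end": int(end or start, 16),
                               "labels": []}
            i += 2
            continue
        if current is None:
            raise ValueError(f"label {tok!r} appears before any block")
        blocks[current]["labels"].append(tok)
        i += 1
    return blocks, edges


def group_calls(labels):
    """['GetDlgItem','*','2','call','4044a0'] -> ['GetDlgItem * 2', 'call 4044a0']."""
    items = []
    i = 0
    while i < len(labels):
        tok = labels[i]
        if tok == "call" and i + 1 < len(labels):
            items.append(f"call {labels[i + 1]}")      # internal call target
            i += 2
        elif tok == "*" and items and i + 1 < len(labels):
            items[-1] += f" * {labels[i + 1]}"          # repeat count of previous item
            i += 2
        else:
            items.append(tok)
            i += 1
    return items


def api_xrefs(blocks):
    """Map each imported API named in the graph to the block ids that call it."""
    xrefs = defaultdict(list)
    for bid in sorted(blocks):
        for item in group_calls(blocks[bid]["labels"]):
            if not item.startswith("call "):             # skip internal calls
                xrefs[item.split(" * ")[0]].append(bid)
    return dict(xrefs)


def to_dot(blocks, edges, name="cfg"):
    """Render blocks and edges as Graphviz DOT, one box per basic block."""
    out = [f"digraph {name} {{", "  node [shape=box fontname=monospace];"]
    for bid in sorted(blocks):
        b = blocks[bid]
        label = f"{bid}: {b['start']:x}-{b['end']:x}"
        calls = group_calls(b["labels"])
        if calls:
            label += "\\n" + "\\n".join(calls)
        out.append(f'  b{bid} [label="{label}"];')
    out.extend(f"  b{src} -> b{dst};" for src, dst in edges)
    out.append("}")
    return "\n".join(out)


if __name__ == "__main__":
    blocks, edges = parse_cfg(SAMPLE)
    print(to_dot(blocks, edges))
    for api, bids in api_xrefs(blocks).items():
        print(f"# {api}: blocks {bids}")
```

Pipe the output into `dot -Tsvg` to redraw the graph. The executed / not-executed colouring shown in the report's interactive viewer is not present in the text dump, so it is not reconstructed here; `api_xrefs` is the quick way to answer which basic blocks reach a given import, for example the `SetWindowTextA` block that formats the "LogicLinx 3.31 Uninstall" caption.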

                                          Control-flow Graph

                                          control_flow_graph 506 401434-401482 507 402d35-402d3e 506->507 508 401488 506->508 527 402d40-402d44 507->527 509 4014e0-4014fd call 40136d call 406747 call 401389 508->509 510 401502-40151e call 402ea4 call 406747 call 40552b 508->510 511 4015a2-4015be 508->511 512 401523-40153b call 402e87 call 406747 508->512 513 4015c3-402ce3 call 40622b 508->513 514 4014a4-4014c0 call 402ea4 call 406747 call 40552b 508->514 515 4014c5-4014ce 508->515 516 401565-40156d 508->516 517 40154c-401560 call 406747 SetForegroundWindow 508->517 518 40148f-40149f call 406747 508->518 519 4015d0-4015dd 508->519 520 4017f3-40180e call 402ea4 GetFullPathNameA 508->520 521 401857-401873 call 402ea4 SearchPathA 508->521 522 401738-401748 call 402ea4 call 406775 508->522 523 401779-4017ae call 402ea4 * 3 call 406747 MoveFileA 508->523 524 4015fc-401622 call 402ea4 call 406747 SetFileAttributesA 508->524 525 40163e-401662 call 402ea4 call 406747 call 405e54 508->525 509->527 510->507 511->527 593 401540-401547 Sleep 512->593 594 40153d-40153f 512->594 513->507 530 40251c-402521 514->530 529 4014d4-4014db PostQuitMessage 515->529 515->530 545 401591-40159d 516->545 546 40156f-40158c call 402e87 516->546 517->507 518->527 531 4015e6-4015ed 519->531 532 4015df-4015e3 ShowWindow 519->532 571 401810-401815 520->571 572 401833-40183a 520->572 521->507 565 401879 521->565 596 401760-401774 call 406747 522->596 597 40174a-401eac call 406747 522->597 624 4017b0-4017b2 523->624 625 4017b7-4017ba 523->625 524->507 590 401628-401639 call 406747 524->590 612 401668-40167b call 405deb 525->612 613 4016ee-4016f1 525->613 529->530 530->527 553 402a76-402a7f 530->553 531->507 547 4015f3-4015f7 ShowWindow 531->547 532->531 545->507 546->507 547->507 553->507 565->553 576 40183c-40183f 571->576 583 401817-401819 571->583 572->576 576->507 587 401845-401852 GetShortPathNameA 576->587 583->576 595 40181b-401823 call 406775 583->595 587->507 618 4022da-4022db 590->618 
593->507 594->593 595->572 614 401825-401831 call 4062cd 595->614 596->527 597->527 623 4022d4-4022d9 call 406747 597->623 635 401693-401694 call 405a9f 612->635 636 40167d-401680 612->636 619 401731-401733 613->619 620 4016f3-40170e call 401423 call 4062cd SetCurrentDirectoryA 613->620 614->576 618->507 628 402462-402467 call 401423 619->628 620->507 650 401714-40172c GetLastError call 406747 620->650 623->618 624->628 632 4017e1-4017ee 625->632 633 4017bc-4017c4 call 406775 625->633 628->507 632->623 633->632 649 4017c6-4017dc call 40601b call 401423 633->649 643 401699-40169b 635->643 636->635 642 401682-401689 call 405abc 636->642 642->635 657 40168b-40168c call 405a22 642->657 647 4016d3-4016d9 call 406747 643->647 648 40169d-4016a2 643->648 661 4016de-4016df 647->661 652 4016a4-4016b6 call 406747 648->652 653 4016b8-4016c1 GetFileAttributesA 648->653 649->623 650->507 659 4016e0-4016e8 652->659 653->659 660 4016c3-4016d1 call 406747 653->660 668 401691 657->668 659->612 659->613 660->661 661->659 668->643
                                          APIs
                                          • PostQuitMessage.USER32(00000000), ref: 004014D5
                                          • Sleep.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00401541
                                          • SetForegroundWindow.USER32(?), ref: 0040155A
                                          • ShowWindow.USER32(00000000), ref: 004015E1
                                          • ShowWindow.USER32(00000000), ref: 004015F5
                                          • SetFileAttributesA.KERNEL32(00000000,?,?,000000F0), ref: 0040161A
                                          • SetCurrentDirectoryA.KERNEL32(00000000,C:\Users\user\Desktop\,00000000,000000E6,00000000,?,?,000000F0,?,000000F0), ref: 00401706
                                          • GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 00401714
                                          • MoveFileA.KERNEL32(00000000,?), ref: 004017A6
                                          • GetFullPathNameA.KERNEL32(00000000,00000400,00000000,?,00000000,000000E3,?,00000000,00000000,00000000,0000005C,00000000,?,?,000000F0), ref: 00401806
                                          • GetShortPathNameA.KERNEL32(00000000,00000000,00000400), ref: 0040184C
                                          • SearchPathA.KERNEL32(00000000,00000000,00000000,00000400,00000000,?,000000FF,?,00000000,00000000,00000000,0000005C,00000000,?,?,000000F0), ref: 0040186B
                                          Strings
                                          • Rename failed: %s, xrefs: 004017E9
                                          • Aborting: "%s", xrefs: 004014AB
                                          • Jump: %d, xrefs: 00401490
                                          • BringToFront, xrefs: 0040154C
                                          • Call: %d, xrefs: 004014EA
                                          • CreateDirectory: can't create "%s" (err=%d), xrefs: 004016A6
                                          • Rename: %s, xrefs: 00401796
                                          • SetCurrentDirectory(%s) failed (%d), xrefs: 0040171C
                                          • Sleep(%d), xrefs: 0040152C
                                          • IfFileExists: file "%s" exists, jumping %d, xrefs: 0040174E
                                          • detailprint: %s, xrefs: 00401509
                                          • CreateDirectory: "%s" created, xrefs: 004016D4
                                          • CreateDirectory: can't create "%s" - a file already exists, xrefs: 004016C4
                                          • C:\Users\user\Desktop\, xrefs: 004016FB
                                          • IfFileExists: file "%s" does not exist, jumping %d, xrefs: 00401764
                                          • CreateDirectory: "%s" (%d), xrefs: 0040164B
                                          • SetFileAttributes failed., xrefs: 0040162F
                                          • SetFileAttributes: "%s":%08X, xrefs: 00401609
                                          • Rename on reboot: %s, xrefs: 004017D7
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.3439475743.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000002.00000002.3439462217.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439489435.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.0000000000410000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.0000000000423000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.0000000000427000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.000000000042C000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.0000000000431000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439589373.0000000000436000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Au_.jbxd
                                          Similarity
                                          • API ID: PathWindow$FileNameShow$AttributesCurrentDirectoryErrorForegroundFullLastMessageMovePostQuitSearchShortSleep
                                          • String ID: Aborting: "%s"$BringToFront$C:\Users\user\Desktop\$Call: %d$CreateDirectory: "%s" (%d)$CreateDirectory: "%s" created$CreateDirectory: can't create "%s" (err=%d)$CreateDirectory: can't create "%s" - a file already exists$IfFileExists: file "%s" does not exist, jumping %d$IfFileExists: file "%s" exists, jumping %d$Jump: %d$Rename failed: %s$Rename on reboot: %s$Rename: %s$SetCurrentDirectory(%s) failed (%d)$SetFileAttributes failed.$SetFileAttributes: "%s":%08X$Sleep(%d)$detailprint: %s
                                          • API String ID: 1463463071-1213553954
                                          • Opcode ID: 4ea7baa423deea346482f081290d896363ffcc99c378c9c5ed3661cfa77155d3
                                          • Instruction ID: cd94397812fa9254d581f5ff6aeb3ca49ce95be99e6962c7f7d93c7b36d86e40
                                          • Opcode Fuzzy Hash: 4ea7baa423deea346482f081290d896363ffcc99c378c9c5ed3661cfa77155d3
                                          • Instruction Fuzzy Hash: CBB11671904200BFDB146BA1DD4AEAF36B8AF08318B25053FF841B72D1DBBD5D418A6E

                                          Control-flow Graph

                                          control_flow_graph 671 403c17-403c2f call 40680a 674 403c31-403c41 call 40622b 671->674 675 403c43-403c6a call 4061b4 671->675 682 403c8d-403cb6 call 403f00 call 405ea1 674->682 680 403c82-403c88 lstrcatA 675->680 681 403c6c-403c7d call 4061b4 675->681 680->682 681->680 689 403cbc-403cc1 682->689 690 403d3d-403d45 call 405ea1 682->690 689->690 691 403cc3-403ce7 call 4061b4 689->691 696 403d53-403d5a 690->696 697 403d47-403d4e call 4062ef 690->697 691->690 698 403ce9-403ceb 691->698 700 403d73-403d98 LoadImageA 696->700 701 403d5c-403d62 696->701 697->696 704 403cfc-403d08 lstrlenA 698->704 705 403ced-403cfa call 405deb 698->705 702 403e27-403e2f call 40140b 700->702 703 403d9e-403dd4 RegisterClassA 700->703 701->700 706 403d64-403d69 call 403bf6 701->706 723 403e31-403e34 702->723 724 403e39-403e44 call 403f00 702->724 707 403ef6 703->707 708 403dda-403e22 SystemParametersInfoA CreateWindowExA 703->708 711 403d30-403d38 call 405dc0 call 4062cd 704->711 712 403d0a-403d18 lstrcmpiA 704->712 705->704 706->700 715 403ef8-403eff 707->715 708->702 711->690 712->711 719 403d1a-403d24 GetFileAttributesA 712->719 720 403d26-403d28 719->720 721 403d2a-403d2b call 405e07 719->721 720->711 720->721 721->711 723->715 729 403e4a-403e64 ShowWindow call 40679c 724->729 730 403ecd-403ed5 call 4055fd 724->730 737 403e70-403e82 GetClassInfoA 729->737 738 403e66-403e6b call 40679c 729->738 735 403ed7-403edd 730->735 736 403eef-403ef1 call 40140b 730->736 735->723 741 403ee3-403eea call 40140b 735->741 736->707 739 403e84-403e94 GetClassInfoA RegisterClassA 737->739 740 403e9a-403ebd DialogBoxParamA call 40140b 737->740 738->737 739->740 746 403ec2-403ecb call 403b46 740->746 741->723 746->715
                                          APIs
                                            • Part of subcall function 0040680A: GetModuleHandleA.KERNEL32(?,?,?,00403751,0000000D), ref: 0040681C
                                            • Part of subcall function 0040680A: GetProcAddress.KERNEL32(00000000,?), ref: 00406837
                                          • lstrcatA.KERNEL32(1033,00421DD8,80000001,Control Panel\Desktop\ResourceLocale,00000000,00421DD8,00000000,00000003,C:\Users\user\AppData\Local\Temp\,?,"C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe" ,00000000), ref: 00403C88
                                          • lstrlenA.KERNEL32(LogicLinx 3.31 will be uninstalled from the following folder. Click Uninstall to start the uninstallation.,?,?,?,LogicLinx 3.31 will be uninstalled from the following folder. Click Uninstall to start the uninstallation.,00000000,C:\Users\user\Desktop\,1033,00421DD8,80000001,Control Panel\Desktop\ResourceLocale,00000000,00421DD8,00000000,00000003,C:\Users\user\AppData\Local\Temp\), ref: 00403CFD
                                          • lstrcmpiA.KERNEL32(?,.exe), ref: 00403D10
                                          • GetFileAttributesA.KERNEL32(LogicLinx 3.31 will be uninstalled from the following folder. Click Uninstall to start the uninstallation.), ref: 00403D1B
                                          • LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\Desktop\), ref: 00403D84
                                            • Part of subcall function 0040622B: wsprintfA.USER32 ref: 00406238
                                          • RegisterClassA.USER32 ref: 00403DCB
                                          • SystemParametersInfoA.USER32(00000030,00000000,_Nb,00000000), ref: 00403DE3
                                          • CreateWindowExA.USER32(00000080,?,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403E1C
                                          • ShowWindow.USER32(00000005,00000000), ref: 00403E52
                                          • GetClassInfoA.USER32(00000000,RichEdit20A,00425BA0), ref: 00403E7E
                                          • GetClassInfoA.USER32(00000000,RichEdit,00425BA0), ref: 00403E8B
                                          • RegisterClassA.USER32(00425BA0), ref: 00403E94
                                          • DialogBoxParamA.USER32(?,00000000,00403FCD,00000000), ref: 00403EB3
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.3439475743.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000002.00000002.3439462217.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439489435.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.0000000000410000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.0000000000423000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.0000000000427000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.000000000042C000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.0000000000431000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439589373.0000000000436000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Au_.jbxd
                                          Similarity
                                          • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                          • String ID: "C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe" $.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop\$Control Panel\Desktop\ResourceLocale$LogicLinx 3.31 will be uninstalled from the following folder. Click Uninstall to start the uninstallation.$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
                                          • API String ID: 1975747703-1783688793
                                          • Opcode ID: 05311a38aaea39ea47b31c922d26c1672691d2af13fd95cb2cc0faeab00d08b8
                                          • Instruction ID: 7568602f95d19c6b689a3b08b652a15b96228f33c85fe1690cd6c01ac20bc482
                                          • Opcode Fuzzy Hash: 05311a38aaea39ea47b31c922d26c1672691d2af13fd95cb2cc0faeab00d08b8
                                          • Instruction Fuzzy Hash: 0661B6702406406ED720BF659D45F3B3E6CEB4074AF85053FF981B62E2DB7CA9428A6D

                                          Control-flow Graph

                                          control_flow_graph 750 3a110dc-3a110f4 call 3a11000 753 3a113a2-3a113a4 750->753 754 3a110fa-3a1110c 750->754 757 3a1139a-3a113a1 753->757 755 3a11112 754->755 756 3a11366-3a11393 wsprintfA WritePrivateProfileStringA call 3a1100f 754->756 758 3a11116-3a1112f 755->758 762 3a11398 756->762 760 3a11135-3a11138 758->760 761 3a11334-3a1133d 758->761 763 3a11349-3a11360 760->763 764 3a1113e-3a11141 760->764 765 3a11345 761->765 766 3a1133f 761->766 762->757 763->756 763->758 767 3a112e2-3a11302 SendMessageA wsprintfA 764->767 768 3a11147-3a1114a 764->768 765->763 766->765 769 3a11305-3a11332 wsprintfA WritePrivateProfileStringA 767->769 770 3a11150-3a11153 768->770 771 3a11202-3a11210 SendMessageA 768->771 769->763 770->763 772 3a11159-3a11169 lstrlenA 770->772 773 3a11212-3a11225 call 3a1100f call 3a11000 771->773 774 3a1122b-3a1124f GetWindowTextA 771->774 776 3a11183-3a11191 call 3a11000 772->776 777 3a1116b-3a1117d call 3a1100f call 3a11000 772->777 773->753 773->774 774->769 775 3a11255-3a11259 774->775 775->769 779 3a1125f-3a11272 call 3a11000 775->779 776->753 787 3a11197-3a111ad SendMessageA 776->787 777->753 777->776 793 3a112d3-3a112e0 call 3a1100f 779->793 794 3a11274-3a1127b 779->794 791 3a111f4-3a111fd call 3a1100f 787->791 792 3a111af-3a111bf SendMessageA 787->792 791->769 797 3a111c1-3a111c4 792->797 798 3a111ed-3a111f2 792->798 793->769 799 3a112b5 794->799 800 3a1127d-3a1127e 794->800 803 3a111d2-3a111e7 SendMessageA lstrcatA 797->803 804 3a111c6-3a111cc lstrcatA 797->804 798->791 798->792 808 3a112ba 799->808 805 3a11280-3a11283 800->805 806 3a112ae-3a112b3 800->806 803->798 804->803 809 3a11285-3a11288 805->809 810 3a112a7-3a112ac 805->810 806->808 811 3a112bb-3a112d1 CharNextA * 2 808->811 812 3a1128a-3a1128d 809->812 813 3a1128e-3a112a5 CharNextA lstrcpynA 809->813 810->808 811->793 811->794 812->813 813->811
                                          APIs
                                            • Part of subcall function 03A11000: GlobalAlloc.KERNEL32(00000040,?,03A11030,00000001), ref: 03A11006
                                          • lstrlenA.KERNEL32(?,00002000), ref: 03A1115C
                                          • SendMessageA.USER32(?,0000018B,00000000,00000000), ref: 03A111A2
                                          • SendMessageA.USER32(?,00000187,00000000,00000000), ref: 03A111B8
                                          • lstrcatA.KERNEL32(00000000,03A144B8,?,00000187,00000000,00000000,?,0000018B,00000000,00000000,00002000), ref: 03A111CC
                                          • SendMessageA.USER32(?,00000189,00000000,00002000), ref: 03A111DD
                                          • lstrcatA.KERNEL32(00000000,00002000,?,00000189,00000000,00002000,?,00000187,00000000,00000000,?,0000018B,00000000,00000000,00002000), ref: 03A111E7
                                          • SendMessageA.USER32(?,0000000E,00000000,00000000), ref: 03A11207
                                          • GetWindowTextA.USER32(00001FFF,00000001,00001FFF), ref: 03A1123A
                                          • CharNextA.USER32(00000000,00002000), ref: 03A1128F
                                          • lstrcpynA.KERNEL32(00000000,00000000,00000000), ref: 03A1129F
                                          • CharNextA.USER32(00000000,00002000), ref: 03A112BC
                                          • CharNextA.USER32(00000001), ref: 03A112C5
                                          • SendMessageA.USER32(?,000000F0,00000000,00000000), ref: 03A112EA
                                          • wsprintfA.USER32 ref: 03A112FC
                                          • wsprintfA.USER32 ref: 03A11314
                                          • WritePrivateProfileStringA.KERNEL32(03A16648,State,00000000), ref: 03A1132A
                                          • wsprintfA.USER32 ref: 03A11372
                                          • WritePrivateProfileStringA.KERNEL32(Settings,State,00000000), ref: 03A1138C
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.3440450729.0000000003A11000.00000020.00000001.01000000.0000000B.sdmp, Offset: 03A10000, based on PE: true
                                           • Associated: 00000002.00000002.3440439222.0000000003A10000.00000002.00000001.01000000.0000000B.sdmp
                                           • Associated: 00000002.00000002.3440462301.0000000003A13000.00000002.00000001.01000000.0000000B.sdmp
                                           • Associated: 00000002.00000002.3440473932.0000000003A14000.00000004.00000001.01000000.0000000B.sdmp
                                           • Associated: 00000002.00000002.3440486457.0000000003A18000.00000002.00000001.01000000.0000000B.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_3a10000_Au_.jbxd
                                          Similarity
                                          • API ID: MessageSend$CharNextwsprintf$PrivateProfileStringWritelstrcat$AllocGlobalTextWindowlstrcpynlstrlen
                                          • String ID: Field %d$Settings$State$T
                                          • API String ID: 1338839387-1936150994
                                          • Opcode ID: e4a1869b80794b52f886fac9510a855e7beef05e6e2245054ef6a093329c8fd4
                                          • Instruction ID: 5764951b533ca159595e5deff51a048ce18d33df3ac03906c0f6db5654fbb2f5
                                          • Opcode Fuzzy Hash: e4a1869b80794b52f886fac9510a855e7beef05e6e2245054ef6a093329c8fd4
                                          • Instruction Fuzzy Hash: CE712134504342BFCB51EF24D948A2FBBE9FF45740F08442EFA82DA246E774852687A2

                                          Control-flow Graph

                                          APIs
                                            • Part of subcall function 100013A6: lstrcpyA.KERNEL32(?,?,https://www.gegridsolutions.com/multilin/,100011A2,https://www.gegridsolutions.com/multilin/), ref: 100013BE
                                            • Part of subcall function 100013A6: GlobalFree.KERNEL32(https://www.gegridsolutions.com/multilin/), ref: 100013CF
                                          • GetDlgItem.USER32(?,00000404), ref: 10001210
                                          • GetWindowLongA.USER32(00000000,000000F0), ref: 10001221
                                          • SetWindowLongA.USER32(00000000,000000F0,00000000), ref: 1000122E
                                          • SetPropA.USER32(00000000,_Plugin_Static_Hyperlink_,00000001), ref: 1000123C
                                          • SendMessageA.USER32(00000000,00000031,00000000,00000000), ref: 1000124D
                                          • GetObjectA.GDI32(00000000,0000003C,?), ref: 1000125B
                                          • CreateFontIndirectA.GDI32(?), ref: 10001269
                                          • SendMessageA.USER32(00000000,00000030,00000000,00000000), ref: 10001279
                                          • LoadImageA.USER32(00000000,00007F89,00000002,00000000,00000000,00008040), ref: 10001290
                                          • LoadImageA.USER32(00000000,00007F00,00000002,00000000,00000000,00008040), ref: 100012AA
                                          • EnableWindow.USER32(00000000,00000001), ref: 100012B4
                                          • SetWindowLongA.USER32(000000FC,10001000), ref: 100012CD
                                          • SetWindowLongA.USER32(00000000,000000FC,10001097), ref: 100012DC
                                          • RedrawWindow.USER32(00000000,00000000,00000000,00000105), ref: 100012EB
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.3440554333.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                           • Associated: 00000002.00000002.3440542193.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                           • Associated: 00000002.00000002.3440566258.0000000010002000.00000002.00000001.01000000.00000007.sdmp
                                           • Associated: 00000002.00000002.3440578387.0000000010003000.00000004.00000001.01000000.00000007.sdmp
                                           • Associated: 00000002.00000002.3440590369.0000000010004000.00000002.00000001.01000000.00000007.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_10000000_Au_.jbxd
                                          Similarity
                                          • API ID: Window$Long$ImageLoadMessageSend$CreateEnableFontFreeGlobalIndirectItemObjectPropRedrawlstrcpy
                                          • String ID: _Plugin_Static_Hyperlink_$https://www.gegridsolutions.com/multilin/$^s
                                          • API String ID: 3906149694-822001222
                                          • Opcode ID: 8b0eb765e6e48039e4865cb80709fa49e1116976669fe2920b5731e1ce855353
                                          • Instruction ID: ca8671abe9f8f2495f193ae5b887a50235a0880a62267edce4059e6dc7c109c0
                                          • Opcode Fuzzy Hash: 8b0eb765e6e48039e4865cb80709fa49e1116976669fe2920b5731e1ce855353
                                          • Instruction Fuzzy Hash: A541B3B0905264BFF716DF658CD5FEB7BACEB097D0F00811AFA04A61A9CB745900CB64

                                          Control-flow Graph

                                          control_flow_graph 924 401899-4018d4 call 402ea4 call 406747 call 405e2d 931 4018d6-4018dc call 4062cd 924->931 932 4018de-4018f0 call 4062cd call 405dc0 lstrcatA 924->932 937 4018f5-4018fb call 40652f 931->937 932->937 942 401900-401904 937->942 943 401906-401910 call 406775 942->943 944 401937-40193a 942->944 951 401922-401934 943->951 952 401912-401920 CompareFileTime 943->952 946 401942-40195e call 405fa4 944->946 947 40193c-40193d call 405f85 944->947 954 401964-401967 946->954 955 401a1b-401a53 call 40552b call 4033c6 call 406747 946->955 947->946 951->944 952->951 957 4019e0-4019ee call 40552b 954->957 958 401969-4019b8 call 406747 call 4062cd * 2 call 4062ef call 4062cd call 405b35 954->958 976 401a55-401a59 955->976 977 401a5b-401a67 SetFileTime 955->977 967 4019f0 957->967 968 4019f7-4027e8 957->968 997 4019ca-4019cb 958->997 998 4019ba-4019c5 call 406747 958->998 967->968 974 4027ed-4027f0 968->974 975 4027e8 call 406747 968->975 979 402d35-402d38 974->979 975->974 976->977 980 401a6d-401a78 CloseHandle 976->980 977->980 982 402d3e 979->982 980->979 983 401a7e-401a81 980->983 985 402d40-402d44 982->985 986 401a83-401a94 call 4062ef lstrcatA 983->986 987 401a96-401a99 call 4062ef 983->987 994 401a9e-402517 call 406747 986->994 987->994 1004 40251c-402521 994->1004 1005 402517 call 405b35 994->1005 1000 401a05-401a16 call 406747 997->1000 1001 4019cd-4019d9 call 406747 997->1001 998->942 1000->982 1001->957 1004->985 1009 402a76-402a7f 1004->1009 1005->1004 1009->979
                                          APIs
                                            • Part of subcall function 00406747: lstrlenA.KERNEL32(File: skipped: "C:\Users\user\AppData\Local\Temp\nslC943.tmp\InstallOptions.dll" (overwriteflag=1),?,?,00000000,00405D75,RMDir: RemoveDirectory("%s"),?,?,?), ref: 0040675E
                                            • Part of subcall function 00406747: wvsprintfA.USER32(00000000,File: skipped: "C:\Users\user\AppData\Local\Temp\nslC943.tmp\InstallOptions.dll" (overwriteflag=1),?), ref: 00406766
                                          • lstrcatA.KERNEL32(00000000,00000000,show,C:\Users\user\Desktop\,00000000,00000000), ref: 004018F0
                                          • CompareFileTime.KERNEL32(-00000014,?,show,show,00000000,00000000,show,C:\Users\user\Desktop\,00000000,00000000), ref: 0040191A
                                            • Part of subcall function 004062CD: lstrcpynA.KERNEL32(?,?,00000400,00403795,LogicLinx 3.31 Uninstall,NSIS Error), ref: 004062DA
                                            • Part of subcall function 0040552B: lstrlenA.KERNEL32(00420DB0,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030F8,00000000,?), ref: 00405564
                                            • Part of subcall function 0040552B: lstrlenA.KERNEL32(004030F8,00420DB0,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030F8,00000000), ref: 00405574
                                            • Part of subcall function 0040552B: lstrcatA.KERNEL32(00420DB0,004030F8,004030F8,00420DB0,00000000,00000000,00000000), ref: 00405587
                                            • Part of subcall function 0040552B: SetWindowTextA.USER32(00420DB0,00420DB0), ref: 00405599
                                            • Part of subcall function 0040552B: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004055BF
                                            • Part of subcall function 0040552B: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 004055D9
                                            • Part of subcall function 0040552B: SendMessageA.USER32(?,00001013,?,00000000), ref: 004055E7
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.3439475743.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000002.00000002.3439462217.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439489435.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.0000000000410000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.0000000000423000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.0000000000427000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.000000000042C000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.0000000000431000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439589373.0000000000436000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Au_.jbxd
                                          Similarity
                                          • API ID: MessageSendlstrlen$lstrcat$CompareFileTextTimeWindowlstrcpynwvsprintf
                                          • String ID: C:\Users\user\AppData\Local\Temp\nslC943.tmp$C:\Users\user\AppData\Local\Temp\nslC943.tmp\InstallOptions.dll$C:\Users\user\Desktop\$File: error creating "%s"$File: error, user abort$File: error, user cancel$File: error, user retry$File: overwriteflag=%d, allowskipfilesflag=%d, name="%s"$File: skipped: "%s" (overwriteflag=%d)$File: wrote %d to "%s"$show
                                          • API String ID: 4286501637-1684548421
                                          • Opcode ID: 0724c35fb236221f4b574d59a3aecd957e911db8adaeec6d51cd7d9740fba54e
                                          • Instruction ID: 17351c833ff884be99ebbe4ca3dd04e93fba0c18e006415c8e205a2e39f5817b
                                          • Opcode Fuzzy Hash: 0724c35fb236221f4b574d59a3aecd957e911db8adaeec6d51cd7d9740fba54e
                                          • Instruction Fuzzy Hash: A251E871A14214BACF107BB5DC4AEAF3668DF05339B21423FF416B11E1DB7C49518A6E

                                          Control-flow Graph (graph rendering not reproduced)
                                          APIs
                                          • SetWindowLongA.USER32(00000004,Function_000019E7), ref: 03A1274C
                                          • SendMessageA.USER32(0000040D,00000000), ref: 03A12767
                                          • ShowWindow.USER32(00000008,0000040D,00000000), ref: 03A1277A
                                          • KiUserCallbackDispatcher.NTDLL(?,00000000,00000000,00000000), ref: 03A12796
                                          • IsDialogMessageA.USER32(?), ref: 03A127A7
                                          • IsDialogMessageA.USER32(?), ref: 03A127B8
                                          • TranslateMessage.USER32(?), ref: 03A127C3
                                          • DispatchMessageA.USER32(?), ref: 03A127CE
                                          • SetWindowLongA.USER32(00000004), ref: 03A127F7
                                          • DestroyWindow.USER32 ref: 03A127FF
                                          • ShowWindow.USER32(?), ref: 03A12821
                                          • DeleteObject.GDI32(?), ref: 03A12890
                                          • DestroyIcon.USER32(?,76937CE0), ref: 03A1289F
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.3440450729.0000000003A11000.00000020.00000001.01000000.0000000B.sdmp, Offset: 03A10000, based on PE: true
                                          • Associated: 00000002.00000002.3440439222.0000000003A10000.00000002.00000001.01000000.0000000B.sdmp
                                          • Associated: 00000002.00000002.3440462301.0000000003A13000.00000002.00000001.01000000.0000000B.sdmp
                                          • Associated: 00000002.00000002.3440473932.0000000003A14000.00000004.00000001.01000000.0000000B.sdmp
                                          • Associated: 00000002.00000002.3440486457.0000000003A18000.00000002.00000001.01000000.0000000B.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_3a10000_Au_.jbxd
                                          Similarity
                                          • API ID: MessageWindow$DestroyDialogLongShow$CallbackDeleteDispatchDispatcherIconObjectSendTranslateUser
                                          • String ID: back$cancel$success
                                          • API String ID: 90777642-2779835836
                                          • Opcode ID: a25e9aab8da46ee1436dea23841e526380fbbcc59830500a6ff8d176c5a64ab9
                                          • Instruction ID: c0ad0f0a4cd5099680cae0bb959f5d118ee94814f338f9b7e2409e8b031b8312
                                          • Opcode Fuzzy Hash: a25e9aab8da46ee1436dea23841e526380fbbcc59830500a6ff8d176c5a64ab9
                                          • Instruction Fuzzy Hash: 5941C136500349EFCB20FF65ED449167BBAFB46781B04092AFA51D6178C732D86ADF21

                                          Control-flow Graph (graph rendering not reproduced)
                                          APIs
                                          • GetTickCount.KERNEL32 ref: 00403134
                                          • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe,00000400), ref: 00403150
                                            • Part of subcall function 00405FA4: GetFileAttributesA.KERNEL32(00000003,00403163,C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe,80000000,00000003), ref: 00405FA8
                                            • Part of subcall function 00405FA4: CreateFileA.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 00405FCA
                                          • GetFileSize.KERNEL32(00000000,00000000,0042E000,00000000,C:\Users\user\AppData\Local\Temp\~nsuA.tmp,C:\Users\user\AppData\Local\Temp\~nsuA.tmp,C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe,C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe,80000000,00000003), ref: 00403199
                                          • GlobalAlloc.KERNEL32(00000040,?), ref: 004032E0
                                          Strings
                                          • Inst, xrefs: 00403207
                                          • soft, xrefs: 00403210
                                          • C:\Users\user\AppData\Local\Temp\, xrefs: 0040312D, 004032F8
                                          • Null, xrefs: 00403219
                                          • C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe, xrefs: 0040313A, 00403149, 0040315D, 0040317A
                                          • Error launching installer, xrefs: 00403170
                                          • Installer integrity check has failed. Common causes include incomplete download and damaged media. Contact the installer's author to obtain a new copy. More information at: http://nsis.sf.net/NSIS_Error, xrefs: 00403377
                                          • "C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe" , xrefs: 00403120
                                          • Error writing temporary file. Make sure your temp folder is valid., xrefs: 00403329
                                          • C:\Users\user\AppData\Local\Temp\~nsuA.tmp, xrefs: 0040317B, 00403180, 00403186
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.3439475743.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000002.00000002.3439462217.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439489435.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.0000000000410000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.0000000000423000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.0000000000427000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.000000000042C000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.0000000000431000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439589373.0000000000436000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Au_.jbxd
                                          Similarity
                                          • API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
                                          • String ID: "C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe" $C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\~nsuA.tmp$C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
                                          • API String ID: 2803837635-3567043747
                                          • Opcode ID: 4cf895d843c1e51e5214ca8c183206d7589522ef64cf37b5abe811079b5ea464
                                          • Instruction ID: 96d146e497d990707c57d5b2e40503737fdf144c81fc00ef777e1dfa3ff37f12
                                          • Opcode Fuzzy Hash: 4cf895d843c1e51e5214ca8c183206d7589522ef64cf37b5abe811079b5ea464
                                          • Instruction Fuzzy Hash: 4661F671A00214ABDB20AF64DD85BAE7FACAB04316F61447FF940B72D1CB3C9A418B5D

                                          Control-flow Graph

                                          APIs
                                          • GetCapture.USER32 ref: 100010B8
                                          • SendMessageA.USER32(?,00000030,00000000), ref: 100010CD
                                          • InvalidateRect.USER32(?,00000000,00000000), ref: 100010D8
                                          • SetCapture.USER32(?), ref: 100010DF
                                          • GetWindowRect.USER32(?,?), ref: 100010EC
                                          • ClientToScreen.USER32(?,?), ref: 10001107
                                          • PtInRect.USER32(?,?,?), ref: 10001117
                                          • SendDlgItemMessageA.USER32(?,00000030,00000000), ref: 1000112B
                                          • InvalidateRect.USER32(?,00000000,00000000), ref: 10001136
                                          • SetDlgItemTextA.USER32 ref: 1000113C
                                          • CallWindowProcA.USER32(?,00000200,?,?), ref: 10001152
                                          • SetCursor.USER32 ref: 10001161
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.3440554333.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 00000002.00000002.3440542193.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                          • Associated: 00000002.00000002.3440566258.0000000010002000.00000002.00000001.01000000.00000007.sdmp
                                          • Associated: 00000002.00000002.3440578387.0000000010003000.00000004.00000001.01000000.00000007.sdmp
                                          • Associated: 00000002.00000002.3440590369.0000000010004000.00000002.00000001.01000000.00000007.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_10000000_Au_.jbxd
                                          Similarity
                                          • API ID: Rect$CaptureInvalidateItemMessageSendWindow$CallClientCursorProcScreenText
                                          • String ID:
                                          • API String ID: 3670556111-3916222277
                                          • Opcode ID: 8c2edf1ee4263d53ed0fbb4dc934b7f9fbb8ac039e1be9a10c550e2cb2bc73bd
                                          • Instruction ID: 3a2e42d8f5861b05cd0f484eca161aee98a157bdc6ba3a99a838d0896b5d053a
                                          • Opcode Fuzzy Hash: 8c2edf1ee4263d53ed0fbb4dc934b7f9fbb8ac039e1be9a10c550e2cb2bc73bd
                                          • Instruction Fuzzy Hash: 39210832501229FBFB16AFA0CD89BDE7BBDEF08781F108011FA01A5069C7749A55DFA5

                                          Control-flow Graph (graph rendering not reproduced)
                                          APIs
                                          • GetModuleHandleA.KERNEL32(00000000,00000001,000000F0), ref: 00402214
                                            • Part of subcall function 0040552B: lstrlenA.KERNEL32(00420DB0,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030F8,00000000,?), ref: 00405564
                                            • Part of subcall function 0040552B: lstrlenA.KERNEL32(004030F8,00420DB0,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030F8,00000000), ref: 00405574
                                            • Part of subcall function 0040552B: lstrcatA.KERNEL32(00420DB0,004030F8,004030F8,00420DB0,00000000,00000000,00000000), ref: 00405587
                                            • Part of subcall function 0040552B: SetWindowTextA.USER32(00420DB0,00420DB0), ref: 00405599
                                            • Part of subcall function 0040552B: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004055BF
                                            • Part of subcall function 0040552B: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 004055D9
                                            • Part of subcall function 0040552B: SendMessageA.USER32(?,00001013,?,00000000), ref: 004055E7
                                            • Part of subcall function 00406747: lstrlenA.KERNEL32(File: skipped: "C:\Users\user\AppData\Local\Temp\nslC943.tmp\InstallOptions.dll" (overwriteflag=1),?,?,00000000,00405D75,RMDir: RemoveDirectory("%s"),?,?,?), ref: 0040675E
                                            • Part of subcall function 00406747: wvsprintfA.USER32(00000000,File: skipped: "C:\Users\user\AppData\Local\Temp\nslC943.tmp\InstallOptions.dll" (overwriteflag=1),?), ref: 00406766
                                          • LoadLibraryExA.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 00402225
                                          • GetProcAddress.KERNEL32(?,?), ref: 0040223C
                                          • FreeLibrary.KERNEL32(?,?), ref: 004022BC
                                          Strings
                                          • Error registering DLL: Could not load %s, xrefs: 004022CF
                                          • Error registering DLL: %s not found in %s, xrefs: 00402293
                                          • Error registering DLL: Could not initialize OLE, xrefs: 004022E7
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.3439475743.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000002.00000002.3439462217.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439489435.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.0000000000410000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.0000000000423000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.0000000000427000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.000000000042C000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.0000000000431000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439589373.0000000000436000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Au_.jbxd
                                          Similarity
                                          • API ID: MessageSendlstrlen$Library$AddressFreeHandleLoadModuleProcTextWindowlstrcatwvsprintf
                                          • String ID: Error registering DLL: %s not found in %s$Error registering DLL: Could not initialize OLE$Error registering DLL: Could not load %s
                                          • API String ID: 3271377537-945480824
                                          • Opcode ID: 24048724a9ac06ccc5715d981e71ea74bcba6b6cb785788758c0bf0f3e52e316
                                          • Instruction ID: c758e62e292b85024776478069b6dbefcb92a1905fe08cf12c5b39257b8ea98b
                                          • Opcode Fuzzy Hash: 24048724a9ac06ccc5715d981e71ea74bcba6b6cb785788758c0bf0f3e52e316
                                          • Instruction Fuzzy Hash: C221B132904205BBCF106FA1DE49B9E7A70AF08358F60417FF410B11E0DBBD4A919A2E

                                          Control-flow Graph (graph rendering not reproduced)
                                          APIs
                                          • SendMessageA.USER32(?,0000000E,00000000,00000000), ref: 03A11A2F
                                          • CallWindowProcA.USER32(?,?,?,?), ref: 03A11A7D
                                          • PostMessageA.USER32(00000010,00000000,00000000), ref: 03A11AB8
                                          • GetWindowTextA.USER32(?,00000400,?), ref: 03A11ADF
                                          • MessageBoxA.USER32(00000000,?,00000030), ref: 03A11AF7
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.3440450729.0000000003A11000.00000020.00000001.01000000.0000000B.sdmp, Offset: 03A10000, based on PE: true
                                          • Associated: 00000002.00000002.3440439222.0000000003A10000.00000002.00000001.01000000.0000000B.sdmp
                                          • Associated: 00000002.00000002.3440462301.0000000003A13000.00000002.00000001.01000000.0000000B.sdmp
                                          • Associated: 00000002.00000002.3440473932.0000000003A14000.00000004.00000001.01000000.0000000B.sdmp
                                          • Associated: 00000002.00000002.3440486457.0000000003A18000.00000002.00000001.01000000.0000000B.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_3a10000_Au_.jbxd
                                          Similarity
                                          • API ID: Message$Window$CallPostProcSendText
                                          • String ID: x
                                          • API String ID: 630778482-2363233923
                                          • Opcode ID: 7f1b1604d9be6b02784bffc1674ff0c521b1c4ced2b6d53bb2ffbb28b8395263
                                          • Instruction ID: ea39d0a4fd146e2bacb7fa06f63d2fa4d95fbccd28ac57debc2091fb1e81bf9c
                                          • Opcode Fuzzy Hash: 7f1b1604d9be6b02784bffc1674ff0c521b1c4ced2b6d53bb2ffbb28b8395263
                                          • Instruction Fuzzy Hash: 28318935600206EBCF21EF55EE40B69BBBAFB00755F18452EEB42A51A4C371A9A6CF50

                                          Control-flow Graph (graph rendering not reproduced)
                                          APIs
                                            • Part of subcall function 004062CD: lstrcpynA.KERNEL32(?,?,00000400,00403795,LogicLinx 3.31 Uninstall,NSIS Error), ref: 004062DA
                                          • WritePrivateProfileStringA.KERNEL32(?,?,?,00000000), ref: 004025AA
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.3439475743.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000002.00000002.3439462217.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439489435.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.0000000000410000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.0000000000423000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.0000000000427000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.000000000042C000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.0000000000431000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439589373.0000000000436000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Au_.jbxd
                                          Similarity
                                          • API ID: PrivateProfileStringWritelstrcpyn
                                          • String ID: <RM>$C:\Users\user\AppData\Local\Temp\nslC943.tmp$C:\Users\user\AppData\Local\Temp\nslC943.tmp\InstallOptions.dll$WriteINIStr: wrote [%s] %s=%s in %s$show
                                          • API String ID: 247603264-2381417605
                                          • Opcode ID: 761816c344bc7c14fad519cf076e7676c334ba530189723ea92024271b26ca30
                                          • Instruction ID: 330d2e4d02b989cca60e921ba8ea68942becdf5f63010b794772c6dbbebc1385
                                          • Opcode Fuzzy Hash: 761816c344bc7c14fad519cf076e7676c334ba530189723ea92024271b26ca30
                                          • Instruction Fuzzy Hash: B6012C71D40259BACF04BFA18E499AF7974AF44354F10443FB515761C2C7BC0A50CBAD
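The "API ID" printed in each Similarity block is a normalised key over the API calls listed above it, and it is the field a practitioner would match on to cluster functions across reports of different samples. The script below is an added example, not Joe Sandbox's code: the grouping rule it implements is inferred from the entries on this page and is an assumption, not a documented format. It reads "APIs" lines as they are printed here, recomputes the key, and compares it with the value the report prints, so the inference can be checked against the report's own data.

```python
"""Rebuild a Joe Sandbox "API ID" similarity key from a function's API list.

The rule is inferred from the entries on this page (assumption: it is not
taken from Joe Sandbox documentation or code):
  * each API name loses a Get/Set prefix and an A/W/Ex suffix;
  * a CamelCase name splits into words, a lowercase name (lstrlenA) stays whole;
  * words are counted across every listed call, "Part of subcall" lines included;
  * words are grouped by descending count, sorted within a group in ASCII order
    (uppercase before lowercase), and the groups are joined with "$".
"""
import re
from collections import Counter

_PREFIXES = ("Get", "Set")
_SUFFIXES = ("ExA", "ExW", "Ex", "A", "W")
# "<ApiName>.<MODULE>" as printed in an APIs list, e.g. "GetTickCount.KERNEL32 ref: ..."
_API_CALL = re.compile(r"\b([A-Za-z_]\w*)\.[A-Z][A-Z0-9_]*\b")


def api_words(name):
    """Split one API name into the words the key is built from."""
    for suffix in _SUFFIXES:
        if name.endswith(suffix) and len(name) > len(suffix):
            name = name[: -len(suffix)]
            break
    for prefix in _PREFIXES:
        if name.startswith(prefix) and len(name) > len(prefix):
            name = name[len(prefix):]
            break
    if name[0].islower():  # lstrlen, lstrcpyn, wsprintf: kept as one word
        return [name]
    return re.findall(r"[A-Z][a-z0-9]*", name)


def api_id(names):
    """Frequency-grouped, sorted, '$'-joined key over a list of API names."""
    counts = Counter(word for name in names for word in api_words(name))
    groups = []
    for freq in sorted(set(counts.values()), reverse=True):
        groups.append("".join(sorted(w for w, c in counts.items() if c == freq)))
    return "$".join(groups)


def api_names(api_lines):
    """Pull the API names out of the 'APIs' lines of one report entry."""
    names = []
    for line in api_lines:
        match = _API_CALL.search(line)
        if match:
            names.append(match.group(1))
    return names


# APIs lines copied from entries on this page (argument lists elided), keyed by
# the API ID the report prints for that entry.
PAGE_ENTRIES = {
    "PrivateProfileStringWritelstrcpyn": [
        "• Part of subcall function 004062CD: lstrcpynA.KERNEL32(...), ref: 004062DA",
        "• WritePrivateProfileStringA.KERNEL32(...), ref: 004025AA",
    ],
    "DirectoryLibraryLoadSystemwsprintf": [
        "• GetSystemDirectoryA.KERNEL32(?,00000104), ref: 004067B3",
        "• wsprintfA.USER32 ref: 004067EC",
        "• LoadLibraryExA.KERNEL32(?,00000000,00000008), ref: 00406800",
    ],
    "File$Read$PointerWrite": [
        "• SetFilePointer.KERNEL32(...), ref: 004033ED",
        "• ReadFile.KERNEL32(...), ref: 0040341A",
        "• ReadFile.KERNEL32(...), ref: 00403474",
        "• WriteFile.KERNEL32(...), ref: 0040348C",
    ],
    "ErrorLast$CreateDirectoryFileSecurity": [
        "• CreateDirectoryA.KERNEL32(0000005C,00000000,00000000), ref: 00405A65",
        "• GetLastError.KERNEL32 ref: 00405A79",
        "• SetFileSecurityA.ADVAPI32(0000005C,80000007,00000001), ref: 00405A8E",
        "• GetLastError.KERNEL32 ref: 00405A98",
    ],
    "CharNext$AttributesFilelstrcpynlstrlen": [
        "• Part of subcall function 004062CD: lstrcpynA.KERNEL32(...), ref: 004062DA",
        "• Part of subcall function 00405E54: CharNextA.USER32(...), ref: 00405E62",
        "• Part of subcall function 00405E54: CharNextA.USER32(00000000), ref: 00405E67",
        "• Part of subcall function 00405E54: CharNextA.USER32(00000000), ref: 00405E76",
        "• lstrlenA.KERNEL32(...), ref: 00405EF4",
        "• GetFileAttributesA.KERNEL32(...), ref: 00405F04",
    ],
}


def mismatches():
    """API IDs on this page whose recomputed key differs from the printed one."""
    return [key for key, lines in PAGE_ENTRIES.items() if api_id(api_names(lines)) != key]


if __name__ == "__main__":
    for key, lines in PAGE_ENTRIES.items():
        print(f"{api_id(api_names(lines)):45} page: {key}")
    print("mismatches:", mismatches())
```

Running the file prints the recomputed key beside the printed one for the embedded entries. A non-empty `mismatches()` result means the inferred rule does not cover that entry; names with an acronym such as GetDC, or a suffix other than A/W/Ex, are outside what this page lets one verify.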
                                          APIs
                                          • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 004067B3
                                          • wsprintfA.USER32 ref: 004067EC
                                          • LoadLibraryExA.KERNEL32(?,00000000,00000008), ref: 00406800
                                          Similarity
                                          • API ID: DirectoryLibraryLoadSystemwsprintf
                                          • String ID: %s%s.dll$UXTHEME$\
                                          • API String ID: 2200240437-4240819195
                                          • Opcode ID: 47418d738528084b0ee49106b6891bde69050c906b93663faea48a45202ea939
                                          • Instruction ID: 1df609921a5ab3350e05677d7081392002f03ef46e330c3fe87cf6dcec657825
                                          • Opcode Fuzzy Hash: 47418d738528084b0ee49106b6891bde69050c906b93663faea48a45202ea939
                                          • Instruction Fuzzy Hash: 9EF0F6305002196BEB159B64DD0DFEB376CEB08309F14047FA686F21C1EA78D9398B59
                                          APIs
                                          • GetTickCount.KERNEL32 ref: 00405FE6
                                          • GetTempFileNameA.KERNEL32(?,0061736E,00000000,?), ref: 00406000
                                          Similarity
                                          • API ID: CountFileNameTempTick
                                          • String ID: "C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe" $C:\Users\user\AppData\Local\Temp\$nsa
                                          • API String ID: 1716503409-4273898395
                                          • Opcode ID: 1ccc6076cc6f692e90f1f6ac9548860c4ee378c8d524266ab38a343d99036947
                                          • Instruction ID: 4ac0bde53fcefe63c64b79b14273c973a9021de8d5de8166d4f532f707e8062d
                                          • Opcode Fuzzy Hash: 1ccc6076cc6f692e90f1f6ac9548860c4ee378c8d524266ab38a343d99036947
                                          • Instruction Fuzzy Hash: 80F0A7363482487AE7108F55DC04BDB7F5DDFD1760F14C03BFA449E280D6B0999897A4
                                          APIs
                                          • SetFilePointer.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,?,?,?,00403372,000000FF,00000000,00000000,?,?), ref: 004033ED
                                          • ReadFile.KERNEL32(?,00000004,?,00000000,00000004,00000000,00000000,00000000,?,?,?,00403372,000000FF,00000000,00000000,?), ref: 0040341A
                                          • ReadFile.KERNEL32(00414980,00004000,?,00000000,?,?,00403372,000000FF,00000000,00000000,?,?), ref: 00403474
                                          • WriteFile.KERNEL32(00000000,00414980,?,000000FF,00000000,?,00403372,000000FF,00000000,00000000,?,?), ref: 0040348C
                                          Similarity
                                          • API ID: File$Read$PointerWrite
                                          • String ID:
                                          • API String ID: 2113905535-0
                                          • Opcode ID: 112533716f36a3d83ab0f8b5c1aa6b6122a43ce20d09c48fb3034a37057bef72
                                          • Instruction ID: fa80a256ba8ad7dbbe951804ed4cdf19961f9577527713a1418254d24a88ff6f
                                          • Opcode Fuzzy Hash: 112533716f36a3d83ab0f8b5c1aa6b6122a43ce20d09c48fb3034a37057bef72
                                          • Instruction Fuzzy Hash: D0314831500209EBCB22CF95DE80AAE7FBCEB41365B24403AF504AA190D7399A90DB69
                                          APIs
                                          • SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401E34
                                          • SendMessageA.USER32(00000000,00000000,?,?), ref: 00401E4C
                                          Similarity
                                          • API ID: MessageSend$Timeout
                                          • String ID: !
                                          • API String ID: 1777923405-2657877971
                                          • Opcode ID: 4dc8f70aa0e183750effb2cde1311245b6065c9c0ffff7879e43e580c0dc7d9c
                                          • Instruction ID: 183b73fb6a545bb1246e923ab68f4d664312321a500069d7f5b6b65c517e0d36
                                          • Opcode Fuzzy Hash: 4dc8f70aa0e183750effb2cde1311245b6065c9c0ffff7879e43e580c0dc7d9c
                                          • Instruction Fuzzy Hash: CC219071940149BFDF01AFB0C94AAAE7BB5EF44304F10407EFA41B61D1D7B84A41DB98
                                          APIs
                                          • GetTickCount.KERNEL32 ref: 00403506
                                            • Part of subcall function 0040369F: SetFilePointer.KERNEL32(00000000,00000000,00000000,0040334B,?), ref: 004036AD
                                          • SetFilePointer.KERNEL32(00000000,00000000,?,00000000,?,004033FC,00000004,00000000,00000000,00000000,?,?,?,00403372,000000FF,00000000), ref: 00403539
                                          • WriteFile.KERNEL32(0040C980,0040E2C6,00000000,00000000,00414980,00004000,?,00000000,?,004033FC,00000004,00000000,00000000,00000000,?,?), ref: 004035F3
                                          • SetFilePointer.KERNEL32(0000FABE,00000000,00000000,00414980,00004000,?,00000000,?,004033FC,00000004,00000000,00000000,00000000,?,?), ref: 00403645
                                          Similarity
                                          • API ID: File$Pointer$CountTickWrite
                                          • String ID:
                                          • API String ID: 2146148272-0
                                          • Opcode ID: 1d643077d58e843cc00f83a3fa99e53f6c2b0296ddedef6d0ab7d02d506ede07
                                          • Instruction ID: 26932a1e78feeb0b77edab523d175b5838434cf18410dc30452224d4f843c6ae
                                          • Opcode Fuzzy Hash: 1d643077d58e843cc00f83a3fa99e53f6c2b0296ddedef6d0ab7d02d506ede07
                                          • Instruction Fuzzy Hash: EB41CFB2501205EFDB20EF28EE848263BACF785356705463FE841B32A1D7355A468F9D
                                          APIs
                                          • CreateDirectoryA.KERNEL32(0000005C,00000000,00000000), ref: 00405A65
                                          • GetLastError.KERNEL32 ref: 00405A79
                                          • SetFileSecurityA.ADVAPI32(0000005C,80000007,00000001), ref: 00405A8E
                                          • GetLastError.KERNEL32 ref: 00405A98
                                          Similarity
                                          • API ID: ErrorLast$CreateDirectoryFileSecurity
                                          • String ID:
                                          • API String ID: 3449924974-0
                                          • Opcode ID: b4292ae52da0fc50f84fd512a3e5f3cdca8938f352655cb7b0d8c38ac6c39cdd
                                          • Instruction ID: 8b3c49f02a17c259515d84f04faf51af5275248166455e8be91c75529944b3c1
                                          • Opcode Fuzzy Hash: b4292ae52da0fc50f84fd512a3e5f3cdca8938f352655cb7b0d8c38ac6c39cdd
                                          • Instruction Fuzzy Hash: 77010871D00619DADF009BA0D944BEFBBB8EB04344F00853AD545B6190D77896088F99
                                          APIs
                                            • Part of subcall function 004062CD: lstrcpynA.KERNEL32(?,?,00000400,00403795,LogicLinx 3.31 Uninstall,NSIS Error), ref: 004062DA
                                            • Part of subcall function 00405E54: CharNextA.USER32(00405BAD,?,C:\Users\user\AppData\Local\Temp\nslC943.tmp,00000000,00405EB8,C:\Users\user\AppData\Local\Temp\nslC943.tmp,C:\Users\user\AppData\Local\Temp\nslC943.tmp,?,?,76232EE0,00405BAD,?,C:\Users\user\AppData\Local\Temp\,76232EE0), ref: 00405E62
                                            • Part of subcall function 00405E54: CharNextA.USER32(00000000), ref: 00405E67
                                            • Part of subcall function 00405E54: CharNextA.USER32(00000000), ref: 00405E76
                                          • lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nslC943.tmp,00000000,C:\Users\user\AppData\Local\Temp\nslC943.tmp,C:\Users\user\AppData\Local\Temp\nslC943.tmp,?,?,76232EE0,00405BAD,?,C:\Users\user\AppData\Local\Temp\,76232EE0), ref: 00405EF4
                                          • GetFileAttributesA.KERNEL32(C:\Users\user\AppData\Local\Temp\nslC943.tmp,C:\Users\user\AppData\Local\Temp\nslC943.tmp,C:\Users\user\AppData\Local\Temp\nslC943.tmp,C:\Users\user\AppData\Local\Temp\nslC943.tmp,C:\Users\user\AppData\Local\Temp\nslC943.tmp,C:\Users\user\AppData\Local\Temp\nslC943.tmp,00000000,C:\Users\user\AppData\Local\Temp\nslC943.tmp,C:\Users\user\AppData\Local\Temp\nslC943.tmp,?,?,76232EE0,00405BAD,?,C:\Users\user\AppData\Local\Temp\,76232EE0), ref: 00405F04
                                          Similarity
                                          • API ID: CharNext$AttributesFilelstrcpynlstrlen
                                          • String ID: C:\Users\user\AppData\Local\Temp\nslC943.tmp
                                          • API String ID: 3248276644-76981094
                                          • Opcode ID: dbfd0eb15a0aee7a56b9524eaabc91726594297034a6f990c90e67fba31c6c96
                                          • Instruction ID: 0a9ec8cc8701c190d5637e4eaeae3a47b1d3f29b87e2c858e077ece57a352d20
                                          • Opcode Fuzzy Hash: dbfd0eb15a0aee7a56b9524eaabc91726594297034a6f990c90e67fba31c6c96
                                          • Instruction Fuzzy Hash: 8DF0F435115D6116D622333A9C09AAF2A18CE82328716053FF8E2B22D1DB3C8B4389FD
                                          APIs
                                          • ShowWindow.USER32(00000000,00000000,00000001), ref: 00401FE4
                                            • Part of subcall function 00406747: lstrlenA.KERNEL32(File: skipped: "C:\Users\user\AppData\Local\Temp\nslC943.tmp\InstallOptions.dll" (overwriteflag=1),?,?,00000000,00405D75,RMDir: RemoveDirectory("%s"),?,?,?), ref: 0040675E
                                            • Part of subcall function 00406747: wvsprintfA.USER32(00000000,File: skipped: "C:\Users\user\AppData\Local\Temp\nslC943.tmp\InstallOptions.dll" (overwriteflag=1),?), ref: 00406766
                                          • EnableWindow.USER32(00000000,00000000), ref: 00401FEF
                                          Similarity
                                          • API ID: Window$EnableShowlstrlenwvsprintf
                                          • String ID: HideWindow
                                          • API String ID: 1249568736-780306582
                                          • Opcode ID: f0d48a8803fa8f0ca2c5ece0b97e20779280f43af8e2efb5e59398eeb2453848
                                          • Instruction ID: f9bbae7df7fa4fde6100788e383a183b323f94d17af37d41b00e3582981cb5ce
                                          • Opcode Fuzzy Hash: f0d48a8803fa8f0ca2c5ece0b97e20779280f43af8e2efb5e59398eeb2453848
                                          • Instruction Fuzzy Hash: 93E09232600201DBCB10ABF5EE4999EB2B0AF44359B60043FE441F60D2DB7D8C41D67D
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 684942fe2b15b730065f226559e9be9e555d3a3d5e7fc0d9885530a7e2266171
                                          • Instruction ID: 8000226e84d3b017bc6d44c3bedd15163eea413bd8593d328e7b0baad47f3587
                                          • Opcode Fuzzy Hash: 684942fe2b15b730065f226559e9be9e555d3a3d5e7fc0d9885530a7e2266171
                                          • Instruction Fuzzy Hash: 58A15371E04229CBDF28CFA8C8447ADBBB1FB44305F15806ED856BB281D7786A86DF45
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 6bde7381304b81b3e09b27403b539467510d0fe95a90e5b4d7cfee1ed51f2236
                                          • Instruction ID: 759a5e24e10d50352dbc8de058c790801aa45a8a44818c86e8f054c705910e48
                                          • Opcode Fuzzy Hash: 6bde7381304b81b3e09b27403b539467510d0fe95a90e5b4d7cfee1ed51f2236
                                          • Instruction Fuzzy Hash: 1F913470D04229CBEF28CF98C8447ADBBB1FB44305F15816ED856BB281C778AA86DF45
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.3439475743.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000002.00000002.3439462217.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439489435.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.0000000000410000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.0000000000423000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.0000000000427000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.000000000042C000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.0000000000431000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439589373.0000000000436000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Au_.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: e39de615352b626232416b4053d525421749ef36ddd4b9844f136144ab3fe8ed
                                          • Instruction ID: 1b2002c04af769fb6654495406821102eaccec2ab4c63d4c1d8c12c5004552e8
                                          • Opcode Fuzzy Hash: e39de615352b626232416b4053d525421749ef36ddd4b9844f136144ab3fe8ed
                                          • Instruction Fuzzy Hash: B7815671E04228CFDF24CFA9C8447ADBBB1FB44305F25816AD856BB281C7389986DF55
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.3439475743.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000002.00000002.3439462217.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439489435.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.0000000000410000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.0000000000423000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.0000000000427000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.000000000042C000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.0000000000431000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439589373.0000000000436000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Au_.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 509badd97ca0faa3f5d71b944ab43e2a447e2d4a76e4aeed0a6ea4a78de18d41
                                          • Instruction ID: 61fe4de2002a16c4612afb9d07323b890c67664fa2f3b9718a96419d1d375b0a
                                          • Opcode Fuzzy Hash: 509badd97ca0faa3f5d71b944ab43e2a447e2d4a76e4aeed0a6ea4a78de18d41
                                          • Instruction Fuzzy Hash: 42819971D04228DBEF24CFA9C8447ADBBB0FB44305F15816AD856BB2C1C778698ADF45
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.3439475743.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000002.00000002.3439462217.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439489435.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.0000000000410000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.0000000000423000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.0000000000427000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.000000000042C000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.0000000000431000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439589373.0000000000436000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Au_.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 234d8de6b1a4825162bd56f0f275484faa6be4a536daf5717bc33d46969e13ad
                                          • Instruction ID: 41aba942b39599c1692c10913d65046045a3e4a9d9b4861b7f06a8ff37ecbfc8
                                          • Opcode Fuzzy Hash: 234d8de6b1a4825162bd56f0f275484faa6be4a536daf5717bc33d46969e13ad
                                          • Instruction Fuzzy Hash: E0713471E04228CBDF24CFA9C8447ADBBB1FB44305F15806AD856BB281D738A986DF15
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.3439475743.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000002.00000002.3439462217.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439489435.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.0000000000410000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.0000000000423000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.0000000000427000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.000000000042C000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.0000000000431000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439589373.0000000000436000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Au_.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: cb9a1c794173ec10a6f2dd2a1ae7cf519846913fbb24b072de2017ae18864e5d
                                          • Instruction ID: dbd92b475a9d0607fb1399eb60c35f34c7c8d9ad23197981acbd8ddbf59fdd3c
                                          • Opcode Fuzzy Hash: cb9a1c794173ec10a6f2dd2a1ae7cf519846913fbb24b072de2017ae18864e5d
                                          • Instruction Fuzzy Hash: AD714671E04228CBEF28CFA9C8447ADBBB1FF44305F15806AD816BB281C7389986DF55
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.3439475743.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000002.00000002.3439462217.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439489435.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.0000000000410000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.0000000000423000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.0000000000427000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.000000000042C000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.0000000000431000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439589373.0000000000436000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Au_.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 5f551091bef97c8d90c96c086bb2fc810a191328d3c3cc4ee86ad8ead6d95e62
                                          • Instruction ID: 13446529a524af4b77d0006a34a1fb508395f1689c279074a8e075742fa5827d
                                          • Opcode Fuzzy Hash: 5f551091bef97c8d90c96c086bb2fc810a191328d3c3cc4ee86ad8ead6d95e62
                                          • Instruction Fuzzy Hash: CB715671E04229CBEF28CF99C8447ADBBB1FF44305F15806AD856BB281C738A986DF45
                                          APIs
                                          • SendMessageA.USER32(00000408,?,00000000,004040DB), ref: 00404497
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.3439475743.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000002.00000002.3439462217.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439489435.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.0000000000410000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.0000000000423000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.0000000000427000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.000000000042C000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.0000000000431000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439589373.0000000000436000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Au_.jbxd
                                          Similarity
                                          • API ID: MessageSend
                                          • String ID: x
                                          • API String ID: 3850602802-2363233923
                                          • Opcode ID: 612983b6fd4e749bcc0da6ef45d44fb209fd6786f015263cae2c46ce03c0a988
                                          • Instruction ID: d9b7b3ad1dfe9f77e15bdbe809bc3705bce75bff37a43b44b75ed23140966660
                                          • Opcode Fuzzy Hash: 612983b6fd4e749bcc0da6ef45d44fb209fd6786f015263cae2c46ce03c0a988
                                          • Instruction Fuzzy Hash: 30C012B1240201AECB209B00DE00F1A7A30ABA0702F12803DF390240B286301463EF1C
                                          APIs
                                          • GetPrivateProfileStringA.KERNEL32(03A113DE,03A16810,All Files|*.*,00002000,03A113DE,?), ref: 03A113CC
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.3440450729.0000000003A11000.00000020.00000001.01000000.0000000B.sdmp, Offset: 03A10000, based on PE: true
                                          • Associated: 00000002.00000002.3440439222.0000000003A10000.00000002.00000001.01000000.0000000B.sdmp
                                          • Associated: 00000002.00000002.3440462301.0000000003A13000.00000002.00000001.01000000.0000000B.sdmp
                                          • Associated: 00000002.00000002.3440473932.0000000003A14000.00000004.00000001.01000000.0000000B.sdmp
                                          • Associated: 00000002.00000002.3440486457.0000000003A18000.00000002.00000001.01000000.0000000B.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_3a10000_Au_.jbxd
                                          Similarity
                                          • API ID: PrivateProfileString
                                          • String ID: All Files|*.*
                                          • API String ID: 1096422788-1532680088
                                          • Opcode ID: d59bd1c9f41b6467fea3bbfb9850ee891fcbd1acf369eea0f7fbbed9d47872a7
                                          • Instruction ID: d0c11f014d1499dcc6a0a03b62b5e2af4bdc6c1bc8118ee56fc4bac49535a3a3
                                          • Opcode Fuzzy Hash: d59bd1c9f41b6467fea3bbfb9850ee891fcbd1acf369eea0f7fbbed9d47872a7
                                          • Instruction Fuzzy Hash: 15C012362A6340BEDE12EB08AE0AF083A72F315B04F250011B560A10BEC2A61036DA0D
                                          APIs
                                          • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                                          • SendMessageA.USER32(00000020,00000402,00000000), ref: 004013F4
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.3439475743.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000002.00000002.3439462217.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439489435.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.0000000000410000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.0000000000423000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.0000000000427000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.000000000042C000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.0000000000431000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439589373.0000000000436000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Au_.jbxd
                                          Similarity
                                          • API ID: MessageSend
                                          • String ID:
                                          • API String ID: 3850602802-0
                                          • Opcode ID: 7668a4d104ee1e2660c2ade1f6a10461a08722824d04ec9df0da986e75ba1465
                                          • Instruction ID: 051d78f4f0b23444636c6ddd93e04e83276043679bc5e2b6ed60bb1dfd359a8a
                                          • Opcode Fuzzy Hash: 7668a4d104ee1e2660c2ade1f6a10461a08722824d04ec9df0da986e75ba1465
                                          • Instruction Fuzzy Hash: 3701F4317242109BE7195B389D04B2A369CE710719F54423FF951FA1F1D678DC039B4C
                                          APIs
                                          • HeapCreate.KERNEL32(00000000,00001000,00000000,039F19B5,00000001), ref: 039F2CA0
                                            • Part of subcall function 039F2B47: GetVersionExA.KERNEL32 ref: 039F2B66
                                          • HeapDestroy.KERNEL32 ref: 039F2CDF
                                            • Part of subcall function 039F3F3F: HeapAlloc.KERNEL32(00000000,00000140,039F2CC8,000003F8), ref: 039F3F4C
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.3440368393.00000000039F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 039F0000, based on PE: true
                                          • Associated: 00000002.00000002.3440356341.00000000039F0000.00000002.00000001.01000000.00000008.sdmp
                                          • Associated: 00000002.00000002.3440380688.00000000039F6000.00000002.00000001.01000000.00000008.sdmp
                                          • Associated: 00000002.00000002.3440392347.00000000039F7000.00000004.00000001.01000000.00000008.sdmp
                                          • Associated: 00000002.00000002.3440404042.00000000039F9000.00000004.00000001.01000000.00000008.sdmp
                                          • Associated: 00000002.00000002.3440415852.00000000039FB000.00000002.00000001.01000000.00000008.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_39f0000_Au_.jbxd
                                          Similarity
                                          • API ID: Heap$AllocCreateDestroyVersion
                                          • String ID:
                                          • API String ID: 2507506473-0
                                          • Opcode ID: d00cc4959bfba22ac72c214bab8bdfea3c15f807f3022958f0b0d5a4fc032cd5
                                          • Instruction ID: 71e54c2076f44eefdab88a507c01d595cd1ca3bfb0c2f6f5de441f6098b06728
                                          • Opcode Fuzzy Hash: d00cc4959bfba22ac72c214bab8bdfea3c15f807f3022958f0b0d5a4fc032cd5
                                          • Instruction Fuzzy Hash: 78F065795683029FDF10AB31AC8576935ACEF857D2F244CA6F752CC194EB6180809712
                                          APIs
                                          • GetModuleHandleA.KERNEL32(?,?,?,00403751,0000000D), ref: 0040681C
                                          • GetProcAddress.KERNEL32(00000000,?), ref: 00406837
                                            • Part of subcall function 0040679C: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 004067B3
                                            • Part of subcall function 0040679C: wsprintfA.USER32 ref: 004067EC
                                            • Part of subcall function 0040679C: LoadLibraryExA.KERNEL32(?,00000000,00000008), ref: 00406800
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.3439475743.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000002.00000002.3439462217.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439489435.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.0000000000410000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.0000000000423000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.0000000000427000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.000000000042C000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.0000000000431000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439589373.0000000000436000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Au_.jbxd
                                          Similarity
                                          • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                                          • String ID:
                                          • API String ID: 2547128583-0
                                          • Opcode ID: b387fddabcf67a220080d0a2e2d4b4e20bddb47d888f7d8368649e6ab8387ea4
                                          • Instruction ID: 2e1db5b2244f9e248c95e3a508c771c14dc2457370c723657138356a2d20bfb7
                                          • Opcode Fuzzy Hash: b387fddabcf67a220080d0a2e2d4b4e20bddb47d888f7d8368649e6ab8387ea4
                                          • Instruction Fuzzy Hash: D0E086336052205AD6116B745D04D3772A8AED8640306483EF542F2040DB38AC32A769
                                          APIs
                                          • SendMessageA.USER32(?,0000000B,?), ref: 00402D1F
                                          • InvalidateRect.USER32(?), ref: 00402D2F
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.3439475743.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000002.00000002.3439462217.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439489435.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.0000000000410000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.0000000000423000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.0000000000427000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.000000000042C000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.0000000000431000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439589373.0000000000436000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Au_.jbxd
                                          Similarity
                                          • API ID: InvalidateMessageRectSend
                                          • String ID:
                                          • API String ID: 909852535-0
                                          • Opcode ID: 3c558f002e1f829953c4b9d9db2aa1ce726d5ef6208d2313b11a8e15a0fcc23c
                                          • Instruction ID: 7cbb0f2f2d3e60d22c3356138c9f84147da2cf220a65b694f43baffd426c5e81
                                          • Opcode Fuzzy Hash: 3c558f002e1f829953c4b9d9db2aa1ce726d5ef6208d2313b11a8e15a0fcc23c
                                          • Instruction Fuzzy Hash: 74E0B672A00105AFDB119B98EE8999E77B9EB44259B504436E111E1061D7744D51AA2C
                                          APIs
                                          • GetFileAttributesA.KERNEL32(00000003,00403163,C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe,80000000,00000003), ref: 00405FA8
                                          • CreateFileA.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 00405FCA
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.3439475743.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000002.00000002.3439462217.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439489435.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.0000000000410000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.0000000000423000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.0000000000427000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.000000000042C000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.0000000000431000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439589373.0000000000436000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Au_.jbxd
                                          Similarity
                                          • API ID: File$AttributesCreate
                                          • String ID:
                                          • API String ID: 415043291-0
                                          • Opcode ID: 3674cab34e86c9bb6ed208021152f8156afda3d0a6d4448f29a7fe7eff01a41d
                                          • Instruction ID: 99f0ed0b6f71b5c4d8d0263110580a9bc7934fab7bfe8a8d35efac0e687f4850
                                          • Opcode Fuzzy Hash: 3674cab34e86c9bb6ed208021152f8156afda3d0a6d4448f29a7fe7eff01a41d
                                          • Instruction Fuzzy Hash: 92D09E31654301EFFF098F20DE1AF2E7AA2EB84B00F11952CB682941E0DA7158599B15
                                          APIs
                                          • GetFileAttributesA.KERNEL32(?,00405D7D,?,?,?), ref: 00405F89
                                          • SetFileAttributesA.KERNEL32(?,00000000), ref: 00405F9B
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.3439475743.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000002.00000002.3439462217.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439489435.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.0000000000410000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.0000000000423000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.0000000000427000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.000000000042C000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.0000000000431000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439589373.0000000000436000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Au_.jbxd
                                          Similarity
                                          • API ID: AttributesFile
                                          • String ID:
                                          • API String ID: 3188754299-0
                                          • Opcode ID: cab7027fe2f956e0cd714395d170ca4fa9830a0a0b9133fa410bfdf6c3ed988f
                                          • Instruction ID: 1c5f7441953791c5fa01a3ea396afadd277b1a60dedbaed694642c210a643b3b
                                          • Opcode Fuzzy Hash: cab7027fe2f956e0cd714395d170ca4fa9830a0a0b9133fa410bfdf6c3ed988f
                                          • Instruction Fuzzy Hash: CEC04CB1404505AFD6015B24DF0DC1F7B66EB50321B168A39F4A9E10F0CB354CAADA19
                                          APIs
                                          • CreateDirectoryA.KERNEL32(?,00000000,004036DA,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,?,00403875), ref: 00405AA5
                                          • GetLastError.KERNEL32 ref: 00405AB3
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.3439475743.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000002.00000002.3439462217.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439489435.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.0000000000410000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.0000000000423000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.0000000000427000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.000000000042C000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.0000000000431000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439589373.0000000000436000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Au_.jbxd
                                          Similarity
                                          • API ID: CreateDirectoryErrorLast
                                          • String ID:
                                          • API String ID: 1375471231-0
                                          • Opcode ID: c0568d1a9d7a863155f8f57caddbba729ce21e02ac4465172204c49bf694c3b9
                                          • Instruction ID: 6d60ce6c2c78029c12fb4c6437a0e11bbe6e9f07fee022c993a6326ceae282bd
                                          • Opcode Fuzzy Hash: c0568d1a9d7a863155f8f57caddbba729ce21e02ac4465172204c49bf694c3b9
                                          • Instruction Fuzzy Hash: 6FC04C30745A019AEA115B709F48B177960AB50781F15893A6146E11B1DA348455DD6D
                                          APIs
                                          • RtlAllocateHeap.NTDLL(00000000,-0000000F,00000000,039F221D,00000000,00000000,00000000), ref: 039F312E
                                            • Part of subcall function 039F1BD4: InitializeCriticalSection.KERNEL32(00000000,00000000,039F221D,?,039F3624,00000009,00000000,00000000,00000000,039F6480,000000FF,?,039F221D,00000001,00000074), ref: 039F1C11
                                            • Part of subcall function 039F1BD4: EnterCriticalSection.KERNEL32(039F221D,039F221D,?,039F3624,00000009,00000000,00000000,00000000,039F6480,000000FF,?,039F221D,00000001,00000074), ref: 039F1C2C
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.3440368393.00000000039F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 039F0000, based on PE: true
                                           • Associated: 00000002.00000002.3440356341.00000000039F0000.00000002.00000001.01000000.00000008.sdmp
                                           • Associated: 00000002.00000002.3440380688.00000000039F6000.00000002.00000001.01000000.00000008.sdmp
                                           • Associated: 00000002.00000002.3440392347.00000000039F7000.00000004.00000001.01000000.00000008.sdmp
                                           • Associated: 00000002.00000002.3440404042.00000000039F9000.00000004.00000001.01000000.00000008.sdmp
                                           • Associated: 00000002.00000002.3440415852.00000000039FB000.00000002.00000001.01000000.00000008.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_39f0000_Au_.jbxd
                                          Similarity
                                          • API ID: CriticalSection$AllocateEnterHeapInitialize
                                          • String ID:
                                          • API String ID: 1616793339-0
                                          • Opcode ID: 1f8745883c4b874f68d6da99212b7efbd301401d330d6d276372d60f5e4faf6d
                                          • Instruction ID: 2a991fcb36e1a045dd0254430a305fc3f34b76127b6969b03bc6eb8022c47720
                                          • Opcode Fuzzy Hash: 1f8745883c4b874f68d6da99212b7efbd301401d330d6d276372d60f5e4faf6d
                                          • Instruction Fuzzy Hash: B821A43AA04205AFDB10FB65DC82B9EB7B8EB407A4F194516F621EF2C0D77895418B54
                                          APIs
                                            • Part of subcall function 004044A0: SetDlgItemTextA.USER32(?,?,00000000), ref: 004044BA
                                          • SetDlgItemTextA.USER32(?,000003E8,?), ref: 004048C8
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.3439475743.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000002.00000002.3439462217.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439489435.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.0000000000410000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.0000000000423000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.0000000000427000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.000000000042C000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.0000000000431000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439589373.0000000000436000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Au_.jbxd
                                          Similarity
                                          • API ID: ItemText
                                          • String ID:
                                          • API String ID: 3367045223-0
                                          • Opcode ID: 261af79fab5b7dc8ce2f068e557d5768f56cb9665393e9999d5f27405f65598d
                                          • Instruction ID: a843ded51a6d09cdbb9593c4ca8cdf79baec121f013089212d5c9024a8b59cbf
                                          • Opcode Fuzzy Hash: 261af79fab5b7dc8ce2f068e557d5768f56cb9665393e9999d5f27405f65598d
                                          • Instruction Fuzzy Hash: AFE06D72110218BBCB127E05EC01E9B3BA9EB44324F408426BA08654A1C379BA209B98
                                          APIs
                                          • ReadFile.KERNEL32(?,00000000,00000000,00000000,00414980,0040C980,00403572,00414980,00004000,?,00000000,?,004033FC,00000004,00000000,00000000), ref: 00403684
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.3439475743.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000002.00000002.3439462217.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439489435.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.0000000000410000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.0000000000423000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.0000000000427000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.000000000042C000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.0000000000431000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439589373.0000000000436000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Au_.jbxd
                                          Similarity
                                          • API ID: FileRead
                                          • String ID:
                                          • API String ID: 2738559852-0
                                          • Opcode ID: 4ccc4bbe2abcb677344719b3a5d559962fdee24b46b0939c7a596c127dcbc5e6
                                          • Instruction ID: ffaae792c95b3e74212be0c0ac91cf90d2f7abdb703311f5376c9916736d2436
                                          • Opcode Fuzzy Hash: 4ccc4bbe2abcb677344719b3a5d559962fdee24b46b0939c7a596c127dcbc5e6
                                          • Instruction Fuzzy Hash: 46E08631150119BBDF215E51DC04E973B5CDB05365F008433F945E6250D576D6119B94
                                          APIs
                                          • SetDlgItemTextA.USER32(?,?,00000000), ref: 004044BA
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.3439475743.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000002.00000002.3439462217.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439489435.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.0000000000410000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.0000000000423000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.0000000000427000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.000000000042C000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.0000000000431000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439589373.0000000000436000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Au_.jbxd
                                          Similarity
                                          • API ID: ItemText
                                          • String ID:
                                          • API String ID: 3367045223-0
                                          • Opcode ID: 0174db2d486c6bfae7298393e48cda5e15ab66f8026a1248b7333c230636131e
                                          • Instruction ID: abe3e604c5d728e86064822905ceb5988e74e83f7cf7314a4c8b33ebf5fa6c64
                                          • Opcode Fuzzy Hash: 0174db2d486c6bfae7298393e48cda5e15ab66f8026a1248b7333c230636131e
                                          • Instruction Fuzzy Hash: C1C08C31108200BFD382B704CC02F0FB3E8EFA0316F00C82EB05CA00E1CA34D4208A2A
                                          APIs
                                          • SendMessageA.USER32(00000028,?,00000001,00404306), ref: 004044E3
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.3439475743.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000002.00000002.3439462217.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439489435.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.0000000000410000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.0000000000423000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.0000000000427000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.000000000042C000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.0000000000431000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439589373.0000000000436000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Au_.jbxd
                                          Similarity
                                          • API ID: MessageSend
                                          • String ID:
                                          • API String ID: 3850602802-0
                                          • Opcode ID: d090b695d6fb44a0cd3dacef707cbd21b2d05341d3268158e4e0eb8174100e81
                                          • Instruction ID: e8f24a2486c8cffb54426fc4b4ca7ca2a644e4b9ad51e628b7f9c73253747f55
                                          • Opcode Fuzzy Hash: d090b695d6fb44a0cd3dacef707cbd21b2d05341d3268158e4e0eb8174100e81
                                          • Instruction Fuzzy Hash: 85B09235280201AADE215B00DE09F857E62AB64701F028034B280680B2CAB200A2EB1C
                                          APIs
                                          • SetFilePointer.KERNEL32(00000000,00000000,00000000,0040334B,?), ref: 004036AD
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.3439475743.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000002.00000002.3439462217.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439489435.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.0000000000410000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.0000000000423000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.0000000000427000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.000000000042C000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.0000000000431000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439589373.0000000000436000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Au_.jbxd
                                          Similarity
                                          • API ID: FilePointer
                                          • String ID:
                                          • API String ID: 973152223-0
                                          • Opcode ID: 10ef837ee4804bf9d7f3e3ca6725328f0d2a1cf4c29bc69e4f563ca935bf008a
                                          • Instruction ID: bbe28819b9c1f708c1bc01410fff550cfc21c648a57af447a5397392da283f69
                                          • Opcode Fuzzy Hash: 10ef837ee4804bf9d7f3e3ca6725328f0d2a1cf4c29bc69e4f563ca935bf008a
                                          • Instruction Fuzzy Hash: 02B01271240300BFEA128B00DF0AF057B72AB64700F108434B3C8380F08A721031DB0D
                                          APIs
                                          • GetPrivateProfileIntA.KERNEL32(?,?,03A11467,NumFields), ref: 03A11407
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.3440450729.0000000003A11000.00000020.00000001.01000000.0000000B.sdmp, Offset: 03A10000, based on PE: true
                                           • Associated: 00000002.00000002.3440439222.0000000003A10000.00000002.00000001.01000000.0000000B.sdmp
                                           • Associated: 00000002.00000002.3440462301.0000000003A13000.00000002.00000001.01000000.0000000B.sdmp
                                           • Associated: 00000002.00000002.3440473932.0000000003A14000.00000004.00000001.01000000.0000000B.sdmp
                                           • Associated: 00000002.00000002.3440486457.0000000003A18000.00000002.00000001.01000000.0000000B.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_3a10000_Au_.jbxd
                                          Similarity
                                          • API ID: PrivateProfile
                                          • String ID:
                                          • API String ID: 1469295129-0
                                          • Opcode ID: fa1fae5972494f7cdc33c4511c99e42deb06b7da0d30c5bf72d02e9e9e9acdbc
                                          • Instruction ID: 8a08fcef0f5e76f68f747b7f801a8bf103b60a0399845afa0570436a10ce159f
                                          • Opcode Fuzzy Hash: fa1fae5972494f7cdc33c4511c99e42deb06b7da0d30c5bf72d02e9e9e9acdbc
                                          • Instruction Fuzzy Hash: 39C0483B005100AFCF026F80EA0480ABBB2FB99350B018408B6988003CC2328136EB01
                                          APIs
                                          • GetDlgItem.USER32(?,000003F9), ref: 00404E91
                                          • GetDlgItem.USER32(?,00000408), ref: 00404E9E
                                          • GlobalAlloc.KERNEL32(00000040,?), ref: 00404EEA
                                          • LoadBitmapA.USER32(0000006E), ref: 00404EFD
                                          • SetWindowLongA.USER32(?,000000FC,0040547B), ref: 00404F17
                                          • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404F2B
                                          • ImageList_AddMasked.COMCTL32(00000000,?,00FF00FF), ref: 00404F3F
                                          • SendMessageA.USER32(?,00001109,00000002), ref: 00404F54
                                          • SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 00404F60
                                          • SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 00404F72
                                          • DeleteObject.GDI32(?), ref: 00404F77
                                          • SendMessageA.USER32(?,00000143,00000000,00000000), ref: 00404FA2
                                          • SendMessageA.USER32(?,00000151,00000000,00000000), ref: 00404FAE
                                          • SendMessageA.USER32(?,00001100,00000000,?), ref: 00405043
                                          • SendMessageA.USER32(?,0000110A,00000003,00000000), ref: 0040506E
                                          • SendMessageA.USER32(?,00001100,00000000,?), ref: 00405082
                                          • GetWindowLongA.USER32(?,000000F0), ref: 004050B1
                                          • SetWindowLongA.USER32(?,000000F0,00000000), ref: 004050BF
                                          • ShowWindow.USER32(?,00000005), ref: 004050D0
                                          • SendMessageA.USER32(?,00000419,00000000,?), ref: 004051D3
                                          • SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00405238
                                          • SendMessageA.USER32(?,00000150,00000000,00000000), ref: 0040524D
                                          • SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00405271
                                          • SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00405297
                                          • ImageList_Destroy.COMCTL32(?), ref: 004052AC
                                          • GlobalFree.KERNEL32(?), ref: 004052BC
                                          • SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 0040532C
                                          • SendMessageA.USER32(?,00001102,00000410,?), ref: 004053D5
                                          • SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 004053E4
                                          • InvalidateRect.USER32(?,00000000,00000001), ref: 00405404
                                          • ShowWindow.USER32(?,00000000), ref: 00405452
                                          • GetDlgItem.USER32(?,000003FE), ref: 0040545D
                                          • ShowWindow.USER32(00000000), ref: 00405464
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.3439475743.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000002.00000002.3439462217.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439489435.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.0000000000410000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.0000000000423000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.0000000000427000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.000000000042C000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.0000000000431000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439589373.0000000000436000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Au_.jbxd
                                          Similarity
                                          • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                          • String ID: $M$N
                                          • API String ID: 1638840714-813528018
                                          • Opcode ID: ad34ad8691b17b25a9ccd6bb964da61cb4def815d2f23b5d4b3dc1c834c130e8
                                          • Instruction ID: c6f49fae16b786c00443764c83c26e904ee8db6dc28079495487e9681e8e48f0
                                          • Opcode Fuzzy Hash: ad34ad8691b17b25a9ccd6bb964da61cb4def815d2f23b5d4b3dc1c834c130e8
                                          • Instruction Fuzzy Hash: CD029B70A00608EFDB209F55DD45AAF7BB5FB84314F10817AF611BA2E1D7798A81CF58
                                          APIs
                                          • LoadLibraryA.KERNEL32(user32.dll,?,00000000,00000000,039F2EF1,?,Microsoft Visual C++ Runtime Library,00012010,?,039F6390,?,039F63E0,?,?,?,Runtime Error!Program: ), ref: 039F4DC6
                                          • GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 039F4DDE
                                          • GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 039F4DEF
                                          • GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 039F4DFC
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.3440368393.00000000039F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 039F0000, based on PE: true
                                           • Associated: 00000002.00000002.3440356341.00000000039F0000.00000002.00000001.01000000.00000008.sdmp
                                           • Associated: 00000002.00000002.3440380688.00000000039F6000.00000002.00000001.01000000.00000008.sdmp
                                           • Associated: 00000002.00000002.3440392347.00000000039F7000.00000004.00000001.01000000.00000008.sdmp
                                           • Associated: 00000002.00000002.3440404042.00000000039F9000.00000004.00000001.01000000.00000008.sdmp
                                           • Associated: 00000002.00000002.3440415852.00000000039FB000.00000002.00000001.01000000.00000008.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_39f0000_Au_.jbxd
                                          Similarity
                                          • API ID: AddressProc$LibraryLoad
                                          • String ID: GetActiveWindow$GetLastActivePopup$MessageBoxA$user32.dll
                                          • API String ID: 2238633743-4044615076
                                          • Opcode ID: 61d7683526776bef657726efbb6c637817ae3e18f562229bed7dbf9cee40e86a
                                          • Instruction ID: 13f057febd5df48c8d57b39ff6e213993920ef61b79420c4ae5d570711602e5b
                                          • Opcode Fuzzy Hash: 61d7683526776bef657726efbb6c637817ae3e18f562229bed7dbf9cee40e86a
                                          • Instruction Fuzzy Hash: 32014F31708711AFC711FFBAACC0A6B7EECEAE96993080429A70DD6105DF748401CB60
                                          APIs
                                          • GetDlgCtrlID.USER32(?), ref: 03A11D55
                                          • OpenClipboard.USER32(?), ref: 03A11D87
                                          • GetClipboardData.USER32(00000001), ref: 03A11D98
                                          • GlobalLock.KERNEL32(00000000), ref: 03A11DA6
                                          • lstrlenA.KERNEL32(00000000), ref: 03A11DB4
                                          • SendMessageA.USER32(?,000000C2,00000001,00000000), ref: 03A11DF4
                                          • GlobalUnlock.KERNEL32(?), ref: 03A11E03
                                          • CloseClipboard.USER32 ref: 03A11E0A
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.3440450729.0000000003A11000.00000020.00000001.01000000.0000000B.sdmp, Offset: 03A10000, based on PE: true
                                           • Associated: 00000002.00000002.3440439222.0000000003A10000.00000002.00000001.01000000.0000000B.sdmp
                                           • Associated: 00000002.00000002.3440462301.0000000003A13000.00000002.00000001.01000000.0000000B.sdmp
                                           • Associated: 00000002.00000002.3440473932.0000000003A14000.00000004.00000001.01000000.0000000B.sdmp
                                           • Associated: 00000002.00000002.3440486457.0000000003A18000.00000002.00000001.01000000.0000000B.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_3a10000_Au_.jbxd
                                          Similarity
                                          • API ID: Clipboard$Global$CloseCtrlDataLockMessageOpenSendUnlocklstrlen
                                          • String ID:
                                          • API String ID: 639725540-0
                                          • Opcode ID: 85d45d65a31aca153514c4012ae039a2d23540a4a3481f35ec759691836e1664
                                          • Instruction ID: 4cff455d88e8ba6748f466a9a0fb62ff09988293bc1626c741ca9f7e7f9ebf04
                                          • Opcode Fuzzy Hash: 85d45d65a31aca153514c4012ae039a2d23540a4a3481f35ec759691836e1664
                                          • Instruction Fuzzy Hash: 58212939600205BBDF21EFB5DC08AAB7FAAFF44781B04412AFA46C9195DB75C9228B50
                                          APIs
                                          • GetDlgItem.USER32(?,00000403), ref: 004056E2
                                          • GetDlgItem.USER32(?,000003EE), ref: 004056F1
                                          • GetClientRect.USER32(?,?), ref: 00405749
                                          • GetSystemMetrics.USER32(00000015), ref: 00405751
                                          • SendMessageA.USER32(?,0000101B,00000000,00000002), ref: 00405772
                                          • SendMessageA.USER32(?,00001036,00004000,00004000), ref: 00405783
                                          • SendMessageA.USER32(?,00001001,00000000,00000110), ref: 00405796
                                          • SendMessageA.USER32(?,00001026,00000000,00000110), ref: 004057A4
                                          • SendMessageA.USER32(?,00001024,00000000,?), ref: 004057B7
                                          • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 004057D9
                                          • ShowWindow.USER32(?,00000008), ref: 004057ED
                                          • GetDlgItem.USER32(?,000003EC), ref: 0040580E
                                          • SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 0040581E
                                          • SendMessageA.USER32(00000000,00000409,00000000,?), ref: 00405837
                                          • SendMessageA.USER32(00000000,00002001,00000000,00000110), ref: 00405843
                                          • GetDlgItem.USER32(?,000003F8), ref: 00405700
                                            • Part of subcall function 004044D5: SendMessageA.USER32(00000028,?,00000001,00404306), ref: 004044E3
                                            • Part of subcall function 00406747: lstrlenA.KERNEL32(File: skipped: "C:\Users\user\AppData\Local\Temp\nslC943.tmp\InstallOptions.dll" (overwriteflag=1),?,?,00000000,00405D75,RMDir: RemoveDirectory("%s"),?,?,?), ref: 0040675E
                                            • Part of subcall function 00406747: wvsprintfA.USER32(00000000,File: skipped: "C:\Users\user\AppData\Local\Temp\nslC943.tmp\InstallOptions.dll" (overwriteflag=1),?), ref: 00406766
                                          • GetDlgItem.USER32(?,000003EC), ref: 00405860
                                          • CreateThread.KERNEL32(00000000,00000000,Function_000055FD,00000000), ref: 0040586E
                                          • CloseHandle.KERNEL32(00000000), ref: 00405875
                                          • ShowWindow.USER32(00000000), ref: 00405899
                                          • ShowWindow.USER32(00000000,00000008), ref: 0040589E
                                          • ShowWindow.USER32(00000008), ref: 004058E5
                                          • SendMessageA.USER32(00000000,00001004,00000000,00000000), ref: 00405917
                                          • CreatePopupMenu.USER32 ref: 00405928
                                          • AppendMenuA.USER32(00000000,00000000,00000001,00000000), ref: 0040593D
                                          • GetWindowRect.USER32(00000000,?), ref: 00405950
                                          • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405974
                                          • SendMessageA.USER32(?,0000102D,00000000,?), ref: 004059AF
                                          • OpenClipboard.USER32(00000000), ref: 004059BF
                                          • EmptyClipboard.USER32 ref: 004059C5
                                          • GlobalAlloc.KERNEL32(00000042,?,?,?,00000000,?,00000000), ref: 004059CE
                                          • GlobalLock.KERNEL32(00000000), ref: 004059D8
                                          • SendMessageA.USER32(?,0000102D,00000000,?), ref: 004059EC
                                          • GlobalUnlock.KERNEL32(00000000), ref: 00405A04
                                          • SetClipboardData.USER32(00000001,00000000), ref: 00405A0F
                                          • CloseClipboard.USER32 ref: 00405A15
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.3439475743.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000002.00000002.3439462217.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439489435.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.0000000000410000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.0000000000423000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.0000000000427000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.000000000042C000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.0000000000431000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439589373.0000000000436000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Au_.jbxd
                                          Similarity
                                          • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlocklstrlenwvsprintf
                                          • String ID: C:\Users\user\Desktop\$New install of "%s" to "%s"${
                                          • API String ID: 430598769-1793259906
                                          • Opcode ID: 6e77eacb8004290fe6ed722c867037a8234ca31613d18bea79517b39ef928cc2
                                          • Instruction ID: 2fba88bd0456375d88f597e1db9ec2698228ff227e9935e042ad6112b8d1c173
                                          • Opcode Fuzzy Hash: 6e77eacb8004290fe6ed722c867037a8234ca31613d18bea79517b39ef928cc2
                                          • Instruction Fuzzy Hash: 3DB16AB1900608FFDB11AF60DD89EAE3F78EB04354F50803AFA45BA1A0CB755952DF68
                                          APIs
                                          • CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 00404673
                                          • GetDlgItem.USER32(00000000,000003E8), ref: 00404687
                                          • SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 004046A5
                                          • GetSysColor.USER32(?), ref: 004046B6
                                          • SendMessageA.USER32(00000000,00000443,00000000,?), ref: 004046C5
                                          • SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 004046D4
                                          • lstrlenA.KERNEL32(?), ref: 004046DE
                                          • SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 004046EC
                                          • SendMessageA.USER32(00000000,00000449,?,00000110), ref: 004046FB
                                          • GetDlgItem.USER32(?,0000040A), ref: 0040475E
                                          • SendMessageA.USER32(00000000), ref: 00404761
                                          • GetDlgItem.USER32(?,000003E8), ref: 0040478C
                                          • SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 004047CC
                                          • LoadCursorA.USER32(00000000,00007F02), ref: 004047DB
                                          • SetCursor.USER32(00000000), ref: 004047E4
                                          • ShellExecuteA.SHELL32(0000070B,open,00424BA0,00000000,00000000,00000001), ref: 004047F7
                                          • LoadCursorA.USER32(00000000,00007F00), ref: 00404804
                                          • SetCursor.USER32(00000000), ref: 00404807
                                          • SendMessageA.USER32(00000111,00000001,00000000), ref: 00404833
                                          • SendMessageA.USER32(00000010,00000000,00000000), ref: 00404847
                                          Strings
                                          • N, xrefs: 0040477A
                                          • open, xrefs: 004047EF
                                          • LogicLinx 3.31 will be uninstalled from the following folder. Click Uninstall to start the uninstallation., xrefs: 004047B7
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.3439475743.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000002.00000002.3439462217.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439489435.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.0000000000410000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.0000000000423000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.0000000000427000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.000000000042C000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.0000000000431000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439589373.0000000000436000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Au_.jbxd
                                          Similarity
                                          • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
                                          • String ID: LogicLinx 3.31 will be uninstalled from the following folder. Click Uninstall to start the uninstallation.$N$open
                                          • API String ID: 3615053054-1862747438
                                          • Opcode ID: 4acb1e7f699876b9b080a19da7d3748d224994641b86eb42dea44ec3c9bac124
                                          • Instruction ID: 7ac1e07cf673726af58d7051cd64680cda6ca82f3b090425a6ea0e09ab9c8800
                                          • Opcode Fuzzy Hash: 4acb1e7f699876b9b080a19da7d3748d224994641b86eb42dea44ec3c9bac124
                                          • Instruction Fuzzy Hash: 0361C2B1A40208BFEB10AF60DD45F6A3768FB84714F10843AFB05BB1D1C7B8A951CB98
                                          APIs
                                          • GetDlgItem.USER32(?,000003F0), ref: 0040492F
                                          • IsDlgButtonChecked.USER32(?,000003F0), ref: 0040493D
                                          • GetDlgItem.USER32(?,000003FB), ref: 0040495D
                                          • GetAsyncKeyState.USER32(00000010), ref: 00404964
                                          • GetDlgItem.USER32(?,000003F0), ref: 00404973
                                          • ShowWindow.USER32(00000000,00000008,?,00000008,000000E0), ref: 00404984
                                          • SetWindowTextA.USER32(?,?), ref: 004049B3
                                          • SHBrowseForFolderA.SHELL32(?,004219C0,?), ref: 00404A6A
                                          • lstrcmpiA.KERNEL32(LogicLinx 3.31 will be uninstalled from the following folder. Click Uninstall to start the uninstallation.,00421DD8), ref: 00404AA7
                                          • lstrcatA.KERNEL32(?,LogicLinx 3.31 will be uninstalled from the following folder. Click Uninstall to start the uninstallation.), ref: 00404AB3
                                          • SetDlgItemTextA.USER32(?,000003FB,?), ref: 00404AC3
                                          • CoTaskMemFree.OLE32(00000000), ref: 00404A75
                                            • Part of subcall function 00405B19: GetDlgItemTextA.USER32(?,?,00000400,00404AF6), ref: 00405B2C
                                            • Part of subcall function 0040652F: CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe" ,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004036C2,C:\Users\user\AppData\Local\Temp\,?,00403875), ref: 00406587
                                            • Part of subcall function 0040652F: CharNextA.USER32(?,?,?,00000000), ref: 00406594
                                            • Part of subcall function 0040652F: CharNextA.USER32(?,"C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe" ,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004036C2,C:\Users\user\AppData\Local\Temp\,?,00403875), ref: 00406599
                                            • Part of subcall function 0040652F: CharPrevA.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004036C2,C:\Users\user\AppData\Local\Temp\,?,00403875), ref: 004065A9
                                            • Part of subcall function 00403BF6: lstrcatA.KERNEL32(00000000,00000000,00424780,C:\Users\user\Desktop\,install.log,00403D69,C:\Users\user\Desktop\,C:\Users\user\Desktop\,1033,00421DD8,80000001,Control Panel\Desktop\ResourceLocale,00000000,00421DD8,00000000,00000003), ref: 00403C11
                                          • GetDiskFreeSpaceA.KERNEL32(004215B0,?,?,0000040F,?,004215B0,004215B0,?,00000001,004215B0,?,?,000003FB,?), ref: 00404B7C
                                          • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404B97
                                          • SetDlgItemTextA.USER32(00000000,00000400,00420D98), ref: 00404C29
                                            • Part of subcall function 00404CF0: lstrlenA.KERNEL32(00421DD8,00421DD8,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404C0B,000000DF,004215B0,00000400,00000000), ref: 00404D8E
                                            • Part of subcall function 00404CF0: wsprintfA.USER32 ref: 00404D96
                                            • Part of subcall function 00404CF0: SetDlgItemTextA.USER32(?,00421DD8), ref: 00404DA9
                                          Strings
                                          • A, xrefs: 00404A63
                                          • C:\Users\user\Desktop\, xrefs: 00404A90
                                          • LogicLinx 3.31 will be uninstalled from the following folder. Click Uninstall to start the uninstallation., xrefs: 00404AA1, 00404AA6, 00404AB1
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.3439475743.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000002.00000002.3439462217.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439489435.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.0000000000410000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.0000000000423000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.0000000000427000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.000000000042C000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.0000000000431000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439589373.0000000000436000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Au_.jbxd
                                          Similarity
                                          • API ID: Item$Text$Char$Next$FreeWindowlstrcat$AsyncBrowseButtonCheckedDiskFolderPrevShowSpaceStateTasklstrcmpilstrlenwsprintf
                                          • String ID: A$C:\Users\user\Desktop\$LogicLinx 3.31 will be uninstalled from the following folder. Click Uninstall to start the uninstallation.
                                          • API String ID: 323400435-3599253505
                                          • Opcode ID: 78c65bc590c1e235ef7a73e704ad4c428552a7094b56534d9291f6bd5556b852
                                          • Instruction ID: 53e1309a436ec8c8103ef3d9cb40cdd2e0d9dedad5aabb53aa7134592e3a1e93
                                          • Opcode Fuzzy Hash: 78c65bc590c1e235ef7a73e704ad4c428552a7094b56534d9291f6bd5556b852
                                          • Instruction Fuzzy Hash: B7B172B1A00218ABDB10AFA5CD85B9F7AB8EF84314F10843FF605B62D1D7789941CB6D
                                          APIs
                                          • lstrlenA.KERNEL32(?,?,?,?), ref: 03A11853
                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000002,00000002,?,?,?), ref: 03A11870
                                          • SHGetDesktopFolder.SHELL32(00000045,?,?,?), ref: 03A1187A
                                          • SHBrowseForFolderA.SHELL32(?,?,?,?), ref: 03A118B6
                                          • SHGetPathFromIDListA.SHELL32(00000000,?,?,?,?), ref: 03A118CE
                                          • CoTaskMemFree.OLE32(00000000,?,?,?), ref: 03A118E8
                                          • GetWindowTextA.USER32(?,?,00000104), ref: 03A1193A
                                          • GetCurrentDirectoryA.KERNEL32(00002000,All Files|*.*,?,?,?), ref: 03A1194B
                                          • GetSaveFileNameA.COMDLG32(0000004C,?,?,?), ref: 03A1195B
                                          • GetOpenFileNameA.COMDLG32(0000004C,?,?,?), ref: 03A11963
                                          • CommDlgExtendedError.COMDLG32(?,?,?), ref: 03A11975
                                          • SetCurrentDirectoryA.KERNEL32(All Files|*.*,?,?,?,?,?), ref: 03A1199B
                                          • ShellExecuteA.SHELL32(00000000,?,00000000,00000000,0000000A), ref: 03A119B7
                                          • SendMessageA.USER32(00000408,00000001,00000000,?), ref: 03A119DB
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.3440450729.0000000003A11000.00000020.00000001.01000000.0000000B.sdmp, Offset: 03A10000, based on PE: true
                                           • Associated: 00000002.00000002.3440439222.0000000003A10000.00000002.00000001.01000000.0000000B.sdmp
                                           • Associated: 00000002.00000002.3440462301.0000000003A13000.00000002.00000001.01000000.0000000B.sdmp
                                           • Associated: 00000002.00000002.3440473932.0000000003A14000.00000004.00000001.01000000.0000000B.sdmp
                                           • Associated: 00000002.00000002.3440486457.0000000003A18000.00000002.00000001.01000000.0000000B.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_3a10000_Au_.jbxd
                                          Similarity
                                          • API ID: CurrentDirectoryFileFolderName$BrowseByteCharCommDesktopErrorExecuteExtendedFreeFromListMessageMultiOpenPathSaveSendShellTaskTextWideWindowlstrlen
                                          • String ID: All Files|*.*$E$L
                                          • API String ID: 3574472847-3122172703
                                          • Opcode ID: 161e49557bffaf3247dfcd08f238f1e7a13874bc2a2b7f43b776749af8c1ca2c
                                          • Instruction ID: db33d7fa9ded2ebc14a875a7848a9e6c1073b6489926acecfa557e46c44f95f0
                                          • Opcode Fuzzy Hash: 161e49557bffaf3247dfcd08f238f1e7a13874bc2a2b7f43b776749af8c1ca2c
                                          • Instruction Fuzzy Hash: FB71CE75900208AFDF20DFA5C988EAEBBF8FB49304F24456EE656E7290D7309951CF21
                                          APIs
                                          • DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
                                          • BeginPaint.USER32(?,?), ref: 00401047
                                          • GetClientRect.USER32(?,?), ref: 0040105B
                                          • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                          • FillRect.USER32(00000000,?,00000000), ref: 004010E4
                                          • DeleteObject.GDI32(?), ref: 004010ED
                                          • CreateFontIndirectA.GDI32(?), ref: 00401105
                                          • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                          • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                          • SelectObject.GDI32(00000000,?), ref: 00401140
                                          • DrawTextA.USER32(00000000,LogicLinx 3.31 Uninstall,000000FF,00000010,00000820), ref: 00401156
                                          • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                          • DeleteObject.GDI32(?), ref: 00401165
                                          • EndPaint.USER32(?,?), ref: 0040116E
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.3439475743.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000002.00000002.3439462217.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439489435.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.0000000000410000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.0000000000423000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.0000000000427000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.000000000042C000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.0000000000431000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439589373.0000000000436000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Au_.jbxd
                                          Similarity
                                          • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                          • String ID: F$LogicLinx 3.31 Uninstall
                                          • API String ID: 941294808-1031558758
                                          • Opcode ID: 750255ee06490405d36d6d77af7e8d62f2e9bab9d2e9b601842e2a7d5fc750e5
                                          • Instruction ID: 1a047666a44e0bd53f927bcc358f11ad8581032b766642e5cfbbeb7700f4c1b8
                                          • Opcode Fuzzy Hash: 750255ee06490405d36d6d77af7e8d62f2e9bab9d2e9b601842e2a7d5fc750e5
                                          • Instruction Fuzzy Hash: A5418B71800219AFCF058F95DE459AF7BB9FF44314F00802AF5A1AA1A1CB38EA55DFA4
                                          APIs
                                            • Part of subcall function 0040680A: GetModuleHandleA.KERNEL32(?,?,?,00403751,0000000D), ref: 0040681C
                                            • Part of subcall function 0040680A: GetProcAddress.KERNEL32(00000000,?), ref: 00406837
                                          • CloseHandle.KERNEL32(00000000,?,00000000,00000001,00000002,?,00000000,?,?,00405DAA,?,00000000,000000F1,?), ref: 00406068
                                          • GetShortPathNameA.KERNEL32(?,00423F68,00000400), ref: 00406071
                                          • GetShortPathNameA.KERNEL32(00000000,004239E0,00000400), ref: 0040608E
                                          • wsprintfA.USER32 ref: 004060AC
                                          • GetFileSize.KERNEL32(00000000,00000000,004239E0,C0000000,00000004,004239E0,?,?,?,00000000,000000F1,?), ref: 004060E7
                                          • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,00000000,000000F1,?), ref: 004060F6
                                          • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,000000F1,?), ref: 0040610C
                                          • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,004235E0,00000000,-0000000A,0040ABD4,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00406152
                                          • WriteFile.KERNEL32(00000000,00000000,?,?,00000000,?,?,00000000,000000F1,?), ref: 00406164
                                          • GlobalFree.KERNEL32(00000000), ref: 0040616B
                                          • CloseHandle.KERNEL32(00000000,?,?,00000000,000000F1,?), ref: 00406172
                                            • Part of subcall function 00405F19: lstrlenA.KERNEL32(00000000,?,00000000,00000000,00406127,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405F20
                                            • Part of subcall function 00405F19: lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,00406127,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405F50
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.3439475743.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000002.00000002.3439462217.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439489435.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.0000000000410000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.0000000000423000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.0000000000427000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.000000000042C000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.0000000000431000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439589373.0000000000436000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Au_.jbxd
                                          Similarity
                                          • API ID: File$Handle$CloseGlobalNamePathShortlstrlen$AddressAllocFreeModulePointerProcReadSizeWritewsprintf
                                          • String ID: %s=%s$[Rename]$h?B$9B
                                          • API String ID: 3445103937-2390523675
                                          • Opcode ID: 21917f923af837da55185abc71840ce9c4339cf9359ea08ee4b8cb6fcd80affc
                                          • Instruction ID: 6fab4b1a5264387afcbcbc9c20e197d89b1de9b9f4b2b97f427ae02aeeda734e
                                          • Opcode Fuzzy Hash: 21917f923af837da55185abc71840ce9c4339cf9359ea08ee4b8cb6fcd80affc
                                          • Instruction Fuzzy Hash: 884115712007167BD7206B619E49F6B3A7CDF85755F06003AF946FA2C2EA3CD824C6AD
                                          APIs
                                          • GlobalAlloc.KERNEL32(00000040,?), ref: 039F120A
                                            • Part of subcall function 039F1770: lstrcpyA.KERNEL32(?,?,?,039F1068,?), ref: 039F178F
                                            • Part of subcall function 039F1770: GlobalFree.KERNEL32 ref: 039F179F
                                          • FindWindowExA.USER32(?,00000000,#32770,039F9A68), ref: 039F1357
                                          • GetDlgItem.USER32(00000000,000003F8), ref: 039F1363
                                          • SendMessageA.USER32(00000000,00001004,00000000,00000000), ref: 039F137B
                                          • SendMessageA.USER32 ref: 039F13AC
                                          • SendMessageA.USER32(00000000,00001013,00000000,00000000), ref: 039F13B7
                                          • FindWindowExA.USER32(?,00000000,#32770,039F9A68), ref: 039F13D6
                                          • GetDlgItem.USER32(00000000,000003EE), ref: 039F13E2
                                          • SetWindowTextA.USER32(00000000,00000000), ref: 039F13EA
                                          • GlobalFree.KERNEL32(00000000), ref: 039F13F1
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.3440368393.00000000039F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 039F0000, based on PE: true
                                           • Associated: 00000002.00000002.3440356341.00000000039F0000.00000002.00000001.01000000.00000008.sdmp
                                           • Associated: 00000002.00000002.3440380688.00000000039F6000.00000002.00000001.01000000.00000008.sdmp
                                           • Associated: 00000002.00000002.3440392347.00000000039F7000.00000004.00000001.01000000.00000008.sdmp
                                           • Associated: 00000002.00000002.3440404042.00000000039F9000.00000004.00000001.01000000.00000008.sdmp
                                           • Associated: 00000002.00000002.3440415852.00000000039FB000.00000002.00000001.01000000.00000008.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_39f0000_Au_.jbxd
                                          Similarity
                                          • API ID: GlobalMessageSendWindow$FindFreeItem$AllocTextlstrcpy
                                          • String ID: #32770$false$true
                                          • API String ID: 1355337150-3820989678
                                          • Opcode ID: 3247d3d2e338542242fb4cc9665d4bb678d6e082809c7302c72768e61bc8d4c9
                                          • Instruction ID: d03352dfb3c4f42bd6df6d3001a42a80c0d47a47931eb147cab551f4cfd2a17e
                                          • Opcode Fuzzy Hash: 3247d3d2e338542242fb4cc9665d4bb678d6e082809c7302c72768e61bc8d4c9
                                          • Instruction Fuzzy Hash: 7351C435A48340AFD3109E798C60AABBBED9F9B680F1C4954FBD5DB381E267D4088790
                                          APIs
                                          • GetVersion.KERNEL32(?,00420DB0,00000000,00405563,00420DB0,00000000), ref: 00406397
                                          • GetSystemDirectoryA.KERNEL32(LogicLinx 3.31 will be uninstalled from the following folder. Click Uninstall to start the uninstallation.,00000400), ref: 00406412
                                          • GetWindowsDirectoryA.KERNEL32(LogicLinx 3.31 will be uninstalled from the following folder. Click Uninstall to start the uninstallation.,00000400), ref: 00406425
                                          • SHGetSpecialFolderLocation.SHELL32(?,00000000), ref: 00406461
                                          • SHGetPathFromIDListA.SHELL32(00000000,LogicLinx 3.31 will be uninstalled from the following folder. Click Uninstall to start the uninstallation.), ref: 0040646F
                                          • CoTaskMemFree.OLE32(00000000), ref: 0040647A
                                          • lstrcatA.KERNEL32(LogicLinx 3.31 will be uninstalled from the following folder. Click Uninstall to start the uninstallation.,\Microsoft\Internet Explorer\Quick Launch), ref: 0040649C
                                          • lstrlenA.KERNEL32(LogicLinx 3.31 will be uninstalled from the following folder. Click Uninstall to start the uninstallation.,?,00420DB0,00000000,00405563,00420DB0,00000000), ref: 004064EE
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.3439475743.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000002.00000002.3439462217.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439489435.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.0000000000410000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.0000000000423000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.0000000000427000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.000000000042C000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.0000000000431000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439589373.0000000000436000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Au_.jbxd
                                          Similarity
                                          • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
                                          • String ID: LogicLinx 3.31 will be uninstalled from the following folder. Click Uninstall to start the uninstallation.$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                          • API String ID: 900638850-1008386496
                                          • Opcode ID: e70c36c15463e11e4d98769463c39d75202b1930655f9bc1c58c23aaa8b76e0f
                                          • Instruction ID: 5020ced7e0235193b8239b63b3ec8dced8004e66b88da715bb9c8bf5f7faf145
                                          • Opcode Fuzzy Hash: e70c36c15463e11e4d98769463c39d75202b1930655f9bc1c58c23aaa8b76e0f
                                          • Instruction Fuzzy Hash: F8510530A00210AEDF216F64DD8477E3BA4AB55724F12423FE953B62D1D73D8962DB4D
                                          APIs
                                          • RegCreateKeyExA.ADVAPI32(00000000,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004026D7
                                          • lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nslC943.tmp,00000023,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004026FA
                                            • Part of subcall function 00406747: lstrlenA.KERNEL32(File: skipped: "C:\Users\user\AppData\Local\Temp\nslC943.tmp\InstallOptions.dll" (overwriteflag=1),?,?,00000000,00405D75,RMDir: RemoveDirectory("%s"),?,?,?), ref: 0040675E
                                            • Part of subcall function 00406747: wvsprintfA.USER32(00000000,File: skipped: "C:\Users\user\AppData\Local\Temp\nslC943.tmp\InstallOptions.dll" (overwriteflag=1),?), ref: 00406766
                                          • RegSetValueExA.ADVAPI32(?,?,?,?,C:\Users\user\AppData\Local\Temp\nslC943.tmp,00000000), ref: 004027B0
                                          • RegCloseKey.ADVAPI32(?), ref: 004028C3
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.3439475743.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000002.00000002.3439462217.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439489435.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.0000000000410000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.0000000000423000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.0000000000427000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.000000000042C000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.0000000000431000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439589373.0000000000436000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Au_.jbxd
                                          Similarity
                                          • API ID: lstrlen$CloseCreateValuewvsprintf
                                          • String ID: C:\Users\user\AppData\Local\Temp\nslC943.tmp$WriteReg: error creating key "%s\%s"$WriteReg: error writing into "%s\%s" "%s"$WriteRegBin: "%s\%s" "%s"="%s"$WriteRegDWORD: "%s\%s" "%s"="0x%08x"$WriteRegExpandStr: "%s\%s" "%s"="%s"$WriteRegStr: "%s\%s" "%s"="%s"
                                          • API String ID: 1641139501-1397765597
                                          • Opcode ID: 0157898554790d50b0bdb3d9b809ae9a58bf82a69b619a8b99a66bf8be8ddc53
                                          • Instruction ID: 0d8f67e9f840f9fb8975a9187b81f617768a5146bfc4832fe9bc88b1c5f34d6b
                                          • Opcode Fuzzy Hash: 0157898554790d50b0bdb3d9b809ae9a58bf82a69b619a8b99a66bf8be8ddc53
                                          • Instruction Fuzzy Hash: 6D415BB2D00208BFDF11AFA1CD4AE9EBB78EF04348F11407AF505761D0D7BA4A619B69
                                          APIs
                                          • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000), ref: 00402B16
                                          • GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 00402B32
                                          • GlobalFree.KERNEL32(?), ref: 00402B6B
                                          • WriteFile.KERNEL32(?,00000000,?,?), ref: 00402B7D
                                          • GlobalFree.KERNEL32(00000000), ref: 00402B84
                                          • CloseHandle.KERNEL32(?), ref: 00402B9C
                                          • DeleteFileA.KERNEL32(?), ref: 00402BC3
                                          Strings
                                          • created uninstaller: %d, "%s", xrefs: 00402BA8
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.3439475743.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000002.00000002.3439462217.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439489435.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.0000000000410000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.0000000000423000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.0000000000427000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.000000000042C000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.0000000000431000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439589373.0000000000436000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Au_.jbxd
                                          Similarity
                                          • API ID: Global$AllocFileFree$CloseDeleteHandleWrite
                                          • String ID: created uninstaller: %d, "%s"
                                          • API String ID: 3294113728-3145124454
                                          • Opcode ID: fcd8c44232e72c7a519ab1b54606f4df5990d39ba661982b9417052821f24287
                                          • Instruction ID: f039b0f35b450dc7ee41e930bae157162e8a347937c2952a3d4cbe63db110461
                                          • Opcode Fuzzy Hash: fcd8c44232e72c7a519ab1b54606f4df5990d39ba661982b9417052821f24287
                                          • Instruction Fuzzy Hash: C031BE71800128BBCF20AFA5CE49DAE7F78EF04324F10423AF914762E1DB795D419BA9
                                          APIs
                                          • GetPropA.USER32(?,_Plugin_Static_Hyperlink_), ref: 1000101A
                                          • CallWindowProcA.USER32(?,00000138,?,?), ref: 10001039
                                          • SetTextColor.GDI32(?), ref: 1000104A
                                          • ShellExecuteA.SHELL32(?,open,https://www.gegridsolutions.com/multilin/,00000000,00000000,00000001), ref: 10001070
                                          • CallWindowProcA.USER32(?,?,00000404,?), ref: 1000108D
                                          Strings
                                          • open, xrefs: 10001068
                                          • _Plugin_Static_Hyperlink_, xrefs: 10001012
                                          • https://www.gegridsolutions.com/multilin/, xrefs: 10001063
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.3440554333.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                           • Associated: 00000002.00000002.3440542193.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                           • Associated: 00000002.00000002.3440566258.0000000010002000.00000002.00000001.01000000.00000007.sdmp
                                           • Associated: 00000002.00000002.3440578387.0000000010003000.00000004.00000001.01000000.00000007.sdmp
                                           • Associated: 00000002.00000002.3440590369.0000000010004000.00000002.00000001.01000000.00000007.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_10000000_Au_.jbxd
                                          Similarity
                                          • API ID: CallProcWindow$ColorExecutePropShellText
                                          • String ID: _Plugin_Static_Hyperlink_$https://www.gegridsolutions.com/multilin/$open
                                          • API String ID: 336401315-593685993
                                          • Opcode ID: 902a60f43574fc8f765310f7a5a76097104947cc1a10f21921816571d1e45bd3
                                          • Instruction ID: 0c11c9d3a527daeec412f6f73a2044742557c87160cf49b8973faa6a56da489a
                                          • Opcode Fuzzy Hash: 902a60f43574fc8f765310f7a5a76097104947cc1a10f21921816571d1e45bd3
                                          • Instruction Fuzzy Hash: 90019732540259BBFF229F64DD99BDA7B66FB087D1F008410FB05650A9C7B299A0EB50
                                          APIs
                                            • Part of subcall function 039F1770: lstrcpyA.KERNEL32(?,?,?,039F1068,?), ref: 039F178F
                                            • Part of subcall function 039F1770: GlobalFree.KERNEL32 ref: 039F179F
                                          • CreateFileA.KERNEL32(?,00000001,00000000,00000000,00000003,00000080,00000000,00000000,00000000,?), ref: 039F159F
                                          • GetFileSize.KERNEL32(00000000,00000000), ref: 039F15DA
                                          • VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000004), ref: 039F15F3
                                          • ReadFile.KERNEL32(00000000,00000000,00000000,00000001,00000000), ref: 039F1605
                                          • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 039F1682
                                          • WriteFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 039F16A0
                                          • WriteFile.KERNEL32(00000000,039F7048,00000002,?,00000000,?,?,00000000), ref: 039F16B6
                                          • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 039F16E6
                                          • CloseHandle.KERNEL32(00000000), ref: 039F16ED
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.3440368393.00000000039F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 039F0000, based on PE: true
                                           • Associated: 00000002.00000002.3440356341.00000000039F0000.00000002.00000001.01000000.00000008.sdmp
                                           • Associated: 00000002.00000002.3440380688.00000000039F6000.00000002.00000001.01000000.00000008.sdmp
                                           • Associated: 00000002.00000002.3440392347.00000000039F7000.00000004.00000001.01000000.00000008.sdmp
                                           • Associated: 00000002.00000002.3440404042.00000000039F9000.00000004.00000001.01000000.00000008.sdmp
                                           • Associated: 00000002.00000002.3440415852.00000000039FB000.00000002.00000001.01000000.00000008.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_39f0000_Au_.jbxd
                                          Similarity
                                          • API ID: File$Write$FreeVirtual$AllocCloseCreateGlobalHandleReadSizelstrcpy
                                          • String ID:
                                          • API String ID: 3062248370-0
                                          • Opcode ID: e35988c3c1564eb8218af2e019a20f8efb816799c9243242145cdb71437573f2
                                          • Instruction ID: 8631f63734d77928462751e0ca11c3266448ab5ea7d1a0ec27ded7bdd1b65007
                                          • Opcode Fuzzy Hash: e35988c3c1564eb8218af2e019a20f8efb816799c9243242145cdb71437573f2
                                          • Instruction Fuzzy Hash: EF81D4756083409FC324DF249C80B6BBBD9ABC9394F2C0A1DF6999B290DB75D948CBD1
                                          APIs
                                          • LCMapStringW.KERNEL32(00000000,00000100,039F6454,00000001,00000000,00000000,7622E860,039F9DD8,?,00000003,00000000,00000001,00000000,?,?,039F51E2), ref: 039F31CC
                                          • LCMapStringA.KERNEL32(00000000,00000100,039F6450,00000001,00000000,00000000,?,?,039F51E2,?), ref: 039F31E8
                                          • LCMapStringA.KERNEL32(?,?,00000000,00000001,00000000,00000003,7622E860,039F9DD8,?,00000003,00000000,00000001,00000000,?,?,039F51E2), ref: 039F3231
                                          • MultiByteToWideChar.KERNEL32(?,039F9DD9,00000000,00000001,00000000,00000000,7622E860,039F9DD8,?,00000003,00000000,00000001,00000000,?,?,039F51E2), ref: 039F3269
                                          • MultiByteToWideChar.KERNEL32(00000001,00000001,00000000,?,?,00000000), ref: 039F32C1
                                          • LCMapStringW.KERNEL32(?,?,?,00000000,00000000,00000000), ref: 039F32D7
                                          • LCMapStringW.KERNEL32(?,?,?,00000000,?,?), ref: 039F330A
                                          • LCMapStringW.KERNEL32(?,?,?,?,?,00000000), ref: 039F3372
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.3440368393.00000000039F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 039F0000, based on PE: true
                                           • Associated: 00000002.00000002.3440356341.00000000039F0000.00000002.00000001.01000000.00000008.sdmp
                                           • Associated: 00000002.00000002.3440380688.00000000039F6000.00000002.00000001.01000000.00000008.sdmp
                                           • Associated: 00000002.00000002.3440392347.00000000039F7000.00000004.00000001.01000000.00000008.sdmp
                                           • Associated: 00000002.00000002.3440404042.00000000039F9000.00000004.00000001.01000000.00000008.sdmp
                                           • Associated: 00000002.00000002.3440415852.00000000039FB000.00000002.00000001.01000000.00000008.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_39f0000_Au_.jbxd
                                          Similarity
                                          • API ID: String$ByteCharMultiWide
                                          • String ID:
                                          • API String ID: 352835431-0
                                          • Opcode ID: 4b476631254ff97df6c5c317b2b244e701fa4f3156b6d3609afb8031a10cb541
                                          • Instruction ID: 891da9ed2cd325fe7debe22a406005e6d1bcfa2293e6c9a8acae85e12e6902c9
                                          • Opcode Fuzzy Hash: 4b476631254ff97df6c5c317b2b244e701fa4f3156b6d3609afb8031a10cb541
                                          • Instruction Fuzzy Hash: 37516C35900209FFCF22EF55CC84ADE7FB9FB89750F184119FA14A6154C77A8910DBA0
                                          APIs
                                          • GetModuleFileNameA.KERNEL32(00000000,?,00000104,039F221D), ref: 039F2E3A
                                          • GetStdHandle.KERNEL32(000000F4,039F6390,00000000,00000000,00000000,039F221D), ref: 039F2F10
                                          • WriteFile.KERNEL32(00000000), ref: 039F2F17
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.3440368393.00000000039F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 039F0000, based on PE: true
                                           • Associated: 00000002.00000002.3440356341.00000000039F0000.00000002.00000001.01000000.00000008.sdmp
                                           • Associated: 00000002.00000002.3440380688.00000000039F6000.00000002.00000001.01000000.00000008.sdmp
                                           • Associated: 00000002.00000002.3440392347.00000000039F7000.00000004.00000001.01000000.00000008.sdmp
                                           • Associated: 00000002.00000002.3440404042.00000000039F9000.00000004.00000001.01000000.00000008.sdmp
                                           • Associated: 00000002.00000002.3440415852.00000000039FB000.00000002.00000001.01000000.00000008.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_39f0000_Au_.jbxd
                                          Similarity
                                          • API ID: File$HandleModuleNameWrite
                                          • String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
                                          • API String ID: 3784150691-4022980321
                                          • Opcode ID: 9034b3be83abd20a7facd4f6f9ad44b5ef2d6e589d7e905a50e0a4fdae734d94
                                          • Instruction ID: 33fbe98b2dd7386abd9adbb4f7ca1cc723ecf9e3b12eb131b9ddadf0bbdded27
                                          • Opcode Fuzzy Hash: 9034b3be83abd20a7facd4f6f9ad44b5ef2d6e589d7e905a50e0a4fdae734d94
                                          • Instruction Fuzzy Hash: 4B31B07AA003186FDF20EBA0CC85F9E77ADEB85340F640856F794DA140D7B4E5848B22
                                          APIs
                                          • CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe" ,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004036C2,C:\Users\user\AppData\Local\Temp\,?,00403875), ref: 00406587
                                          • CharNextA.USER32(?,?,?,00000000), ref: 00406594
                                          • CharNextA.USER32(?,"C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe" ,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004036C2,C:\Users\user\AppData\Local\Temp\,?,00403875), ref: 00406599
                                          • CharPrevA.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004036C2,C:\Users\user\AppData\Local\Temp\,?,00403875), ref: 004065A9
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.3439475743.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000002.00000002.3439462217.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439489435.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.0000000000410000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.0000000000423000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.0000000000427000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.000000000042C000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.0000000000431000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439589373.0000000000436000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Au_.jbxd
                                          Similarity
                                          • API ID: Char$Next$Prev
                                          • String ID: "C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe" $*?|<>/":$C:\Users\user\AppData\Local\Temp\
                                          • API String ID: 589700163-1738386367
                                          • Opcode ID: 8096d849d1c9ce41e0346831cb37685f4dd6d64b26888903e7438f7d863a7a62
                                          • Instruction ID: 24dd96064d5417bc72e67d0c60cfec8ce53d8243db2d456a42809f7a95db7985
                                          • Opcode Fuzzy Hash: 8096d849d1c9ce41e0346831cb37685f4dd6d64b26888903e7438f7d863a7a62
                                          • Instruction Fuzzy Hash: 981134A180479039EB3216386C44B777F894F5B7A0F1A047BE4C2322C6DA7C5D62826D
                                          APIs
                                          • GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,039F1A0A), ref: 039F2A03
                                          • GetEnvironmentStrings.KERNEL32(?,?,?,?,039F1A0A), ref: 039F2A17
                                          • GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,039F1A0A), ref: 039F2A43
                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,?,?,?,?,?,039F1A0A), ref: 039F2A7B
                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,?,?,039F1A0A), ref: 039F2A9D
                                          • FreeEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,039F1A0A), ref: 039F2AB6
                                          • GetEnvironmentStrings.KERNEL32(?,?,?,?,?,?,039F1A0A), ref: 039F2AC9
                                          • FreeEnvironmentStringsA.KERNEL32(00000000), ref: 039F2B07
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.3440368393.00000000039F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 039F0000, based on PE: true
                                          • Associated: 00000002.00000002.3440356341.00000000039F0000.00000002.00000001.01000000.00000008.sdmp
                                          • Associated: 00000002.00000002.3440380688.00000000039F6000.00000002.00000001.01000000.00000008.sdmp
                                          • Associated: 00000002.00000002.3440392347.00000000039F7000.00000004.00000001.01000000.00000008.sdmp
                                          • Associated: 00000002.00000002.3440404042.00000000039F9000.00000004.00000001.01000000.00000008.sdmp
                                          • Associated: 00000002.00000002.3440415852.00000000039FB000.00000002.00000001.01000000.00000008.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_39f0000_Au_.jbxd
                                          Similarity
                                          • API ID: EnvironmentStrings$ByteCharFreeMultiWide
                                          • String ID:
                                          • API String ID: 1823725401-0
                                          • Opcode ID: 3a7a73a17a8973559d50079f47b909aced0a657a50d04517abd0bb6b44a38174
                                          • Instruction ID: 4df64560301971457fd66f48c0241861a91e7a069d3b3608d7f786647710bcc7
                                          • Opcode Fuzzy Hash: 3a7a73a17a8973559d50079f47b909aced0a657a50d04517abd0bb6b44a38174
                                          • Instruction Fuzzy Hash: EB31F2BA5083156FE730FF795C84A3BBB9CE64A29471D0E69FBD6C3180EA21CC418361
                                          APIs
                                          • GetWindowLongA.USER32(?,000000EB), ref: 00404524
                                          • GetSysColor.USER32(00000000), ref: 00404540
                                          • SetTextColor.GDI32(?,00000000), ref: 0040454C
                                          • SetBkMode.GDI32(?,?), ref: 00404558
                                          • GetSysColor.USER32(?), ref: 0040456B
                                          • SetBkColor.GDI32(?,?), ref: 0040457B
                                          • DeleteObject.GDI32(?), ref: 00404595
                                          • CreateBrushIndirect.GDI32(?), ref: 0040459F
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.3439475743.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000002.00000002.3439462217.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439489435.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.0000000000410000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.0000000000423000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.0000000000427000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.000000000042C000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.0000000000431000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439589373.0000000000436000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Au_.jbxd
                                          Similarity
                                          • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                          • String ID:
                                          • API String ID: 2320649405-0
                                          • Opcode ID: ff550e039535750ddee094f50c47ca332dcff401595c3ffc2c3d1fe0adab4e51
                                          • Instruction ID: 5129247060fdf99fe8797dcd9aa0072a42d6f3bc0e200a186bc0a46124ada848
                                          • Opcode Fuzzy Hash: ff550e039535750ddee094f50c47ca332dcff401595c3ffc2c3d1fe0adab4e51
                                          • Instruction Fuzzy Hash: 002142B1501704ABCB219F68DD08B5BBBF8AF41714F04892DFA96A26E0D738E9488B54
                                          APIs
                                          • lstrlenA.KERNEL32(00420DB0,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030F8,00000000,?), ref: 00405564
                                          • lstrlenA.KERNEL32(004030F8,00420DB0,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030F8,00000000), ref: 00405574
                                          • lstrcatA.KERNEL32(00420DB0,004030F8,004030F8,00420DB0,00000000,00000000,00000000), ref: 00405587
                                          • SetWindowTextA.USER32(00420DB0,00420DB0), ref: 00405599
                                          • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004055BF
                                          • SendMessageA.USER32(?,00001007,00000000,00000001), ref: 004055D9
                                          • SendMessageA.USER32(?,00001013,?,00000000), ref: 004055E7
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.3439475743.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000002.00000002.3439462217.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439489435.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.0000000000410000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.0000000000423000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.0000000000427000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.000000000042C000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.0000000000431000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439589373.0000000000436000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Au_.jbxd
                                          Similarity
                                          • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                          • String ID:
                                          • API String ID: 2531174081-0
                                          • Opcode ID: cb0f79ab979e13bb22370c5c0aa667bb76c3ef8d0eed0eb48269c6a4122cdca1
                                          • Instruction ID: b5f13368894abbd72d2ef9bcc5aed1bc168452b499d58a4623565611e2026dd0
                                          • Opcode Fuzzy Hash: cb0f79ab979e13bb22370c5c0aa667bb76c3ef8d0eed0eb48269c6a4122cdca1
                                          • Instruction Fuzzy Hash: 71218C71900118BBCF119FA5CD80ADFBFB9EF04354F04807AF944B6291C7388A419FA8
                                          APIs
                                            • Part of subcall function 00406747: lstrlenA.KERNEL32(File: skipped: "C:\Users\user\AppData\Local\Temp\nslC943.tmp\InstallOptions.dll" (overwriteflag=1),?,?,00000000,00405D75,RMDir: RemoveDirectory("%s"),?,?,?), ref: 0040675E
                                            • Part of subcall function 00406747: wvsprintfA.USER32(00000000,File: skipped: "C:\Users\user\AppData\Local\Temp\nslC943.tmp\InstallOptions.dll" (overwriteflag=1),?), ref: 00406766
                                            • Part of subcall function 0040552B: lstrlenA.KERNEL32(00420DB0,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030F8,00000000,?), ref: 00405564
                                            • Part of subcall function 0040552B: lstrlenA.KERNEL32(004030F8,00420DB0,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030F8,00000000), ref: 00405574
                                            • Part of subcall function 0040552B: lstrcatA.KERNEL32(00420DB0,004030F8,004030F8,00420DB0,00000000,00000000,00000000), ref: 00405587
                                            • Part of subcall function 0040552B: SetWindowTextA.USER32(00420DB0,00420DB0), ref: 00405599
                                            • Part of subcall function 0040552B: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004055BF
                                            • Part of subcall function 0040552B: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 004055D9
                                            • Part of subcall function 0040552B: SendMessageA.USER32(?,00001013,?,00000000), ref: 004055E7
                                            • Part of subcall function 00405AD4: CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00423DE0,Error launching installer), ref: 00405AF9
                                            • Part of subcall function 00405AD4: CloseHandle.KERNEL32(?), ref: 00405B06
                                          • WaitForSingleObject.KERNEL32(?,00000064,00000000,000000EB,00000000), ref: 004020C6
                                          • GetExitCodeProcess.KERNEL32(?,?), ref: 004020D6
                                          • CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 004020FB
                                          Strings
                                          • Exec: command="%s", xrefs: 0040207F
                                          • Exec: failed createprocess ("%s"), xrefs: 0040210D
                                          • Exec: success ("%s"), xrefs: 004020A1
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.3439475743.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000002.00000002.3439462217.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439489435.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.0000000000410000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.0000000000423000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.0000000000427000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.000000000042C000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.0000000000431000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439589373.0000000000436000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Au_.jbxd
                                          Similarity
                                          • API ID: MessageSendlstrlen$CloseHandleProcess$CodeCreateExitObjectSingleTextWaitWindowlstrcatwvsprintf
                                          • String ID: Exec: command="%s"$Exec: failed createprocess ("%s")$Exec: success ("%s")
                                          • API String ID: 2014279497-3433828417
                                          • Opcode ID: cca3606ec2a77bb65dba5fcbdc20c5e0c7bca9831c84fe7d89b340ff56de6e2e
                                          • Instruction ID: f192cf5068fe721493c2ca47631b8fd5e11dfa55f6fb4389df25e9f95d382c2a
                                          • Opcode Fuzzy Hash: cca3606ec2a77bb65dba5fcbdc20c5e0c7bca9831c84fe7d89b340ff56de6e2e
                                          • Instruction Fuzzy Hash: 96119031505214EADB25AF91DE899AE7B61EF01318F20403FF501750D1CBBD0991EB6E
                                          APIs
                                          • CloseHandle.KERNEL32(FFFFFFFF,?,?,00406773,00000000), ref: 004065DE
                                          • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,00424780,40000000,00000004,?,?,00406773,00000000), ref: 00406626
                                          • lstrcatA.KERNEL32(File: skipped: "C:\Users\user\AppData\Local\Temp\nslC943.tmp\InstallOptions.dll" (overwriteflag=1),0040ABEC,File: skipped: "C:\Users\user\AppData\Local\Temp\nslC943.tmp\InstallOptions.dll" (overwriteflag=1),?,?,00406773,00000000), ref: 00406641
                                          • lstrlenA.KERNEL32(File: skipped: "C:\Users\user\AppData\Local\Temp\nslC943.tmp\InstallOptions.dll" (overwriteflag=1),?,00000000,File: skipped: "C:\Users\user\AppData\Local\Temp\nslC943.tmp\InstallOptions.dll" (overwriteflag=1),0040ABEC,File: skipped: "C:\Users\user\AppData\Local\Temp\nslC943.tmp\InstallOptions.dll" (overwriteflag=1),?,?,00406773,00000000), ref: 0040664C
                                          • WriteFile.KERNEL32(File: skipped: "C:\Users\user\AppData\Local\Temp\nslC943.tmp\InstallOptions.dll" (overwriteflag=1),00000000,File: skipped: "C:\Users\user\AppData\Local\Temp\nslC943.tmp\InstallOptions.dll" (overwriteflag=1),?,00000000,File: skipped: "C:\Users\user\AppData\Local\Temp\nslC943.tmp\InstallOptions.dll" (overwriteflag=1),0040ABEC,File: skipped: "C:\Users\user\AppData\Local\Temp\nslC943.tmp\InstallOptions.dll" (overwriteflag=1),?,?,00406773,00000000), ref: 00406659
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.3439475743.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000002.00000002.3439462217.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439489435.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.0000000000410000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.0000000000423000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.0000000000427000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.000000000042C000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.0000000000431000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439589373.0000000000436000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Au_.jbxd
                                          Similarity
                                          • API ID: File$CloseHandlePointerWritelstrcatlstrlen
                                          • String ID: File: skipped: "C:\Users\user\AppData\Local\Temp\nslC943.tmp\InstallOptions.dll" (overwriteflag=1)
                                          • API String ID: 4073665932-1688853826
                                          • Opcode ID: 6985dbf8a51587ff873b0807ef77b93063035b7dde659fa51b5ad4c8cc64aba6
                                          • Instruction ID: 8cb7850f754a91aea35530736be2dd68b046b28bd0b92714d99c360fc914dd09
                                          • Opcode Fuzzy Hash: 6985dbf8a51587ff873b0807ef77b93063035b7dde659fa51b5ad4c8cc64aba6
                                          • Instruction Fuzzy Hash: BD019671500306ABD720AF74BD85E573A5CDB01374B52433BF172B51E0C73998A29A5E
                                          APIs
                                          • DestroyWindow.USER32(00000000,00000000), ref: 00403099
                                          • GetTickCount.KERNEL32 ref: 004030B7
                                          • wsprintfA.USER32 ref: 004030E5
                                            • Part of subcall function 0040552B: lstrlenA.KERNEL32(00420DB0,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030F8,00000000,?), ref: 00405564
                                            • Part of subcall function 0040552B: lstrlenA.KERNEL32(004030F8,00420DB0,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030F8,00000000), ref: 00405574
                                            • Part of subcall function 0040552B: lstrcatA.KERNEL32(00420DB0,004030F8,004030F8,00420DB0,00000000,00000000,00000000), ref: 00405587
                                            • Part of subcall function 0040552B: SetWindowTextA.USER32(00420DB0,00420DB0), ref: 00405599
                                            • Part of subcall function 0040552B: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004055BF
                                            • Part of subcall function 0040552B: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 004055D9
                                            • Part of subcall function 0040552B: SendMessageA.USER32(?,00001013,?,00000000), ref: 004055E7
                                          • CreateDialogParamA.USER32(0000006F,00000000,00402FE9,00000000), ref: 00403109
                                          • ShowWindow.USER32(00000000,00000005), ref: 00403117
                                            • Part of subcall function 00403065: MulDiv.KERNEL32(00010000,00000064,00004E36), ref: 0040307A
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.3439475743.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000002.00000002.3439462217.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439489435.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.0000000000410000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.0000000000423000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.0000000000427000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.000000000042C000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.0000000000431000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439589373.0000000000436000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Au_.jbxd
                                          Similarity
                                          • API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
                                          • String ID: ... %d%%
                                          • API String ID: 722711167-2449383134
                                          • Opcode ID: ce67bc7cccbabcfd3d998f218857b4b480decfb62087f9010a91ecd6a2638fba
                                          • Instruction ID: 8a56325a0c249c51aeddb8beeb044339652cd635e3f90c4b3db5a9aada2ba764
                                          • Opcode Fuzzy Hash: ce67bc7cccbabcfd3d998f218857b4b480decfb62087f9010a91ecd6a2638fba
                                          • Instruction Fuzzy Hash: 6C01C870502624DBCB217F60BD09AAA7F6CAB05B46B04803BF441B11D5DB784A45CF9E
                                          APIs
                                          • SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 00404E15
                                          • GetMessagePos.USER32 ref: 00404E1D
                                          • ScreenToClient.USER32(?,?), ref: 00404E37
                                          • SendMessageA.USER32(?,00001111,00000000,?), ref: 00404E49
                                          • SendMessageA.USER32(?,0000110C,00000000,?), ref: 00404E6F
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.3439475743.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000002.00000002.3439462217.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439489435.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.0000000000410000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.0000000000423000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.0000000000427000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.000000000042C000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.0000000000431000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439589373.0000000000436000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Au_.jbxd
                                          Similarity
                                          • API ID: Message$Send$ClientScreen
                                          • String ID: f
                                          • API String ID: 41195575-1993550816
                                          • Opcode ID: 2de7cdc7de5e6d73f2f496e999baad3857bc1053d919e802e93d4047082e1f51
                                          • Instruction ID: 577475e6f0e9fc61b494f9fa51c3945aaa03660cb513c050f00af2c753d98fa9
                                          • Opcode Fuzzy Hash: 2de7cdc7de5e6d73f2f496e999baad3857bc1053d919e802e93d4047082e1f51
                                          • Instruction Fuzzy Hash: 78015271D00219BADB00DBA4DD45FFEBBBCAF55B11F10012BBA50B61D1C7B459458B94
                                          APIs
                                          • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00403004
                                          • wsprintfA.USER32 ref: 00403038
                                          • SetWindowTextA.USER32(?,?), ref: 00403048
                                          • SetDlgItemTextA.USER32(?,00000406,?), ref: 0040305A
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.3439475743.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000002.00000002.3439462217.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439489435.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.0000000000410000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.0000000000423000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.0000000000427000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.000000000042C000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.0000000000431000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439589373.0000000000436000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Au_.jbxd
                                          Similarity
                                          • API ID: Text$ItemTimerWindowwsprintf
                                          • String ID: unpacking data: %d%%$verifying installer: %d%%
                                          • API String ID: 1451636040-1158693248
                                          • Opcode ID: 34aea8c237d9a6b4262babc5d15cb9ea65e997ceb4a27ace1c078bd2d2e193bf
                                          • Instruction ID: 20546e6ba832e1b3fab4aa97257a5f65f69261077b3f880adcbb49229734dd85
                                          • Opcode Fuzzy Hash: 34aea8c237d9a6b4262babc5d15cb9ea65e997ceb4a27ace1c078bd2d2e193bf
                                          • Instruction Fuzzy Hash: 3AF0817050020CBBDF20AF60DD06BAE3BBCAB04345F00843AFA56B51D5DBB99A558F99
                                          APIs
                                          • GetStringTypeW.KERNEL32(00000001,039F6454,00000001,039F701C,?,039F704C,039F701C,?,?), ref: 039F3418
                                          • GetStringTypeA.KERNEL32(00000000,00000001,039F6450,00000001,?,?,?), ref: 039F3432
                                          • GetStringTypeA.KERNEL32(039F701C,?,?,?,?,?,039F704C,039F701C,?,?), ref: 039F3466
                                          • MultiByteToWideChar.KERNEL32(?,039F704D,?,?,00000000,00000000,?,039F704C,039F701C,?,?), ref: 039F349E
                                          • MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,?,?,?,?,?,?), ref: 039F34F4
                                          • GetStringTypeW.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?), ref: 039F3506
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.3440368393.00000000039F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 039F0000, based on PE: true
                                           • Associated: 00000002.00000002.3440356341.00000000039F0000.00000002.00000001.01000000.00000008.sdmp
                                           • Associated: 00000002.00000002.3440380688.00000000039F6000.00000002.00000001.01000000.00000008.sdmp
                                           • Associated: 00000002.00000002.3440392347.00000000039F7000.00000004.00000001.01000000.00000008.sdmp
                                           • Associated: 00000002.00000002.3440404042.00000000039F9000.00000004.00000001.01000000.00000008.sdmp
                                           • Associated: 00000002.00000002.3440415852.00000000039FB000.00000002.00000001.01000000.00000008.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_39f0000_Au_.jbxd
                                          Similarity
                                          • API ID: StringType$ByteCharMultiWide
                                          • String ID:
                                          • API String ID: 3852931651-0
                                          • Opcode ID: ed237b998f0ab5e46f534bc47d6fad6f9fa81bf308b08204e9c31c87edb7cc15
                                          • Instruction ID: b47a0d6ed1037aaa15c50f8f86ae18037e18154c2279d7dbc45b578f1116cf4e
                                          • Opcode Fuzzy Hash: ed237b998f0ab5e46f534bc47d6fad6f9fa81bf308b08204e9c31c87edb7cc15
                                          • Instruction Fuzzy Hash: 5141CCB6600219AFCF22EF95CC85EEE7FB9EB05790F240425FA15E6250C339C9548BA0
                                          APIs
                                          • SendMessageA.USER32(?,?,?), ref: 03A11B49
                                          • DrawTextA.USER32(?,-03A16804,000000FF,?,00000414), ref: 03A11BB0
                                          • GetWindowLongA.USER32(?,000000EB), ref: 03A11BE4
                                          • SetTextColor.GDI32(?,?), ref: 03A11BF7
                                          • DrawTextA.USER32(?,?,000000FF,?,?), ref: 03A11C1C
                                          • DrawFocusRect.USER32(?,00000010), ref: 03A11C37
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.3440450729.0000000003A11000.00000020.00000001.01000000.0000000B.sdmp, Offset: 03A10000, based on PE: true
                                           • Associated: 00000002.00000002.3440439222.0000000003A10000.00000002.00000001.01000000.0000000B.sdmp
                                           • Associated: 00000002.00000002.3440462301.0000000003A13000.00000002.00000001.01000000.0000000B.sdmp
                                           • Associated: 00000002.00000002.3440473932.0000000003A14000.00000004.00000001.01000000.0000000B.sdmp
                                           • Associated: 00000002.00000002.3440486457.0000000003A18000.00000002.00000001.01000000.0000000B.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_3a10000_Au_.jbxd
                                          Similarity
                                          • API ID: DrawText$ColorFocusLongMessageRectSendWindow
                                          • String ID:
                                          • API String ID: 491839470-0
                                          • Opcode ID: 88cb6f57c1afaa3477d95774c926e4640fc98f473b9c8c1c22232ffce145b155
                                          • Instruction ID: d5a3cb5f599fb8f00700b97cecd732e31734429bd926751e013e7884500e1a33
                                          • Opcode Fuzzy Hash: 88cb6f57c1afaa3477d95774c926e4640fc98f473b9c8c1c22232ffce145b155
                                          • Instruction Fuzzy Hash: E041BA3560020AAFCF05DF68CD84AAB7BB6FB05300F08455AFE10DA2A6D375D962CB50
                                          APIs
                                          • GetDlgCtrlID.USER32(?), ref: 03A11C5E
                                          • CallWindowProcA.USER32(?,?,?,?,?), ref: 03A11CC3
                                          • MapWindowPoints.USER32(00000000,?,?,00000001), ref: 03A11D00
                                          • PtInRect.USER32(-03A16828,?,?), ref: 03A11D10
                                          • LoadCursorA.USER32(00000000,00007F89), ref: 03A11D31
                                          • SetCursor.USER32(00000000), ref: 03A11D40
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.3440450729.0000000003A11000.00000020.00000001.01000000.0000000B.sdmp, Offset: 03A10000, based on PE: true
                                           • Associated: 00000002.00000002.3440439222.0000000003A10000.00000002.00000001.01000000.0000000B.sdmp
                                           • Associated: 00000002.00000002.3440462301.0000000003A13000.00000002.00000001.01000000.0000000B.sdmp
                                           • Associated: 00000002.00000002.3440473932.0000000003A14000.00000004.00000001.01000000.0000000B.sdmp
                                           • Associated: 00000002.00000002.3440486457.0000000003A18000.00000002.00000001.01000000.0000000B.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_3a10000_Au_.jbxd
                                          Similarity
                                          • API ID: CursorWindow$CallCtrlLoadPointsProcRect
                                          • String ID:
                                          • API String ID: 3496465773-0
                                          • Opcode ID: e4a25fa3759ba5b63ba4a36dd80ac7c71a90371c5c1054f84bf1390d4f4533ef
                                          • Instruction ID: 9c8144d6d4a210a2823ee756a2019d7bb90f31b51296b648632d203bc0dd6de2
                                          • Opcode Fuzzy Hash: e4a25fa3759ba5b63ba4a36dd80ac7c71a90371c5c1054f84bf1390d4f4533ef
                                          • Instruction Fuzzy Hash: FF21D076900216ABDF21CFB5DE4EBEA7BF8EB05240F04061AF742D6284E275D9628751
                                          APIs
                                          • VirtualFree.KERNEL32(0000000C,00100000,00004000,?,?,?,?,039F1A5B,039F1AAF,?,?,?), ref: 039F2D24
                                          • VirtualFree.KERNEL32(0000000C,00000000,00008000,?,?,?,?,039F1A5B,039F1AAF,?,?,?), ref: 039F2D2F
                                          • HeapFree.KERNEL32(00000000,?,?,?,?,?,039F1A5B,039F1AAF,?,?,?), ref: 039F2D3C
                                          • HeapFree.KERNEL32(00000000,?,?,?,?,039F1A5B,039F1AAF,?,?,?), ref: 039F2D58
                                          • VirtualFree.KERNEL32(FFFFFFFF,00000000,00008000,?,?,039F1A5B,039F1AAF,?,?,?), ref: 039F2D79
                                          • HeapDestroy.KERNEL32(?,?,039F1A5B,039F1AAF,?,?,?), ref: 039F2D8B
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.3440368393.00000000039F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 039F0000, based on PE: true
                                           • Associated: 00000002.00000002.3440356341.00000000039F0000.00000002.00000001.01000000.00000008.sdmp
                                           • Associated: 00000002.00000002.3440380688.00000000039F6000.00000002.00000001.01000000.00000008.sdmp
                                           • Associated: 00000002.00000002.3440392347.00000000039F7000.00000004.00000001.01000000.00000008.sdmp
                                           • Associated: 00000002.00000002.3440404042.00000000039F9000.00000004.00000001.01000000.00000008.sdmp
                                           • Associated: 00000002.00000002.3440415852.00000000039FB000.00000002.00000001.01000000.00000008.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_39f0000_Au_.jbxd
                                          Similarity
                                          • API ID: Free$HeapVirtual$Destroy
                                          • String ID:
                                          • API String ID: 716807051-0
                                          • Opcode ID: 501e5bfdcfe1891c56ae77246e45a4aa14b94d1087ba58515aeefeddd0adbf3b
                                          • Instruction ID: 4494731d563b16a153e37c374173246e417c2aeb6f313ceac241b8b27658756e
                                          • Opcode Fuzzy Hash: 501e5bfdcfe1891c56ae77246e45a4aa14b94d1087ba58515aeefeddd0adbf3b
                                          • Instruction Fuzzy Hash: 65118E3B244205AFDB31EB10EC82F55B769FF85794F3A4814F7926B098C771A811DB54
                                          APIs
                                            • Part of subcall function 039F1770: lstrcpyA.KERNEL32(?,?,?,039F1068,?), ref: 039F178F
                                            • Part of subcall function 039F1770: GlobalFree.KERNEL32 ref: 039F179F
                                          • CreateFileA.KERNEL32(00000002,00000002,00000001,00000000,00000002,00000080,00000000,?,?), ref: 039F10C0
                                          • CreateFileA.KERNEL32(00000000,00000004,00000001,00000000,00000003,00000080,00000000,?), ref: 039F1133
                                          • CreateFileA.KERNEL32(00000001,00000002,00000001,00000000,00000002,00000080,00000000), ref: 039F1153
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.3440368393.00000000039F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 039F0000, based on PE: true
                                           • Associated: 00000002.00000002.3440356341.00000000039F0000.00000002.00000001.01000000.00000008.sdmp
                                           • Associated: 00000002.00000002.3440380688.00000000039F6000.00000002.00000001.01000000.00000008.sdmp
                                           • Associated: 00000002.00000002.3440392347.00000000039F7000.00000004.00000001.01000000.00000008.sdmp
                                           • Associated: 00000002.00000002.3440404042.00000000039F9000.00000004.00000001.01000000.00000008.sdmp
                                           • Associated: 00000002.00000002.3440415852.00000000039FB000.00000002.00000001.01000000.00000008.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_39f0000_Au_.jbxd
                                          Similarity
                                          • API ID: CreateFile$FreeGloballstrcpy
                                          • String ID: false$true
                                          • API String ID: 989768725-2658103896
                                          • Opcode ID: 087edaea3e3113eec94ef68e226293b270f326cecbb18225e3e50ced93bc87b3
                                          • Instruction ID: 4067de020874099cfe4e9419048f2eec3872c64da8015f37e52b3a9ec99fad4c
                                          • Opcode Fuzzy Hash: 087edaea3e3113eec94ef68e226293b270f326cecbb18225e3e50ced93bc87b3
                                          • Instruction Fuzzy Hash: 6541C475648340AFD320DA349CA2FA677EDAB89750F5C8959FBD49B3C0E2769008C781
                                          APIs
                                          • GetVersionExA.KERNEL32 ref: 039F2B66
                                          • GetEnvironmentVariableA.KERNEL32(__MSVCRT_HEAP_SELECT,?,00001090), ref: 039F2B9B
                                          • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 039F2BFB
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.3440368393.00000000039F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 039F0000, based on PE: true
                                           • Associated: 00000002.00000002.3440356341.00000000039F0000.00000002.00000001.01000000.00000008.sdmp
                                           • Associated: 00000002.00000002.3440380688.00000000039F6000.00000002.00000001.01000000.00000008.sdmp
                                           • Associated: 00000002.00000002.3440392347.00000000039F7000.00000004.00000001.01000000.00000008.sdmp
                                           • Associated: 00000002.00000002.3440404042.00000000039F9000.00000004.00000001.01000000.00000008.sdmp
                                           • Associated: 00000002.00000002.3440415852.00000000039FB000.00000002.00000001.01000000.00000008.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_39f0000_Au_.jbxd
                                          Similarity
                                          • API ID: EnvironmentFileModuleNameVariableVersion
                                          • String ID: __GLOBAL_HEAP_SELECTED$__MSVCRT_HEAP_SELECT
                                          • API String ID: 1385375860-4131005785
                                          • Opcode ID: bc4e84340e7fe6736aa1dbb804ec2d9d0169f5da77007b3b37cda2f84b413d9b
                                          • Instruction ID: 847dfa3eb248c67b2097fcd4937bdaed90551d677e65fb9da2db3823894a8f24
                                          • Opcode Fuzzy Hash: bc4e84340e7fe6736aa1dbb804ec2d9d0169f5da77007b3b37cda2f84b413d9b
                                          • Instruction Fuzzy Hash: F631243D90634A6EEB35DBB06C85BED776C9B02384F1C0CD9D3C5DA042E6328AC98B11
                                          APIs
                                            • Part of subcall function 00402FAE: RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00000022,00000000,?,?), ref: 00402FD6
                                          • RegCloseKey.ADVAPI32(00000000), ref: 00402640
                                          • RegDeleteValueA.ADVAPI32(00000000,00000000,00000033), ref: 00402620
                                            • Part of subcall function 00406747: lstrlenA.KERNEL32(File: skipped: "C:\Users\user\AppData\Local\Temp\nslC943.tmp\InstallOptions.dll" (overwriteflag=1),?,?,00000000,00405D75,RMDir: RemoveDirectory("%s"),?,?,?), ref: 0040675E
                                            • Part of subcall function 00406747: wvsprintfA.USER32(00000000,File: skipped: "C:\Users\user\AppData\Local\Temp\nslC943.tmp\InstallOptions.dll" (overwriteflag=1),?), ref: 00406766
                                          Strings
                                          • C:\Users\user\AppData\Local\Temp\nslC943.tmp, xrefs: 00402627
                                          • DeleteRegKey: "%s\%s", xrefs: 00402655
                                          • DeleteRegValue: "%s\%s" "%s", xrefs: 00402632
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.3439475743.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000002.00000002.3439462217.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439489435.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.0000000000410000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.0000000000423000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.0000000000427000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.000000000042C000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.0000000000431000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439589373.0000000000436000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Au_.jbxd
                                          Similarity
                                          • API ID: CloseDeleteOpenValuelstrlenwvsprintf
                                          • String ID: C:\Users\user\AppData\Local\Temp\nslC943.tmp$DeleteRegKey: "%s\%s"$DeleteRegValue: "%s\%s" "%s"
                                          • API String ID: 1697273262-43562286
                                          • Opcode ID: 51c68090e8a67a56892b3820ab81a8b8f22f375d76c0b7748482eb46e543d4f7
                                          • Instruction ID: a5f9fdcf4292228b50cc97bbae3325fbb2d9f6784c2398e720f3cfd803d35b6f
                                          • Opcode Fuzzy Hash: 51c68090e8a67a56892b3820ab81a8b8f22f375d76c0b7748482eb46e543d4f7
                                          • Instruction Fuzzy Hash: C411CE72A00210BBDB10AFA1DE4AEBE7A74EF44358F11043FF405B61C1DBBD49119AAE
                                          APIs
                                          • GetDC.USER32(?), ref: 00401F49
                                          • GetDeviceCaps.GDI32(00000000), ref: 00401F50
                                          • MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401F5F
                                          • CreateFontIndirectA.GDI32(0040C8B4), ref: 00401FB1
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.3439475743.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000002.00000002.3439462217.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439489435.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.0000000000410000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.0000000000423000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.0000000000427000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.000000000042C000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.0000000000431000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439589373.0000000000436000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Au_.jbxd
                                          Similarity
                                          • API ID: CapsCreateDeviceFontIndirect
                                          • String ID: MS Shell Dlg
                                          • API String ID: 3272661963-76309092
                                          • Opcode ID: 291d0e57388edc1b08859d94a8efc30bfd93f616262f4cc1ff9ef029793b8a23
                                          • Instruction ID: b63daee5e4490fecacf728a327702699109581dcf8ad524f23a780e713d248c9
                                          • Opcode Fuzzy Hash: 291d0e57388edc1b08859d94a8efc30bfd93f616262f4cc1ff9ef029793b8a23
                                          • Instruction Fuzzy Hash: B1F04473954684EFE7017760AF9ABAA3FA4A715306F148579E5C1B61E3C6B80008972D
                                          APIs
                                          • GetStartupInfoA.KERNEL32(?), ref: 039F2530
                                          • GetFileType.KERNEL32(00000480), ref: 039F25DB
                                          • GetStdHandle.KERNEL32(-000000F6), ref: 039F263E
                                          • GetFileType.KERNEL32(00000000), ref: 039F264C
                                          • SetHandleCount.KERNEL32 ref: 039F2683
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.3440368393.00000000039F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 039F0000, based on PE: true
                                           • Associated: 00000002.00000002.3440356341.00000000039F0000.00000002.00000001.01000000.00000008.sdmp
                                           • Associated: 00000002.00000002.3440380688.00000000039F6000.00000002.00000001.01000000.00000008.sdmp
                                           • Associated: 00000002.00000002.3440392347.00000000039F7000.00000004.00000001.01000000.00000008.sdmp
                                           • Associated: 00000002.00000002.3440404042.00000000039F9000.00000004.00000001.01000000.00000008.sdmp
                                           • Associated: 00000002.00000002.3440415852.00000000039FB000.00000002.00000001.01000000.00000008.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_39f0000_Au_.jbxd
                                          Similarity
                                          • API ID: FileHandleType$CountInfoStartup
                                          • String ID:
                                          • API String ID: 1710529072-0
                                          • Opcode ID: 9b1335927ab92d6f7c3e3c44a3ead95a105f340aa5c9d3a88f980fcd30653ee8
                                          • Instruction ID: 3044133fc504ff35ebfb7003894147cd6d67fab0b0ff0d97821b25fcdbb9c534
                                          • Opcode Fuzzy Hash: 9b1335927ab92d6f7c3e3c44a3ead95a105f340aa5c9d3a88f980fcd30653ee8
                                          • Instruction Fuzzy Hash: 7451E2795043018FC720EB78D498B697BE8FB41768F2D8E69D6E28F2E4DB309805CB50
                                          APIs
                                            • Part of subcall function 004062CD: lstrcpynA.KERNEL32(?,?,00000400,00403795,LogicLinx 3.31 Uninstall,NSIS Error), ref: 004062DA
                                          • GlobalFree.KERNEL32(00000000), ref: 00401D9C
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.3439475743.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000002.00000002.3439462217.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439489435.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.0000000000410000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.0000000000423000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.0000000000427000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.000000000042C000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.0000000000431000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439589373.0000000000436000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Au_.jbxd
                                          Similarity
                                          • API ID: FreeGloballstrcpyn
                                          • String ID: Exch: stack < %d elements$Pop: stack empty$show
                                          • API String ID: 1459762280-4034689739
                                          • Opcode ID: cf8f085dc2dfd7742efe7c5db672cc57a5990e017400db5c87f51672aee65fbc
                                          • Instruction ID: 25a31974a44f7f3c9bc4a7fc565ada83b9efa98a6fb8f9df3e5ad5d088b76f6c
                                          • Opcode Fuzzy Hash: cf8f085dc2dfd7742efe7c5db672cc57a5990e017400db5c87f51672aee65fbc
                                          • Instruction Fuzzy Hash: CC21B3B2604141EBD710BF94DE85A5F73A4AF48319721493FF512B32D1EB7CA8119B2D
                                          APIs
                                          • RegOpenKeyExA.ADVAPI32(?,?,00000000,?,?), ref: 00402F05
                                          • RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402F41
                                          • RegCloseKey.ADVAPI32(?), ref: 00402F4A
                                          • RegCloseKey.ADVAPI32(?), ref: 00402F6F
                                          • RegDeleteKeyA.ADVAPI32(?,?), ref: 00402F8D
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.3439475743.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000002.00000002.3439462217.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439489435.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.0000000000410000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.0000000000423000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.0000000000427000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.000000000042C000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.0000000000431000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439589373.0000000000436000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Au_.jbxd
                                          Similarity
                                          • API ID: Close$DeleteEnumOpen
                                          • String ID:
                                          • API String ID: 1912718029-0
                                          • Opcode ID: b028ecec1d78a200503dadcefe2bc22e0f6fb028ff25e3f61a2c7c57b1882060
                                          • Instruction ID: 1bd9878c7ef2e45ac55117cc9ab264197938e8746315a7d31758d375fefd0929
                                          • Opcode Fuzzy Hash: b028ecec1d78a200503dadcefe2bc22e0f6fb028ff25e3f61a2c7c57b1882060
                                          • Instruction Fuzzy Hash: 0E117C7150000AFFDF10AFA0DE48DAA3B7DEB44389B404036FA45B01E0D7B49E55BB69
                                          APIs
                                          • GetDlgItem.USER32(?), ref: 00401EEC
                                          • GetClientRect.USER32(00000000,?), ref: 00401EF9
                                          • LoadImageA.USER32(?,00000000,?,?,?,?), ref: 00401F1A
                                          • SendMessageA.USER32(00000000,00000172,?,00000000), ref: 00401F28
                                          • DeleteObject.GDI32(00000000), ref: 00401F37
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.3439475743.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000002.00000002.3439462217.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439489435.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.0000000000410000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.0000000000423000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.0000000000427000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.000000000042C000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439503883.0000000000431000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.3439589373.0000000000436000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Au_.jbxd
                                          Similarity
                                          • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                          • String ID:
                                          • API String ID: 1849352358-0
                                          APIs
                                          • GetLastError.KERNEL32(00000000,?,039F186D,00000000,00000000,00000000), ref: 039F21FA
                                          • TlsGetValue.KERNEL32 ref: 039F2208
                                          • SetLastError.KERNEL32(00000000), ref: 039F2254
                                            • Part of subcall function 039F356E: HeapAlloc.KERNEL32(00000008,039F221D,00000000,00000000,00000000,039F6480,000000FF,?,039F221D,00000001,00000074), ref: 039F3664
                                          • TlsSetValue.KERNEL32(00000000), ref: 039F222C
                                          • GetCurrentThreadId.KERNEL32 ref: 039F223D
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.3440368393.00000000039F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 039F0000, based on PE: true
                                           • Associated: 00000002.00000002.3440356341.00000000039F0000.00000002.00000001.01000000.00000008.sdmp
                                           • Associated: 00000002.00000002.3440380688.00000000039F6000.00000002.00000001.01000000.00000008.sdmp
                                           • Associated: 00000002.00000002.3440392347.00000000039F7000.00000004.00000001.01000000.00000008.sdmp
                                           • Associated: 00000002.00000002.3440404042.00000000039F9000.00000004.00000001.01000000.00000008.sdmp
                                           • Associated: 00000002.00000002.3440415852.00000000039FB000.00000002.00000001.01000000.00000008.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_39f0000_Au_.jbxd
                                          Similarity
                                          • API ID: ErrorLastValue$AllocCurrentHeapThread
                                          • String ID:
                                          • API String ID: 2020098873-0
                                          APIs
                                          • DeleteCriticalSection.KERNEL32(00000000,?,?,039F21CC,039F1A56,039F1AAF,?,?,?), ref: 039F1B9C
                                            • Part of subcall function 039F2F20: HeapFree.KERNEL32(00000000,00000000,00000000,039F221D,00000000,?,039F3624,00000009,00000000,00000000,00000000,039F6480,000000FF,?,039F221D,00000001), ref: 039F2FF4
                                          • DeleteCriticalSection.KERNEL32(?,?,039F21CC,039F1A56,039F1AAF,?,?,?), ref: 039F1BB7
                                          • DeleteCriticalSection.KERNEL32 ref: 039F1BBF
                                          • DeleteCriticalSection.KERNEL32 ref: 039F1BC7
                                          • DeleteCriticalSection.KERNEL32 ref: 039F1BCF
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.3440368393.00000000039F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 039F0000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_39f0000_Au_.jbxd
                                          Similarity
                                          • API ID: CriticalDeleteSection$FreeHeap
                                          • String ID:
                                          • API String ID: 447823528-0
                                          APIs
                                          • CoCreateInstance.OLE32(00408400,?,00000001,004083F0,?), ref: 00402371
                                          • MultiByteToWideChar.KERNEL32(?,?,?,000000FF,0040ACA8,00000400,?,00000001,004083F0,?), ref: 00402429
                                          Strings
                                          • CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d, xrefs: 00402353
                                          • C:\Users\user\Desktop\, xrefs: 004023AB
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.3439475743.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Au_.jbxd
                                          Similarity
                                          • API ID: ByteCharCreateInstanceMultiWide
                                          • String ID: C:\Users\user\Desktop\$CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d
                                          • API String ID: 123533781-1442144967
                                          APIs
                                          • lstrlenA.KERNEL32(00421DD8,00421DD8,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404C0B,000000DF,004215B0,00000400,00000000), ref: 00404D8E
                                          • wsprintfA.USER32 ref: 00404D96
                                          • SetDlgItemTextA.USER32(?,00421DD8), ref: 00404DA9
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.3439475743.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Au_.jbxd
                                          Similarity
                                          • API ID: ItemTextlstrlenwsprintf
                                          • String ID: %u.%u%s%s
                                          • API String ID: 3540041739-3551169577
                                          APIs
                                          • SetWindowTextA.USER32(00000000,LogicLinx 3.31 Uninstall), ref: 00403F98
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.3439475743.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Au_.jbxd
                                          Similarity
                                          • API ID: TextWindow
                                          • String ID: "C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe" $1033$LogicLinx 3.31 Uninstall
                                          • API String ID: 530164218-2959590292
                                          APIs
                                            • Part of subcall function 00406747: lstrlenA.KERNEL32(File: skipped: "C:\Users\user\AppData\Local\Temp\nslC943.tmp\InstallOptions.dll" (overwriteflag=1),?,?,00000000,00405D75,RMDir: RemoveDirectory("%s"),?,?,?), ref: 0040675E
                                            • Part of subcall function 00406747: wvsprintfA.USER32(00000000,File: skipped: "C:\Users\user\AppData\Local\Temp\nslC943.tmp\InstallOptions.dll" (overwriteflag=1),?), ref: 00406766
                                            • Part of subcall function 00406775: FindFirstFileA.KERNEL32(?,00423E28,C:\Users\user\AppData\Local\Temp\nslC943.tmp,00405EE4,C:\Users\user\AppData\Local\Temp\nslC943.tmp,C:\Users\user\AppData\Local\Temp\nslC943.tmp,00000000,C:\Users\user\AppData\Local\Temp\nslC943.tmp,C:\Users\user\AppData\Local\Temp\nslC943.tmp,?,?,76232EE0,00405BAD,?,C:\Users\user\AppData\Local\Temp\,76232EE0), ref: 00406780
                                            • Part of subcall function 00406775: FindClose.KERNEL32(00000000), ref: 0040678C
                                          • lstrlenA.KERNEL32 ref: 004024BF
                                          • lstrlenA.KERNEL32(00000000), ref: 004024C9
                                          • SHFileOperationA.SHELL32(?,?,?,00000000), ref: 004024F1
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.3439475743.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Au_.jbxd
                                          Similarity
                                          • API ID: lstrlen$FileFind$CloseFirstOperationwvsprintf
                                          • String ID: CopyFiles "%s"->"%s"
                                          • API String ID: 2577523808-3778932970
                                          APIs
                                          • ShellExecuteA.SHELL32(?,00000000,00000000,00000000,C:\Users\user\Desktop\,?), ref: 00402040
                                            • Part of subcall function 00406747: lstrlenA.KERNEL32(File: skipped: "C:\Users\user\AppData\Local\Temp\nslC943.tmp\InstallOptions.dll" (overwriteflag=1),?,?,00000000,00405D75,RMDir: RemoveDirectory("%s"),?,?,?), ref: 0040675E
                                            • Part of subcall function 00406747: wvsprintfA.USER32(00000000,File: skipped: "C:\Users\user\AppData\Local\Temp\nslC943.tmp\InstallOptions.dll" (overwriteflag=1),?), ref: 00406766
                                          Strings
                                          • ExecShell: success ("%s": file:"%s" params:"%s"), xrefs: 00402064
                                          • C:\Users\user\Desktop\, xrefs: 0040202B
                                          • ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d, xrefs: 0040204F
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.3439475743.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Au_.jbxd
                                          Similarity
                                          • API ID: ExecuteShelllstrlenwvsprintf
                                          • String ID: C:\Users\user\Desktop\$ExecShell: success ("%s": file:"%s" params:"%s")$ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d
                                          • API String ID: 2380004146-1697473297
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.3439475743.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Au_.jbxd
                                          Similarity
                                          • API ID: lstrcatwsprintf
                                          • String ID: %02x%c$...
                                          • API String ID: 3065427908-1057055748
                                          APIs
                                          • OleInitialize.OLE32(00000000), ref: 0040560D
                                            • Part of subcall function 004044EC: SendMessageA.USER32(00020448,00000000,00000000,00000000), ref: 004044FE
                                          • OleUninitialize.OLE32(00000404,00000000), ref: 0040565B
                                            • Part of subcall function 00406747: lstrlenA.KERNEL32(File: skipped: "C:\Users\user\AppData\Local\Temp\nslC943.tmp\InstallOptions.dll" (overwriteflag=1),?,?,00000000,00405D75,RMDir: RemoveDirectory("%s"),?,?,?), ref: 0040675E
                                            • Part of subcall function 00406747: wvsprintfA.USER32(00000000,File: skipped: "C:\Users\user\AppData\Local\Temp\nslC943.tmp\InstallOptions.dll" (overwriteflag=1),?), ref: 00406766
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.3439475743.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Au_.jbxd
                                          Similarity
                                          • API ID: InitializeMessageSendUninitializelstrlenwvsprintf
                                          • String ID: Section: "%s"$Skipping section: "%s"
                                          • API String ID: 2266616436-4211696005
                                          APIs
                                          • lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,004036D4,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,?,00403875), ref: 00405DC6
                                          • CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,004036D4,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,?,00403875), ref: 00405DCF
                                          • lstrcatA.KERNEL32(?,0040A28C), ref: 00405DE0
                                          Strings
                                          • C:\Users\user\AppData\Local\Temp\, xrefs: 00405DC0
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.3439475743.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Au_.jbxd
                                          Similarity
                                          • API ID: CharPrevlstrcatlstrlen
                                          • String ID: C:\Users\user\AppData\Local\Temp\
                                          • API String ID: 2659869361-3936084776
                                          • Opcode ID: 474ca4425f08dcfbce71dbb0ed893910abc24d850d6d34f35572f5f56a012a6b
                                          • Instruction ID: 0734be1ac4b4e6ef13ff8d97b6b7742c695e07c626293a3ddb6dea9da1bc223f
                                          • Opcode Fuzzy Hash: 474ca4425f08dcfbce71dbb0ed893910abc24d850d6d34f35572f5f56a012a6b
                                          • Instruction Fuzzy Hash: 88D0A7625019306AD10132555C09DCF1B089F0234170500BFF101B3191C77C4D5187FE
                                          APIs
                                          • HeapAlloc.KERNEL32(00000000,00002020,039F7580,039F7580,?,039F221D,039F4C5C,00000000,00000010,00000000,00000009,00000009,?,039F30F3,00000010,00000000), ref: 039F47B1
                                          • VirtualAlloc.KERNEL32(00000000,00400000,00002000,00000004,?,039F221D,039F4C5C,00000000,00000010,00000000,00000009,00000009,?,039F30F3,00000010,00000000), ref: 039F47D5
                                          • VirtualAlloc.KERNEL32(00000000,00010000,00001000,00000004,?,039F221D,039F4C5C,00000000,00000010,00000000,00000009,00000009,?,039F30F3,00000010,00000000), ref: 039F47EF
                                          • VirtualFree.KERNEL32(00000000,00000000,00008000,?,039F221D,039F4C5C,00000000,00000010,00000000,00000009,00000009,?,039F30F3,00000010,00000000,039F221D), ref: 039F48B0
                                          • HeapFree.KERNEL32(00000000,00000000,?,039F221D,039F4C5C,00000000,00000010,00000000,00000009,00000009,?,039F30F3,00000010,00000000,039F221D,00000000), ref: 039F48C7
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.3440368393.00000000039F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 039F0000, based on PE: true
                                          • Associated: 00000002.00000002.3440356341.00000000039F0000.00000002.00000001.01000000.00000008.sdmp
                                          • Associated: 00000002.00000002.3440380688.00000000039F6000.00000002.00000001.01000000.00000008.sdmp
                                          • Associated: 00000002.00000002.3440392347.00000000039F7000.00000004.00000001.01000000.00000008.sdmp
                                          • Associated: 00000002.00000002.3440404042.00000000039F9000.00000004.00000001.01000000.00000008.sdmp
                                          • Associated: 00000002.00000002.3440415852.00000000039FB000.00000002.00000001.01000000.00000008.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_39f0000_Au_.jbxd
                                          Similarity
                                          • API ID: AllocVirtual$FreeHeap
                                          • String ID:
                                          • API String ID: 714016831-0
                                          • Opcode ID: 841162fd37570d5723168c34153a442d330586308f20f0f90dbcbeb80b190b2e
                                          • Instruction ID: 995631548e15780f416f3cc2ebce4ae3341e762fa6890c1b9e664a9dfe23dd6c
                                          • Opcode Fuzzy Hash: 841162fd37570d5723168c34153a442d330586308f20f0f90dbcbeb80b190b2e
                                          • Instruction Fuzzy Hash: 3D310471A447019FD330DF2ADC40B32B7E8EB857A4F144639E76A9B2C4E770A444CB44
                                          APIs
                                          • CharNextA.USER32(00405BAD,?,C:\Users\user\AppData\Local\Temp\nslC943.tmp,00000000,00405EB8,C:\Users\user\AppData\Local\Temp\nslC943.tmp,C:\Users\user\AppData\Local\Temp\nslC943.tmp,?,?,76232EE0,00405BAD,?,C:\Users\user\AppData\Local\Temp\,76232EE0), ref: 00405E62
                                          • CharNextA.USER32(00000000), ref: 00405E67
                                          • CharNextA.USER32(00000000), ref: 00405E76
                                          Strings
                                          • C:\Users\user\AppData\Local\Temp\nslC943.tmp, xrefs: 00405E55
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.3439475743.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000002.00000002.3439462217.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439489435.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.0000000000410000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.0000000000423000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.0000000000427000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.000000000042C000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.0000000000431000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439589373.0000000000436000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Au_.jbxd
                                          Similarity
                                          • API ID: CharNext
                                          • String ID: C:\Users\user\AppData\Local\Temp\nslC943.tmp
                                          • API String ID: 3213498283-76981094
                                          • Opcode ID: 54424ee5da26782a37665bbc102068cc15b5f81190ee1e33e4b0b968b8303093
                                          • Instruction ID: 11a343e31c9d60752f54db4d23f309ce601ad8d6a71b69d801754e6f1b581227
                                          • Opcode Fuzzy Hash: 54424ee5da26782a37665bbc102068cc15b5f81190ee1e33e4b0b968b8303093
                                          • Instruction Fuzzy Hash: E6F027B1904E2565EB3223649C44F7B5B9CDB54310F04003BE680B61D183BC4D828FD9
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.3440368393.00000000039F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 039F0000, based on PE: true
                                          • Associated: 00000002.00000002.3440356341.00000000039F0000.00000002.00000001.01000000.00000008.sdmp
                                          • Associated: 00000002.00000002.3440380688.00000000039F6000.00000002.00000001.01000000.00000008.sdmp
                                          • Associated: 00000002.00000002.3440392347.00000000039F7000.00000004.00000001.01000000.00000008.sdmp
                                          • Associated: 00000002.00000002.3440404042.00000000039F9000.00000004.00000001.01000000.00000008.sdmp
                                          • Associated: 00000002.00000002.3440415852.00000000039FB000.00000002.00000001.01000000.00000008.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_39f0000_Au_.jbxd
                                          Similarity
                                          • API ID: Info
                                          • String ID: $
                                          • API String ID: 1807457897-3032137957
                                          • Opcode ID: c5058f6f2c3887d6dcea2c2a5986310882c7f258f9a01014d13bb716f313481e
                                          • Instruction ID: c05236d7e350828c11d493c6e6a9a30d536618e939871dae5b86aa70c5bee0a6
                                          • Opcode Fuzzy Hash: c5058f6f2c3887d6dcea2c2a5986310882c7f258f9a01014d13bb716f313481e
                                          • Instruction Fuzzy Hash: B14189321082585FD721D718DC49BEB7F9CEB02700F2C09E4DA89CB192C3654985CBA2
                                          APIs
                                          • IsWindowVisible.USER32(?), ref: 004054B1
                                          • CallWindowProcA.USER32(?,00000200,?,?), ref: 0040551F
                                            • Part of subcall function 004044EC: SendMessageA.USER32(00020448,00000000,00000000,00000000), ref: 004044FE
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.3439475743.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000002.00000002.3439462217.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439489435.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.0000000000410000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.0000000000423000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.0000000000427000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.000000000042C000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.0000000000431000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439589373.0000000000436000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Au_.jbxd
                                          Similarity
                                          • API ID: Window$CallMessageProcSendVisible
                                          • String ID:
                                          • API String ID: 3748168415-3916222277
                                          • Opcode ID: a97747d4f20b58a5a8246378c350f1c08e6f5488a267fa018f0172030650b825
                                          • Instruction ID: 166d6715e7ab60c55adc75bb3d5397455d2db949af7a45014f951e8b9f02b12e
                                          • Opcode Fuzzy Hash: a97747d4f20b58a5a8246378c350f1c08e6f5488a267fa018f0172030650b825
                                          • Instruction Fuzzy Hash: 2C118C31200608BBDB216F52DC40A9B3B6AEF15365F00843BF609792A2C7788D51CFA9
                                          APIs
                                          • lstrlenA.KERNEL32(00000000,00000011), ref: 00402922
                                          • WriteFile.KERNEL32(00000000,?,C:\Users\user\AppData\Local\Temp\nslC943.tmp\InstallOptions.dll,00000000,?,?,00000000,00000011), ref: 00402941
                                          Strings
                                          • C:\Users\user\AppData\Local\Temp\nslC943.tmp\InstallOptions.dll, xrefs: 00402910, 00402935
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.3439475743.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000002.00000002.3439462217.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439489435.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.0000000000410000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.0000000000423000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.0000000000427000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.000000000042C000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.0000000000431000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439589373.0000000000436000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Au_.jbxd
                                          Similarity
                                          • API ID: FileWritelstrlen
                                          • String ID: C:\Users\user\AppData\Local\Temp\nslC943.tmp\InstallOptions.dll
                                          • API String ID: 427699356-1437982054
                                          • Opcode ID: bcbf014360f17b4c072ef3e4100504422a2a3de39269110d03a8084a7a26d8e5
                                          • Instruction ID: 81bf12f3e497c37cfbdb7e66173dd3580eab781fa494c6dd951371effea59d05
                                          • Opcode Fuzzy Hash: bcbf014360f17b4c072ef3e4100504422a2a3de39269110d03a8084a7a26d8e5
                                          • Instruction Fuzzy Hash: E8F0B472604144AED700FBB09E09AAB7268DB04309F10443BE142B60C1D7BC494297AD
                                          APIs
                                          • WriteFile.KERNEL32(00000000,?,?,?,00000000,00000000,false,?,039F133F,00000000,00000000), ref: 039F1751
                                          • WriteFile.KERNEL32(00000000,039F7048,00000002,?,00000000,?,?,00000000,00000000,false,?,039F133F,00000000,00000000), ref: 039F1767
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.3440368393.00000000039F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 039F0000, based on PE: true
                                          • Associated: 00000002.00000002.3440356341.00000000039F0000.00000002.00000001.01000000.00000008.sdmp
                                          • Associated: 00000002.00000002.3440380688.00000000039F6000.00000002.00000001.01000000.00000008.sdmp
                                          • Associated: 00000002.00000002.3440392347.00000000039F7000.00000004.00000001.01000000.00000008.sdmp
                                          • Associated: 00000002.00000002.3440404042.00000000039F9000.00000004.00000001.01000000.00000008.sdmp
                                          • Associated: 00000002.00000002.3440415852.00000000039FB000.00000002.00000001.01000000.00000008.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_39f0000_Au_.jbxd
                                          Similarity
                                          • API ID: FileWrite
                                          • String ID: false
                                          • API String ID: 3934441357-734881840
                                          • Opcode ID: 07ff4a68960446508fb28e860ae5b07863bee65339dc280fa738ee9ab8986601
                                          • Instruction ID: 1cf361d01a8a16872f2dd7aab871decc324104e4c8da1be6680f2044082d17be
                                          • Opcode Fuzzy Hash: 07ff4a68960446508fb28e860ae5b07863bee65339dc280fa738ee9ab8986601
                                          • Instruction Fuzzy Hash: D3F030B62582117FD324DA68EC01F5B7BE8DBC8761F204A1DB219D71D4C7B0A8048764
                                          APIs
                                          • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00423DE0,Error launching installer), ref: 00405AF9
                                          • CloseHandle.KERNEL32(?), ref: 00405B06
                                          Strings
                                          • Error launching installer, xrefs: 00405AE7
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.3439475743.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000002.00000002.3439462217.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439489435.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.0000000000410000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.0000000000423000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.0000000000427000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.000000000042C000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.0000000000431000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439589373.0000000000436000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Au_.jbxd
                                          Similarity
                                          • API ID: CloseCreateHandleProcess
                                          • String ID: Error launching installer
                                          • API String ID: 3712363035-66219284
                                          • Opcode ID: 3b66473eb4771c68d0353ea43fb647f521c8516ae3fc4b703c5bf4ba3abd35a8
                                          • Instruction ID: 1d70755ca8eb642d96ec23e61d28b209352ba4559abde40ea63553acab106949
                                          • Opcode Fuzzy Hash: 3b66473eb4771c68d0353ea43fb647f521c8516ae3fc4b703c5bf4ba3abd35a8
                                          • Instruction Fuzzy Hash: 1DE0ECB4610209ABDB10DF65ED09EAF7BBCEB00345F808435A915E2150E779E514CA68
                                          APIs
                                          • FreeLibrary.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00000000,76232EE0,00403B38,?,0040392A,00000020), ref: 00403B7B
                                          • GlobalFree.KERNEL32(005C3588), ref: 00403B82
                                          Strings
                                          • C:\Users\user\AppData\Local\Temp\, xrefs: 00403B73
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.3439475743.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000002.00000002.3439462217.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439489435.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.0000000000410000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.0000000000423000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.0000000000427000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.000000000042C000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.0000000000431000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439589373.0000000000436000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Au_.jbxd
                                          Similarity
                                          • API ID: Free$GlobalLibrary
                                          • String ID: C:\Users\user\AppData\Local\Temp\
                                          • API String ID: 1100898210-3936084776
                                          • Opcode ID: 4a26028100cf0ca1eb7320d9d5861408e20f1dc8c6947a4482afe346d8307102
                                          • Instruction ID: fc000f3235394a2863270d4c988953181e2e652df1d5c43234967270b233dd50
                                          • Opcode Fuzzy Hash: 4a26028100cf0ca1eb7320d9d5861408e20f1dc8c6947a4482afe346d8307102
                                          • Instruction Fuzzy Hash: 2BE08C3352102097C6211F45A904B5AB7BCAF45B26F06853BE884772A287742C428BCC
                                          APIs
                                          • lstrlenA.KERNEL32(80000000,C:\Users\user\AppData\Local\Temp\~nsuA.tmp,0040318C,C:\Users\user\AppData\Local\Temp\~nsuA.tmp,C:\Users\user\AppData\Local\Temp\~nsuA.tmp,C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe,C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe,80000000,00000003), ref: 00405E0D
                                          • CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\AppData\Local\Temp\~nsuA.tmp,0040318C,C:\Users\user\AppData\Local\Temp\~nsuA.tmp,C:\Users\user\AppData\Local\Temp\~nsuA.tmp,C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe,C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe,80000000,00000003), ref: 00405E1B
                                          Strings
                                          • C:\Users\user\AppData\Local\Temp\~nsuA.tmp, xrefs: 00405E07
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.3439475743.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000002.00000002.3439462217.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439489435.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.0000000000410000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.0000000000423000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.0000000000427000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.000000000042C000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.0000000000431000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439589373.0000000000436000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Au_.jbxd
                                          Similarity
                                          • API ID: CharPrevlstrlen
                                          • String ID: C:\Users\user\AppData\Local\Temp\~nsuA.tmp
                                          • API String ID: 2709904686-97582353
                                          • Opcode ID: 0e813410e8fe4af35f1e42066ab3310dcd072c640338dbde9885af6b97860c84
                                          • Instruction ID: 23fada268802dc59446a59c67ae78adf9070c91ebc4bc7db9eb0e03d7b787ba1
                                          • Opcode Fuzzy Hash: 0e813410e8fe4af35f1e42066ab3310dcd072c640338dbde9885af6b97860c84
                                          • Instruction Fuzzy Hash: A3D0A772408D701EE3036310DC04B8F6B48DF16300F0900A7F1C1AA1D0C6784D424BFD
                                          APIs
                                          • lstrlenA.KERNEL32(File: skipped: "C:\Users\user\AppData\Local\Temp\nslC943.tmp\InstallOptions.dll" (overwriteflag=1),?,?,00000000,00405D75,RMDir: RemoveDirectory("%s"),?,?,?), ref: 0040675E
                                          • wvsprintfA.USER32(00000000,File: skipped: "C:\Users\user\AppData\Local\Temp\nslC943.tmp\InstallOptions.dll" (overwriteflag=1),?), ref: 00406766
                                            • Part of subcall function 004065C8: CloseHandle.KERNEL32(FFFFFFFF,?,?,00406773,00000000), ref: 004065DE
                                          Strings
                                          • File: skipped: "C:\Users\user\AppData\Local\Temp\nslC943.tmp\InstallOptions.dll" (overwriteflag=1), xrefs: 00406747, 00406758, 0040675D
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.3439475743.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000002.00000002.3439462217.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439489435.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.0000000000410000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.0000000000423000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.0000000000427000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.000000000042C000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439503883.0000000000431000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.3439589373.0000000000436000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Au_.jbxd
                                          Similarity
                                          • API ID: CloseHandlelstrlenwvsprintf
                                          • String ID: File: skipped: "C:\Users\user\AppData\Local\Temp\nslC943.tmp\InstallOptions.dll" (overwriteflag=1)
                                          • API String ID: 3509786178-1688853826
                                          • Opcode ID: 37f07c27298e82f33cc4ea35b45c4898f6a3a97ae3bf8fd59e0fb2dd5667139f
                                          • Instruction ID: be19833288726f4bc11686dc6ee22efb9c47c58bb1c6306399fb84dec137b1c2
                                          • Opcode Fuzzy Hash: 37f07c27298e82f33cc4ea35b45c4898f6a3a97ae3bf8fd59e0fb2dd5667139f
                                          • Instruction Fuzzy Hash: 63D0A9329086203EC201A361FC09BDB2F9C9F083A0FC1407BF848E2091CBB88501C6AE
                                          APIs
                                            • Part of subcall function 004062CD: lstrcpynA.KERNEL32(?,?,00000400,00403795,LogicLinx 3.31 Uninstall,NSIS Error), ref: 004062DA
                                            • Part of subcall function 00405DC0: lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,004036D4,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,?,00403875), ref: 00405DC6
                                            • Part of subcall function 00405DC0: CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,004036D4,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,?,00403875), ref: 00405DCF
                                            • Part of subcall function 00405DC0: lstrcatA.KERNEL32(?,0040A28C), ref: 00405DE0
                                          • lstrcatA.KERNEL32(00000000,00000000,00424780,C:\Users\user\Desktop\,install.log,00403D69,C:\Users\user\Desktop\,C:\Users\user\Desktop\,1033,00421DD8,80000001,Control Panel\Desktop\ResourceLocale,00000000,00421DD8,00000000,00000003), ref: 00403C11
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.3439475743.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000002.00000002.3439462217.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                          • Associated: 00000002.00000002.3439489435.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
                                          • Associated: 00000002.00000002.3439503883.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                          • Associated: 00000002.00000002.3439503883.0000000000410000.00000004.00000001.01000000.00000004.sdmpDownload File
                                          • Associated: 00000002.00000002.3439503883.0000000000423000.00000004.00000001.01000000.00000004.sdmpDownload File
                                          • Associated: 00000002.00000002.3439503883.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
                                          • Associated: 00000002.00000002.3439503883.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                          • Associated: 00000002.00000002.3439503883.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
                                          • Associated: 00000002.00000002.3439589373.0000000000436000.00000002.00000001.01000000.00000004.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Au_.jbxd
                                          Similarity
                                          • API ID: lstrcat$CharPrevlstrcpynlstrlen
                                          • String ID: C:\Users\user\Desktop\$install.log
                                          • API String ID: 2126114531-2537383190
                                          • Opcode ID: 4b77a2e339eb68ff388b82575c8e29bbe101c667e65de6cbe57859233cde245b
                                          • Instruction ID: 573e70e16c7f3eccbdc253e2bea591d89099f51d3e6e710ae79217221ee15991
                                          • Opcode Fuzzy Hash: 4b77a2e339eb68ff388b82575c8e29bbe101c667e65de6cbe57859233cde245b
                                          • Instruction Fuzzy Hash: 27B00265BA075160D80436B32D5BF1E051C5C81B2C3F689BFB011710C259BCA065546D
                                          APIs
                                          • HeapReAlloc.KERNEL32(00000000,00000050,00000000,00000000,039F43AC,00000000,00000000,00000000,039F3095,00000000,00000000,039F221D,00000000,00000000,00000000), ref: 039F460C
                                          • HeapAlloc.KERNEL32(00000008,000041C4,00000000,00000000,039F43AC,00000000,00000000,00000000,039F3095,00000000,00000000,039F221D,00000000,00000000,00000000), ref: 039F4640
                                          • VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004), ref: 039F465A
                                          • HeapFree.KERNEL32(00000000,?), ref: 039F4671
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.3440368393.00000000039F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 039F0000, based on PE: true
                                          • Associated: 00000002.00000002.3440356341.00000000039F0000.00000002.00000001.01000000.00000008.sdmpDownload File
                                          • Associated: 00000002.00000002.3440380688.00000000039F6000.00000002.00000001.01000000.00000008.sdmpDownload File
                                          • Associated: 00000002.00000002.3440392347.00000000039F7000.00000004.00000001.01000000.00000008.sdmpDownload File
                                          • Associated: 00000002.00000002.3440404042.00000000039F9000.00000004.00000001.01000000.00000008.sdmpDownload File
                                          • Associated: 00000002.00000002.3440415852.00000000039FB000.00000002.00000001.01000000.00000008.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_39f0000_Au_.jbxd
                                          Similarity
                                          • API ID: AllocHeap$FreeVirtual
                                          • String ID:
                                          • API String ID: 3499195154-0
                                          • Opcode ID: ca85b1d7ca20f5b5500e7e91d2cbe1d7a8db1547aaea1ed18273ec41c731678f
                                          • Instruction ID: 303e8fb8aa580cb053436b4c1213025e2fb93dfb4da50c5edf98c01b3b70072d
                                          • Opcode Fuzzy Hash: ca85b1d7ca20f5b5500e7e91d2cbe1d7a8db1547aaea1ed18273ec41c731678f
                                          • Instruction Fuzzy Hash: F2113031208201AFD720EF2AEC85E267BB9FF85755725491AF662CB194D7719412CF10
                                          APIs
                                          • lstrlenA.KERNEL32(00000000,?,00000000,00000000,00406127,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405F20
                                          • lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405F39
                                          • CharNextA.USER32(00000000,?,?,00000000,000000F1,?), ref: 00405F47
                                          • lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,00406127,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405F50
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.3439475743.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000002.00000002.3439462217.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                          • Associated: 00000002.00000002.3439489435.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
                                          • Associated: 00000002.00000002.3439503883.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                          • Associated: 00000002.00000002.3439503883.0000000000410000.00000004.00000001.01000000.00000004.sdmpDownload File
                                          • Associated: 00000002.00000002.3439503883.0000000000423000.00000004.00000001.01000000.00000004.sdmpDownload File
                                          • Associated: 00000002.00000002.3439503883.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
                                          • Associated: 00000002.00000002.3439503883.000000000042C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                          • Associated: 00000002.00000002.3439503883.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
                                          • Associated: 00000002.00000002.3439589373.0000000000436000.00000002.00000001.01000000.00000004.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Au_.jbxd
                                          Similarity
                                          • API ID: lstrlen$CharNextlstrcmpi
                                          • String ID:
                                          • API String ID: 190613189-0
                                          • Opcode ID: 799b41214dee5a3a207c986fb220c019988a50b8bc6b7bac04f470c9780bf706
                                          • Instruction ID: a929261b065623d84111eb1ef98f27e3caca39442dc5c5f552f944d16b5be969
                                          • Opcode Fuzzy Hash: 799b41214dee5a3a207c986fb220c019988a50b8bc6b7bac04f470c9780bf706
                                          • Instruction Fuzzy Hash: 84F0A736209D52ABC202AB355C04A6B6B94EF86315B14047EF041F2240D73A98259BBE
                                          APIs
                                          • InitializeCriticalSection.KERNEL32(?,039F2179,?,039F19ED), ref: 039F1B4C
                                          • InitializeCriticalSection.KERNEL32 ref: 039F1B54
                                          • InitializeCriticalSection.KERNEL32 ref: 039F1B5C
                                          • InitializeCriticalSection.KERNEL32 ref: 039F1B64
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.3440368393.00000000039F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 039F0000, based on PE: true
                                          • Associated: 00000002.00000002.3440356341.00000000039F0000.00000002.00000001.01000000.00000008.sdmpDownload File
                                          • Associated: 00000002.00000002.3440380688.00000000039F6000.00000002.00000001.01000000.00000008.sdmpDownload File
                                          • Associated: 00000002.00000002.3440392347.00000000039F7000.00000004.00000001.01000000.00000008.sdmpDownload File
                                          • Associated: 00000002.00000002.3440404042.00000000039F9000.00000004.00000001.01000000.00000008.sdmpDownload File
                                          • Associated: 00000002.00000002.3440415852.00000000039FB000.00000002.00000001.01000000.00000008.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_39f0000_Au_.jbxd
                                          Similarity
                                          • API ID: CriticalInitializeSection
                                          • String ID:
                                          • API String ID: 32694325-0
                                          • Opcode ID: ec320d9b043571910ef564d7ba05400468327a5588897493f392803aef3d329b
                                          • Instruction ID: c3d7e01340a91190d97ae2e7fefba471c3e577460c5775e88bf3b81308758303
                                          • Opcode Fuzzy Hash: ec320d9b043571910ef564d7ba05400468327a5588897493f392803aef3d329b
                                          • Instruction Fuzzy Hash: D4C0E931819024AFCB113BA5FC04C553F26EF042E13090066A50C59178863158B6DF80