
Windows Analysis Report
Document_084462.scr.exe

Overview

General Information

Sample name: Document_084462.scr.exe
Analysis ID: 1567687
MD5: b4e362177a0e0836dd04831fe456255b
SHA1: de7a47519e45386fd0b0f2ff4ab6fbdb5b81716e
SHA256: 0ccf347c204f022f6cf118c653ccb248e41cfc71593217b9ed5bfc7ef13fcbc7
Tags: exe, user-TeamDreier

Detection

GuLoader
Score: 76 (range: 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected GuLoader
AI detected suspicious sample
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Sample has a suspicious name (potential lure to open the executable)
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Detected potential crypto function
Drops PE files
Found dropped PE file which has not been started or loaded
Stores files to the Windows start menu directory
Uses 32bit PE files

Classification

Process tree:
  • System is w10x64
  • Document_084462.scr.exe (PID: 7484, cmdline: "C:\Users\user\Desktop\Document_084462.scr.exe", MD5: B4E362177A0E0836DD04831FE456255B)
  • cleanup

Malware family:
  Name: CloudEyE, GuLoader
  Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
  Attribution: No Attribution
  Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye
No configs have been found
Yara matches:
  Source: 00000000.00000002.3825309518.0000000009710000.00000040.00001000.00020000.00000000.sdmp (process memory dump; the name encodes the region base 0x09710000 and its MEMORY_BASIC_INFORMATION fields: 0x40 = PAGE_EXECUTE_READWRITE, 0x1000 = MEM_COMMIT, 0x20000 = MEM_PRIVATE, i.e. a committed, private, writable and executable allocation that is not backed by a module image)
  Rule: JoeSecurity_GuLoader_2
  Description: Yara detected GuLoader
  Author: Joe Security
    No Sigma rule has matched
    No Suricata rule has matched


    AV Detection

Source: Document_084462.scr.exe; ReversingLabs: Detection: 34%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: Document_084462.scr.exe; Joe Sandbox ML: detected
Source: Document_084462.scr.exe; Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: Document_084462.scr.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\Document_084462.scr.exe; Code function: 0_2_0040674C FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\Document_084462.scr.exe; Code function: 0_2_00405B00 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\Document_084462.scr.exe; Code function: 0_2_00402902 FindFirstFileW
Source: Document_084462.scr.exe; String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: C:\Users\user\Desktop\Document_084462.scr.exe; Code function: 0_2_00405595 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,LdrInitializeThunk,SendMessageW,CreatePopupMenu,LdrInitializeThunk,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard

    System Summary

Source: initial sample; Static PE information: Filename: Document_084462.scr.exe
Source: Document_084462.scr.exe; Static file information: Suspicious name
Source: C:\Users\user\Desktop\Document_084462.scr.exe; Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\Document_084462.scr.exe; Code function: 0_2_004034A2 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,LdrInitializeThunk,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
Source: C:\Users\user\Desktop\Document_084462.scr.exe; Code function: 0_2_6E331B5F
Source: Document_084462.scr.exe; Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: classification engine; Classification label: mal76.troj.evad.winEXE@1/5@0/0 (score 76, trojan, evasive, Windows EXE; 1 process, 5 dropped files, 0 contacted domains, 0 contacted IPs)
Source: C:\Users\user\Desktop\Document_084462.scr.exe; Code function: 0_2_00404835 GetDlgItem,SetWindowTextW,LdrInitializeThunk,LdrInitializeThunk,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,LdrInitializeThunk,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW
Source: C:\Users\user\Desktop\Document_084462.scr.exe; Code function: 0_2_004021A2 LdrInitializeThunk,CoCreateInstance,LdrInitializeThunk
Source: C:\Users\user\Desktop\Document_084462.scr.exe; File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\inspires
Source: C:\Users\user\Desktop\Document_084462.scr.exe; File created: C:\Users\user\AppData\Local\Temp\nsqD1EC.tmp
Source: Document_084462.scr.exe; Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Document_084462.scr.exe; File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\Document_084462.scr.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Document_084462.scr.exe; ReversingLabs: Detection: 34%
Source: C:\Users\user\Desktop\Document_084462.scr.exe; File read: C:\Users\user\Desktop\Document_084462.scr.exe
Source: C:\Users\user\Desktop\Document_084462.scr.exe; Sections loaded: uxtheme.dll, userenv.dll, apphelp.dll, propsys.dll, dwmapi.dll, cryptbase.dll, oleacc.dll, ntmarta.dll, version.dll, shfolder.dll, kernel.appcore.dll, windows.storage.dll, wldp.dll, riched20.dll, usp10.dll, msls31.dll, textinputframework.dll, coreuicomponents.dll, coremessaging.dll, wintypes.dll (loaded three times), textshaping.dll
Source: C:\Users\user\Desktop\Document_084462.scr.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: Document_084462.scr.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

    Data Obfuscation

Source: Yara match; File source: 00000000.00000002.3825309518.0000000009710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\Document_084462.scr.exe; Code function: 0_2_6E331B5F GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW
Source: C:\Users\user\Desktop\Document_084462.scr.exe; File created (dropped file): C:\Users\user\AppData\Local\Temp\nswD393.tmp\System.dll
Source: C:\Users\user\Desktop\Document_084462.scr.exe; File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\inspires
Source: C:\Users\user\Desktop\Document_084462.scr.exe; File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\inspires\Reconsolidates.Ind
Source: C:\Users\user\Desktop\Document_084462.scr.exe; File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\inspires\Sulfoforbindelserne.chl
Source: C:\Users\user\Desktop\Document_084462.scr.exe; File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\inspires\Umpiress240.biv
Source: C:\Users\user\Desktop\Document_084462.scr.exe; File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\inspires\potmaker.sti
Source: C:\Users\user\Desktop\Document_084462.scr.exe; Process information set: NOOPENFILEERRORBOX
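The file-creation events above show the two drop locations worth alerting on: an NSIS plugin (System.dll, the plugin that NSIS's System::Call uses to invoke arbitrary Win32 APIs) unpacked into a %TEMP%\ns????.tmp\ directory, and non-shortcut data files written under the user's Start Menu folder. The following is an added example of detection logic over such events; it is not Joe Sandbox code and not code recovered from the sample. The event tuples are constructed from the paths in this report, the (image, target) shape is an assumed log format, and the rule names and the two-rule escalation policy are the example's own.

```python
"""Triage rules for the file-drop pattern reported above (added example)."""
from __future__ import annotations

import re
from collections import defaultdict

# Constructed sample events: (process image that created the file, created file path).
SAMPLE_EVENTS = [
    (r"C:\Users\user\Desktop\Document_084462.scr.exe",
     r"C:\Users\user\AppData\Local\Temp\nswD393.tmp\System.dll"),
    (r"C:\Users\user\Desktop\Document_084462.scr.exe",
     r"C:\Users\user\AppData\Local\Temp\nsqD1EC.tmp"),
    (r"C:\Users\user\Desktop\Document_084462.scr.exe",
     r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\inspires\Reconsolidates.Ind"),
    (r"C:\Users\user\Desktop\Document_084462.scr.exe",
     r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\inspires\potmaker.sti"),
    # Benign control: Explorer writing a shortcut into the Start Menu.
    (r"C:\Windows\explorer.exe",
     r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Notepad.lnk"),
]

# NSIS unpacks plugin DLLs into %TEMP%\ns<letter><4 hex>.tmp\ before loading them.
NSIS_PLUGIN_DROP = re.compile(
    r"\\AppData\\Local\\Temp\\ns[a-z][0-9a-f]{4}\.tmp\\[^\\]+\.dll$", re.I)
START_MENU_DIR = re.compile(r"\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\", re.I)
# Lure naming: a document-looking stem ending in .scr/.pif/.com, optionally with .exe appended.
LURE_NAME = re.compile(r"[\\/][^\\/]*\.(?:scr|pif|com)(?:\.exe)?$", re.I)


def triage_event(image: str, target: str) -> set[str]:
    """Return the names of the rules that fire for one file-creation event."""
    hits: set[str] = set()
    if NSIS_PLUGIN_DROP.search(target):
        hits.add("nsis_plugin_dropped_to_temp")
    if START_MENU_DIR.search(target) and not target.lower().endswith(".lnk"):
        # The Start Menu tree normally holds .lnk shortcuts; other files there are a drop location.
        hits.add("non_shortcut_written_to_start_menu")
    if LURE_NAME.search(image):
        hits.add("lure_extension_on_creating_process")
    return hits


def triage(events) -> dict[str, set[str]]:
    """Aggregate rule hits per creating process; processes with no hits are omitted."""
    summary: dict[str, set[str]] = defaultdict(set)
    for image, target in events:
        summary[image] |= triage_event(image, target)
    return {image: hits for image, hits in summary.items() if hits}


def verdict(hits: set[str]) -> str:
    """Assumed policy: escalate only when at least two independent rules fire."""
    return "review" if len(hits) >= 2 else "info"


if __name__ == "__main__":
    for image, hits in triage(SAMPLE_EVENTS).items():
        print(f"{verdict(hits):6} {image}: {', '.join(sorted(hits))}")
```

Each rule is weak on its own (legitimate NSIS installers drop System.dll too, and the lure check is only a filename heuristic), which is why the verdict requires more than one to fire from the same process; in this report all three do.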

    Malware Analysis System Evasion

Source: C:\Users\user\Desktop\Document_084462.scr.exe; RDTSC instruction interceptor: first address 0x0991B71B, second address 0x0991B71B; instructions:
    0x00  rdtsc
    0x02  cmp ebx, ecx
    0x04  jc 00007F781D3A59B8h
    0x06  test bl, dl
    0x08  inc ebp
    0x09  inc ebx
    0x0a  rdtsc
Source: C:\Users\user\Desktop\Document_084462.scr.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nswD393.tmp\System.dll
Source: C:\Users\user\Desktop\Document_084462.scr.exe; Code function: 0_2_0040674C FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\Document_084462.scr.exe; Code function: 0_2_00405B00 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\Document_084462.scr.exe; Code function: 0_2_00402902 FindFirstFileW
Source: C:\Users\user\Desktop\Document_084462.scr.exe; API call chain: ExitProcess graph end node (graph_0-4553)
Source: C:\Users\user\Desktop\Document_084462.scr.exe; API call chain: ExitProcess graph end node (graph_0-4401)
Source: C:\Users\user\Desktop\Document_084462.scr.exe; Code function: 0_2_00405456 GetTickCount,lstrlenW,lstrlenW,lstrcatW,SetWindowTextW,SendMessageW,SendMessageW,LdrInitializeThunk,SendMessageW,SendMessageW
Source: C:\Users\user\Desktop\Document_084462.scr.exe; Code function: 0_2_6E331B5F GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW
Source: C:\Users\user\Desktop\Document_084462.scr.exe; Code function: 0_2_004034A2 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,LdrInitializeThunk,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
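The intercepted snippet above brackets a few plain instructions between two rdtsc reads, which is the classic probe for single-stepping, instruction emulation or a hypervisor that traps rdtsc: on bare metal the delta is a few dozen cycles, under instrumentation it is orders of magnitude larger. The block below is an added example of that probe written from scratch for illustration; it is not code recovered from the sample, and the threshold, the probe sizes and the POSIX clock fallback for non-x86 hosts are the example's own assumptions.

```c
/* Added example: an rdtsc timing probe of the kind the interceptor line above
 * reports. Written for illustration; not code recovered from the sample. */
#define _POSIX_C_SOURCE 199309L
#include <stdint.h>
#include <stdio.h>
#include <time.h>

/* Cycle counter: rdtsc on x86; a monotonic nanosecond clock elsewhere so the
 * example still builds (assumption: a POSIX host for the fallback path). */
static uint64_t read_counter(void)
{
#if defined(__x86_64__) || defined(__i386__)
    uint32_t lo, hi;
    __asm__ __volatile__("rdtsc" : "=a"(lo), "=d"(hi));
    return ((uint64_t)hi << 32) | lo;
#else
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000000000ULL + (uint64_t)ts.tv_nsec;
#endif
}

/* One probe: counter before and after a short run of plain instructions, the
 * same shape as the rdtsc ... cmp/jc/test/inc ... rdtsc pair in the snippet. */
uint64_t probe_delta(unsigned work)
{
    volatile uint32_t acc = 0;
    uint64_t start = read_counter();
    for (unsigned i = 0; i < work; i++)
        acc += i ^ (acc >> 3);
    uint64_t end = read_counter();
    return end - start;
}

/* Minimum over several probes: a single large delta is just a context switch or
 * an interrupt, but a floor that stays high means every instruction is trapped. */
uint64_t min_probe_delta(unsigned samples, unsigned work)
{
    uint64_t best = UINT64_MAX;
    for (unsigned i = 0; i < samples; i++) {
        uint64_t d = probe_delta(work);
        if (d < best)
            best = d;
    }
    return best;
}

/* Decision kept separate from measurement so the policy itself is testable. */
int looks_instrumented(uint64_t min_delta, uint64_t threshold)
{
    return min_delta > threshold;
}

int main(void)
{
    /* Assumption: 20000 is far above the bare-metal cost of 256 iterations. */
    const uint64_t threshold = 20000;
    uint64_t d = min_probe_delta(8, 256);
    printf("min delta over 8 probes: %llu -> %s\n", (unsigned long long)d,
           looks_instrumented(d, threshold) ? "instrumented" : "native");
    return 0;
}
```

For the analyst this cuts both ways: a sandbox that single-steps or traps rdtsc (VMX "RDTSC exiting") inflates exactly the quantity being measured, so the counter-measure is to keep rdtsc unintercepted or to compensate with TSC offsetting, and to emulate the instruction only when the sample's own loop count makes the deviation invisible.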
MITRE ATT&CK matrix (techniques matched by the signatures above; the number in parentheses is the count of matching signatures. Techniques shown in the original matrix without a count are unmatched template cells and are omitted here):

Execution: Native API (1)
Persistence: DLL Side-Loading (1); Registry Run Keys / Startup Folder (1)
Privilege Escalation: Access Token Manipulation (1); DLL Side-Loading (1); Registry Run Keys / Startup Folder (1)
Defense Evasion: Masquerading (1); Access Token Manipulation (1); DLL Side-Loading (1)
Discovery: Security Software Discovery (1); File and Directory Discovery (2); System Information Discovery (13)
Collection: Archive Collected Data (1); Clipboard Data (1)
Command and Control: Encrypted Channel (1)
Impact: System Shutdown/Reboot (1)


Antivirus detection, submitted sample:
  Document_084462.scr.exe: 34% (ReversingLabs, Win32.Trojan.Guloader)
  Document_084462.scr.exe: 100% (Joe Sandbox ML)
Antivirus detection, dropped files:
  C:\Users\user\AppData\Local\Temp\nswD393.tmp\System.dll: 0% (ReversingLabs)
No Antivirus matches in the remaining tables
No contacted domains info
URLs:
  http://nsis.sf.net/NSIS_Error (source: Document_084462.scr.exe); Malicious: false; Reputation: high
No contacted IP infos
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1567687
Start date and time: 2024-12-03 18:43:13 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 31s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 8
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Document_084462.scr.exe
Detection: MAL
Classification: mal76.troj.evad.winEXE@1/5@0/0
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 98%
• Number of executed functions: 39
• Number of non-executed functions: 34
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240s for sample files taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, backgroundTaskHost.exe
• Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• VT rate limit hit for: Document_084462.scr.exe
No simulations
No context
Dropped-file context: C:\Users\user\AppData\Local\Temp\nswD393.tmp\System.dll was also dropped by these earlier submissions (detection: malicious in every case; SHA-256 and full report via the linked analysis):
  PO.exe: GuLoader
  PO.exe: GuLoader
  yuc1Jwlkh5.exe: GuLoader
  yuc1Jwlkh5.exe: GuLoader
  IMAGE000Pdf.exe: GuLoader
  stormskridtets.exe: FormBook, GuLoader
  IMAGE000Pdf.exe: FormBook, GuLoader
  orders_PI 008-01.exe: Remcos, GuLoader
  RemotePCViewer.exe: Unknown
  8737738_19082024.vbs: FormBook, GuLoader
Dropped file (PE32 DLL; this block corresponds to the nswD393.tmp\System.dll entries above):
Process: C:\Users\user\Desktop\Document_084462.scr.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 12288
Entropy (8bit): 5.737556724687435
Encrypted: false
SSDEEP: 192:MenY0qWTlt70IAj/lQ0sEWc/wtYbBH2aDybC7y+XBaIwL:M8+Qlt70Fj/lQRY/9VjjgL
MD5: 6E55A6E7C3FDBD244042EB15CB1EC739
SHA1: 070EA80E2192ABC42F358D47B276990B5FA285A9
SHA-256: ACF90AB6F4EDC687E94AAF604D05E16E6CFB5E35873783B50C66F307A35C6506
SHA-512: 2D504B74DA38EDC967E3859733A2A9CACD885DB82F0CA69BFB66872E882707314C54238344D45945DC98BAE85772ACEEF71A741787922D640627D3C8AE8F1C35
Malicious: false
Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View: the same file was seen in the ten earlier submissions listed above (PO.exe, yuc1Jwlkh5.exe, IMAGE000Pdf.exe, stormskridtets.exe, orders_PI 008-01.exe, RemotePCViewer.exe, 8737738_19082024.vbs), each detected as malicious
Reputation: moderate, very likely benign file
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......qr*.5.D.5.D.5.D...J.2.D.5.E.!.D.....2.D.a0t.1.D.V1n.4.D..3@.4.D.Rich5.D.........PE..L...X..`...........!....."...........).......@...............................p............@..........................B.......@..P............................`.......................................................@..X............................text...O .......".................. ..`.rdata..c....@.......&..............@..@.data...x....P.......*..............@....reloc.......`.......,..............@..B................................................................................................................................................................................................................................................................................................................................................................................................
Dropped file (data):
Process: C:\Users\user\Desktop\Document_084462.scr.exe
File Type: data
Category: dropped
Size (bytes): 304925
Entropy (8bit): 7.634681653349571
Encrypted: false
SSDEEP: 6144:xIzwYKF20lQ11epuJK247DJXcttrow2pc7pIiZrFP0B:xIzw0mj5t7q3sw2pc7eiZrFM
MD5: 441D2CEA6B12B330064FADB3BAAC31E4
SHA1: 3FAD8D74BFFB31012A1B22C682388D4DBA848040
SHA-256: F10E813A698E1536AE7BFCDEC3479AD699D464378E786BB53B3566E3FDF13A76
SHA-512: 8B84C3FACBE9DC9C8821F00E896A920B6F8359A9C10A170456E94A6CE749C7184DBC0772C9553813BCD91EB72FE0046CC68D8194698ECA4A20A4F33011C27920
Malicious: false
Reputation: low
                          Preview:............(..............--......LL............dd......?.$.)...............S....6..)..MMM.[[.............$....6............)...............................b..Y....T.^^^...........L......................(....&............./.........j..............-..++.XXXX.....O..........................F...........................................#####....1..........5555.zz......22......QQ.......HH....EEEEEE......h.......eeeee..........0...{..PP.......:.{{.z..0..w.v..cccc.PP............................................................F.;;.......YYY.........1....77.......xxxxxx.........pp.jj.....""""...............c.``````.mmmmmmmm...............W.......................KK..................<......3.........t........55...............88..........xx.......................=...m............e....."....H...ooo...........U...............====..M....j..............6......K....................____.RRR..............................33333........eee..m.........---.............h........=.X.....G.[.....................
Dropped file (data):
Process: C:\Users\user\Desktop\Document_084462.scr.exe
File Type: data
Category: dropped
Size (bytes): 116773
Entropy (8bit): 1.2617404262864118
Encrypted: false
SSDEEP: 768:4yTqkjNz46YyMqMTGZGi7vk59sktCQ3am6ZRN8rOFlS70dhEr:0avCLJ
MD5: 753C4F9B2F84095556E2C65E2569D814
SHA1: 3F878C44B311B8C34B2A6E09F49324D42FAD1437
SHA-256: E6DCE06287ACEBCFB23DA58EAC6AAA36E253BADB493125F47E801B99C4E48B25
SHA-512: 8C19F357F4A59D5CB493F418C82B0D06ECED25EC9D05E9B1CFF943A6A79232DC6B2EBC3552B0BFBA76018A7FCEFE8A0410ADEE739151640F149884A4FC3DF651
Malicious: false
Reputation: low
                          Preview:..................................................V...................Y..Y................................................................................................................M.......................................................................................*.......................`...............................................A................D....D....................................................."................................................l.............\.....%....:......*.......................................................................................c.....M........?......................5........G...................................................U.........................................................................5.8...s................[.....m.....{...........................)$..................................................lm.....................................................}................................................................
Dropped file (data):
Process: C:\Users\user\Desktop\Document_084462.scr.exe
File Type: data
Category: dropped
Size (bytes): 222131
Entropy (8bit): 1.2548431305039245
Encrypted: false
SSDEEP: 768:I2mmH3AhfHp+POGgRSRFZHl2bxYLbBjJ4tFGZjDyYqIx3x9+6yiKk+vlK5u5DF+G:UoNwkuoHtyiKJlQVD
MD5: C018B5D87F38B0DBA90AFE75F72B6798
SHA1: 9B43AE84826B712BB8152D70D2D7B929DB5CE3E2
SHA-256: 323B7D5F0C7A4F9FA87D8F6DD9A18E81F4284C31DA4FDD5FFE7022501445FD1C
SHA-512: D4D6A99EBA1F594BA4052F4C83C93946749EE7524D5765CFD67C0CD34BBA3F1ABBDEA259EBE155A3767898AAE806E29E42BE6539C4A2DC067730EC6D9655ECD5
Malicious: false
Reputation: low
                          Preview:.....................................%..................................................................................................................L....B..............................I...........]...........i.........A............\............................................................................................................................................................................................&..............s............................................................................(........].........................................................................,..............]...............F..............G....+..............................................F..............9...........,........i.............................................................................................h...k........................Y......k..........................................................U..........R..................................C...........e..................
Dropped file (data):
Process: C:\Users\user\Desktop\Document_084462.scr.exe
File Type: data
Category: dropped
Size (bytes): 477418
Entropy (8bit): 1.2516735777117096
Encrypted: false
SSDEEP: 1536:BugSY71rrh1lxz0ZSyCjm0eydI6Vl73+ByRgN:F7Zrh4SvQy3SBGgN
MD5: B86B0A4CFA46775BAEEE023CCECA54E1
SHA1: 16BABC347EBFC80762D73A12FF39E5ADE55EC7DB
SHA-256: 7B1E45A0398C8428C6CF476DAE264102A842FACC20930B57688960046FF087F6
SHA-512: 42787A7037E7D117D82AF3580306C7C10854B279CEC0B38956217B4E04222B34EAC50763B0DB850454DC0AA43B5238297D39FC8E5A681C805966E0BCCD4E7C0D
Malicious: false
Reputation: low
                          Preview:.................................E..............................................................................................................................F......................................./..............#...........n...t..>..........]...............".................|................................4...........s...z......................................................................................U......................................................................J...............................................................j......................-......."...._..............;.............X........................3.H....................................P........#...............L.....................................,......................................R........&..............................................................................................................`<.....f......E..al.....................S..........................................V..............
Static File Information

File type: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit): 7.959977071883598
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: Document_084462.scr.exe
File size: 456,022 bytes
MD5: b4e362177a0e0836dd04831fe456255b
SHA1: de7a47519e45386fd0b0f2ff4ab6fbdb5b81716e
SHA256: 0ccf347c204f022f6cf118c653ccb248e41cfc71593217b9ed5bfc7ef13fcbc7
SHA512: fd3cb279c3211260afaffd7e1976231456fbd00cbec0bab95204740b64fc499d059688d609495bd6a87cd8df3fab9f9c8ddcf13c67b83e1ea38414080e8dc749
SSDEEP: 6144:B3hqLBhFuob3eN4CXo9l4z97QqPwTvOw+7P+cf1rr6USu1DG1FM1MYNTXW:B3UXhb0WlO97QqP0Odmcf1KUS0zT
TLSH: 98A423C55140333BC9A61F34A4393715EFACCD213814A35B9B54FB4C667B682AB4A7A3
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........!`G.@...@...@../OQ..@...@..I@../OS..@...c>..@..+F...@..Rich.@..........................PE..L......`.................f....:....
Icon Hash: 3d2e0f95332b3399
Entrypoint: 0x4034a2
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x60FC90D1 [Sat Jul 24 22:14:41 2021 UTC]
TLS Callbacks: (none)
CLR (.Net) Version: (none)
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: 6e7f9a29f2c85394521a08b9f31f6275
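Two of the header fields above deserve a second look together: the image asks for ASLR (DYNAMIC_BASE) but has its relocations stripped (RELOCS_STRIPPED), so the loader has no fixup data and the image always lands at Imagebase 0x400000 with the entry point at 0x4034a2, exactly as the report lists them. The following is an added example, not Joe Sandbox code, that parses enough of a PE header to reproduce these fields and flags that inconsistency; the header bytes are constructed from the values in this report (the real sample's bytes are not reproduced here), and the flag tables are the documented IMAGE_FILE_* and IMAGE_DLLCHARACTERISTICS_* constants.

```python
"""Decode the PE header fields quoted above and check their consistency (added example)."""
import struct
from datetime import datetime, timezone

IMAGE_FILE_CHARACTERISTICS = {
    0x0001: "RELOCS_STRIPPED", 0x0002: "EXECUTABLE_IMAGE", 0x0004: "LINE_NUMS_STRIPPED",
    0x0008: "LOCAL_SYMS_STRIPPED", 0x0020: "LARGE_ADDRESS_AWARE", 0x0100: "32BIT_MACHINE",
    0x0200: "DEBUG_STRIPPED", 0x2000: "DLL",
}
IMAGE_DLLCHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x0200: "NO_ISOLATION", 0x0400: "NO_SEH", 0x0800: "NO_BIND",
    0x1000: "APPCONTAINER", 0x4000: "GUARD_CF", 0x8000: "TERMINAL_SERVER_AWARE",
}


def build_pe32_header(characteristics, dll_characteristics, timestamp, entry_rva, image_base):
    """Constructed minimal PE32 header: DOS header, PE signature, COFF header, optional header."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                      # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x014C, 1, timestamp, 0, 0, 96, characteristics)
    opt = bytearray(96)
    struct.pack_into("<H", opt, 0, 0x10B)                      # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)                 # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, image_base)                # ImageBase
    struct.pack_into("<HH", opt, 40, 4, 0)                     # OS version 4.0
    struct.pack_into("<HH", opt, 48, 4, 0)                     # subsystem version 4.0
    struct.pack_into("<H", opt, 68, 2)                         # IMAGE_SUBSYSTEM_WINDOWS_GUI
    struct.pack_into("<H", opt, 70, dll_characteristics)       # DllCharacteristics
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def _flags(value, table):
    return [name for bit, name in sorted(table.items()) if value & bit]


def parse_pe_header(data: bytes) -> dict:
    """Parse just enough of a PE image to reproduce the fields the report shows."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    machine, _nsect, ts, _, _, _opt_size, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    if magic == 0x10B:                                         # PE32
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:                                       # PE32+ (no BaseOfData, 8-byte ImageBase)
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    return {
        "machine": machine,
        "timestamp": datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC"),
        "characteristics": _flags(chars, IMAGE_FILE_CHARACTERISTICS),
        "dll_characteristics": _flags(dll_chars, IMAGE_DLLCHARACTERISTICS),
        "image_base": image_base,
        "entrypoint": image_base + entry_rva,
    }


def aslr_effective(info: dict) -> bool:
    """DYNAMIC_BASE only requests a random base; with RELOCS_STRIPPED there is no
    relocation data, so the loader cannot move the image and it stays at ImageBase."""
    return ("DYNAMIC_BASE" in info["dll_characteristics"]
            and "RELOCS_STRIPPED" not in info["characteristics"])


# Field values taken from the report above; the surrounding header bytes are constructed.
SAMPLE_HEADER = build_pe32_header(0x010F, 0x8540, 0x60FC90D1, 0x34A2, 0x400000)

if __name__ == "__main__":
    info = parse_pe_header(SAMPLE_HEADER)
    for key, value in info.items():
        print(f"{key}: {hex(value) if isinstance(value, int) else value}")
    print("ASLR effective:", aslr_effective(info))
```

The practical consequence for triage is that the NSIS stub's code and data sit at fixed addresses on every host, so hardcoded addresses such as 0x4034a2 below are stable indicators for this stub, while the GuLoader stage proper lives in the separately allocated RWX region that the Yara hit points at.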
Entrypoint instructions (0x4034a2):
                          sub esp, 000002D4h
                          push ebx
                          push esi
                          push edi
                          push 00000020h
                          pop edi
                          xor ebx, ebx
                          push 00008001h
                          mov dword ptr [esp+14h], ebx
                          mov dword ptr [esp+10h], 0040A2E0h
                          mov dword ptr [esp+1Ch], ebx
                          call dword ptr [004080CCh]
                          call dword ptr [004080D0h]
                          and eax, BFFFFFFFh
                          cmp ax, 00000006h
                          mov dword ptr [007A8A6Ch], eax
                          je 00007F781D1965A3h
                          push ebx
                          call 00007F781D199891h
                          cmp eax, ebx
                          je 00007F781D196599h
                          push 00000C00h
                          call eax
                          mov esi, 004082B0h
                          push esi
                          call 00007F781D19980Bh
                          push esi
                          call dword ptr [00408154h]
                          lea esi, dword ptr [esi+eax+01h]
                          cmp byte ptr [esi], 00000000h
                          jne 00007F781D19657Ch
                          push 0000000Bh
                          call 00007F781D199864h
                          push 00000009h
                          call 00007F781D19985Dh
                          push 00000007h
                          mov dword ptr [007A8A64h], eax
                          call 00007F781D199851h
                          cmp eax, ebx
                          je 00007F781D1965A1h
                          push 0000001Eh
                          call eax
                          test eax, eax
                          je 00007F781D196599h
                          or byte ptr [007A8A6Fh], 00000040h
                          push ebp
                          call dword ptr [00408038h]
                          push ebx
                          call dword ptr [00408298h]
                          mov dword ptr [007A8B38h], eax
                          push ebx
                          lea eax, dword ptr [esp+34h]
                          push 000002B4h
                          push eax
                          push ebx
                          push 0079FF08h
                          call dword ptr [0040818Ch]
                          push 0040A2C8h
                          Programming Language:
                          • [EXP] VC++ 6.0 SP5 build 8804
                          Name | Virtual Address | Virtual Size | Is in Section
                          IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8504 | 0xa0 | .rdata
                          IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x3c7000 | 0xb48 | .rsrc
                          IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x2b0 | .rdata
                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                          Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                          .text | 0x1000 | 0x656c | 0x6600 | 12117ad2476c7a7912407af0dcfcb8a7 | False | 0.6737515318627451 | data | 6.47208759712619 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                          .rdata | 0x8000 | 0x1398 | 0x1400 | e3e8d62e1d2308b175349eb9daa266c8 | False | 0.4494140625 | data | 5.137750894959169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                          .data | 0xa000 | 0x39eb78 | 0x600 | 2020ca26e010546720fd467c5d087b57 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                          .ndata | 0x3a9000 | 0x1e000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                          .rsrc | 0x3c7000 | 0xb48 | 0xc00 | 13d9a87cc14830e1f01c641a62386bbe | False | 0.4215494791666667 | data | 4.357284806500026 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                          Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                          RT_ICON | 0x3c71c0 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | English | United States | 0.42473118279569894
                          RT_DIALOG | 0x3c74a8 | 0x100 | data | English | United States | 0.5234375
                          RT_DIALOG | 0x3c75a8 | 0x11c | data | English | United States | 0.6056338028169014
                          RT_DIALOG | 0x3c76c8 | 0xc4 | data | English | United States | 0.5918367346938775
                          RT_DIALOG | 0x3c7790 | 0x60 | data | English | United States | 0.7291666666666666
                          RT_GROUP_ICON | 0x3c77f0 | 0x14 | data | English | United States | 1.2
                          RT_MANIFEST | 0x3c7808 | 0x33e | XML 1.0 document, ASCII text, with very long lines (830), with no line terminators | English | United States | 0.5542168674698795
                          DLL | Imports
                          ADVAPI32.dll | RegCreateKeyExW, RegEnumKeyW, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, SetFileSecurityW, RegOpenKeyExW, RegEnumValueW
                          SHELL32.dll | SHGetSpecialFolderLocation, SHFileOperationW, SHBrowseForFolderW, SHGetPathFromIDListW, ShellExecuteExW, SHGetFileInfoW
                          ole32.dll | OleInitialize, OleUninitialize, CoCreateInstance, IIDFromString, CoTaskMemFree
                          COMCTL32.dll | ImageList_Create, ImageList_Destroy, ImageList_AddMasked
                          USER32.dll | GetClientRect, EndPaint, DrawTextW, IsWindowEnabled, DispatchMessageW, wsprintfA, CharNextA, CharPrevW, MessageBoxIndirectW, GetDlgItemTextW, SetDlgItemTextW, GetSystemMetrics, FillRect, AppendMenuW, TrackPopupMenu, OpenClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcW, GetMessagePos, CheckDlgButton, LoadCursorW, SetCursor, GetWindowLongW, GetSysColor, SetWindowPos, PeekMessageW, SetClassLongW, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, EmptyClipboard, CreatePopupMenu
                          GDI32.dll | SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectW, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
                          KERNEL32.dll | GetExitCodeProcess, WaitForSingleObject, GetModuleHandleA, GetProcAddress, GetSystemDirectoryW, lstrcatW, Sleep, lstrcpyA, WriteFile, GetTempFileNameW, CreateFileW, lstrcmpiA, RemoveDirectoryW, CreateProcessW, CreateDirectoryW, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceW, WideCharToMultiByte, lstrcpynW, lstrlenW, SetErrorMode, GetVersion, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, SetEnvironmentVariableW, ExitProcess, CopyFileW, GetCurrentProcess, GetModuleFileNameW, GetFileSize, GetTickCount, MulDiv, SetFileAttributesW, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalFree, GlobalAlloc, GetModuleHandleW, LoadLibraryExW, MoveFileExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, MultiByteToWideChar, ReadFile, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW
                          Language of compilation system | Country where language is spoken
                          English | United States
                          No network behavior found


                          Target ID:0
                          Start time:12:44:18
                          Start date:03/12/2024
                          Path:C:\Users\user\Desktop\Document_084462.scr.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Users\user\Desktop\Document_084462.scr.exe"
                          Imagebase:0x400000
                          File size:456'022 bytes
                          MD5 hash:B4E362177A0E0836DD04831FE456255B
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.3825309518.0000000009710000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                          Reputation:low
                          Has exited:false


                            Execution Graph

                            Execution Coverage:18.1%
                            Dynamic/Decrypted Code Coverage:13.6%
                            Signature Coverage:16.5%
                            Total number of Nodes:1579
                            Total number of Limit Nodes:31
                            execution_graph 4105 401941 4106 401943 4105->4106 4111 402d3e 4106->4111 4112 402d4a 4111->4112 4156 40642b 4112->4156 4115 401948 4117 405b00 4115->4117 4198 405dcb 4117->4198 4120 405b28 DeleteFileW 4127 401951 4120->4127 4121 405b3f 4122 405c6a 4121->4122 4212 4063ee lstrcpynW 4121->4212 4122->4127 4241 40674c FindFirstFileW 4122->4241 4124 405b65 4125 405b78 4124->4125 4126 405b6b lstrcatW 4124->4126 4213 405d0f lstrlenW 4125->4213 4128 405b7e 4126->4128 4131 405b8e lstrcatW 4128->4131 4133 405b99 lstrlenW FindFirstFileW 4128->4133 4131->4133 4135 405c5f 4133->4135 4154 405bbb 4133->4154 4134 405c88 4244 405cc3 lstrlenW CharPrevW 4134->4244 4135->4122 4138 405c42 FindNextFileW 4142 405c58 FindClose 4138->4142 4138->4154 4139 405ab8 5 API calls 4141 405c9a 4139->4141 4143 405cb4 4141->4143 4144 405c9e 4141->4144 4142->4135 4146 405456 24 API calls 4143->4146 4144->4127 4148 405456 24 API calls 4144->4148 4146->4127 4147 405b00 60 API calls 4147->4154 4149 405cab 4148->4149 4150 4061b4 36 API calls 4149->4150 4152 405cb2 4150->4152 4151 405456 24 API calls 4151->4138 4152->4127 4154->4138 4154->4147 4154->4151 4217 4063ee lstrcpynW 4154->4217 4218 405ab8 4154->4218 4226 405456 4154->4226 4237 4061b4 MoveFileExW 4154->4237 4168 406438 4156->4168 4157 406683 4158 402d6b 4157->4158 4189 4063ee lstrcpynW 4157->4189 4158->4115 4173 40669d 4158->4173 4160 406651 lstrlenW 4160->4168 4163 40642b 10 API calls 4163->4160 4164 406566 GetSystemDirectoryW 4164->4168 4166 406579 GetWindowsDirectoryW 4166->4168 4167 40669d 5 API calls 4167->4168 4168->4157 4168->4160 4168->4163 4168->4164 4168->4166 4168->4167 4169 4065ad SHGetSpecialFolderLocation 4168->4169 4170 40642b 10 API calls 4168->4170 4171 4065f4 lstrcatW 4168->4171 4182 4062bc 4168->4182 4187 406335 wsprintfW 4168->4187 4188 4063ee lstrcpynW 4168->4188 4169->4168 4172 4065c5 SHGetPathFromIDListW CoTaskMemFree 4169->4172 4170->4168 4171->4168 4172->4168 4180 4066aa 4173->4180 4174 406720 
4175 406725 CharPrevW 4174->4175 4177 406746 4174->4177 4175->4174 4176 406713 CharNextW 4176->4174 4176->4180 4177->4115 4179 4066ff CharNextW 4179->4180 4180->4174 4180->4176 4180->4179 4181 40670e CharNextW 4180->4181 4194 405cf0 4180->4194 4181->4176 4190 40625b 4182->4190 4185 4062f0 RegQueryValueExW RegCloseKey 4186 406320 4185->4186 4186->4168 4187->4168 4188->4168 4189->4158 4191 40626a 4190->4191 4192 406273 RegOpenKeyExW 4191->4192 4193 40626e 4191->4193 4192->4193 4193->4185 4193->4186 4195 405cf6 4194->4195 4196 405d0c 4195->4196 4197 405cfd CharNextW 4195->4197 4196->4180 4197->4195 4247 4063ee lstrcpynW 4198->4247 4200 405ddc 4248 405d6e CharNextW CharNextW 4200->4248 4203 405b20 4203->4120 4203->4121 4204 40669d 5 API calls 4210 405df2 4204->4210 4205 405e23 lstrlenW 4206 405e2e 4205->4206 4205->4210 4208 405cc3 3 API calls 4206->4208 4207 40674c 2 API calls 4207->4210 4209 405e33 GetFileAttributesW 4208->4209 4209->4203 4210->4203 4210->4205 4210->4207 4211 405d0f 2 API calls 4210->4211 4211->4205 4212->4124 4214 405d1d 4213->4214 4215 405d23 CharPrevW 4214->4215 4216 405d2f 4214->4216 4215->4214 4215->4216 4216->4128 4217->4154 4254 405ebf GetFileAttributesW 4218->4254 4221 405ad3 RemoveDirectoryW 4224 405ae1 4221->4224 4222 405adb DeleteFileW 4222->4224 4223 405ae5 4223->4154 4224->4223 4225 405af1 SetFileAttributesW 4224->4225 4225->4223 4227 405471 4226->4227 4228 405513 4226->4228 4229 40548d lstrlenW 4227->4229 4232 40642b 17 API calls 4227->4232 4228->4154 4230 4054b6 4229->4230 4231 40549b lstrlenW 4229->4231 4234 4054c9 4230->4234 4235 4054bc SetWindowTextW 4230->4235 4231->4228 4233 4054ad lstrcatW 4231->4233 4232->4229 4233->4230 4234->4228 4236 4054cf SendMessageW SendMessageW SendMessageW 4234->4236 4235->4234 4236->4228 4238 4061c8 4237->4238 4240 4061d5 4237->4240 4257 40603a 4238->4257 4240->4154 4242 406762 FindClose 4241->4242 4243 405c84 4241->4243 4242->4243 4243->4127 4243->4134 4245 405c8e 4244->4245 4246 405cdf lstrcatW 
4244->4246 4245->4139 4246->4245 4247->4200 4249 405d8b 4248->4249 4250 405d9d 4248->4250 4249->4250 4251 405d98 CharNextW 4249->4251 4252 405cf0 CharNextW 4250->4252 4253 405dc1 4250->4253 4251->4253 4252->4250 4253->4203 4253->4204 4255 405ed1 SetFileAttributesW 4254->4255 4256 405ac4 4254->4256 4255->4256 4256->4221 4256->4222 4256->4223 4258 406090 GetShortPathNameW 4257->4258 4259 40606a 4257->4259 4260 4060a5 4258->4260 4261 4061af 4258->4261 4284 405ee4 GetFileAttributesW CreateFileW 4259->4284 4260->4261 4263 4060ad wsprintfA 4260->4263 4261->4240 4266 40642b 17 API calls 4263->4266 4264 406074 CloseHandle GetShortPathNameW 4264->4261 4265 406088 4264->4265 4265->4258 4265->4261 4267 4060d5 4266->4267 4285 405ee4 GetFileAttributesW CreateFileW 4267->4285 4269 4060e2 4269->4261 4270 4060f1 GetFileSize GlobalAlloc 4269->4270 4271 406113 4270->4271 4272 4061a8 CloseHandle 4270->4272 4286 405f67 ReadFile 4271->4286 4272->4261 4277 406132 lstrcpyA 4280 406154 4277->4280 4278 406146 4279 405e49 4 API calls 4278->4279 4279->4280 4281 40618b SetFilePointer 4280->4281 4293 405f96 WriteFile 4281->4293 4284->4264 4285->4269 4287 405f85 4286->4287 4287->4272 4288 405e49 lstrlenA 4287->4288 4289 405e8a lstrlenA 4288->4289 4290 405e92 4289->4290 4291 405e63 lstrcmpiA 4289->4291 4290->4277 4290->4278 4291->4290 4292 405e81 CharNextA 4291->4292 4292->4289 4294 405fb4 GlobalFree 4293->4294 4294->4272 4295 4015c1 4296 402d3e 17 API calls 4295->4296 4297 4015c8 4296->4297 4298 405d6e 4 API calls 4297->4298 4310 4015d1 4298->4310 4299 401631 4301 401663 4299->4301 4302 401636 4299->4302 4300 405cf0 CharNextW 4300->4310 4304 401423 24 API calls 4301->4304 4322 401423 4302->4322 4312 40165b 4304->4312 4308 40164a SetCurrentDirectoryW 4308->4312 4310->4299 4310->4300 4311 401617 GetFileAttributesW 4310->4311 4314 4059bf 4310->4314 4317 405925 CreateDirectoryW 4310->4317 4326 4059a2 CreateDirectoryW 4310->4326 4311->4310 4329 4067e3 GetModuleHandleA 4314->4329 4318 405972 
4317->4318 4319 405976 GetLastError 4317->4319 4318->4310 4319->4318 4320 405985 SetFileSecurityW 4319->4320 4320->4318 4321 40599b GetLastError 4320->4321 4321->4318 4323 405456 24 API calls 4322->4323 4324 401431 4323->4324 4325 4063ee lstrcpynW 4324->4325 4325->4308 4327 4059b2 4326->4327 4328 4059b6 GetLastError 4326->4328 4327->4310 4328->4327 4330 406809 GetProcAddress 4329->4330 4331 4067ff 4329->4331 4332 4059c6 4330->4332 4335 406773 GetSystemDirectoryW 4331->4335 4332->4310 4334 406805 4334->4330 4334->4332 4336 406795 wsprintfW LoadLibraryExW 4335->4336 4336->4334 5106 402a42 5107 402d1c 17 API calls 5106->5107 5108 402a48 5107->5108 5109 402a88 5108->5109 5110 402a6f 5108->5110 5119 402925 5108->5119 5111 402aa2 5109->5111 5112 402a92 5109->5112 5115 402a74 5110->5115 5116 402a85 5110->5116 5114 40642b 17 API calls 5111->5114 5113 402d1c 17 API calls 5112->5113 5113->5119 5114->5119 5120 4063ee lstrcpynW 5115->5120 5121 406335 wsprintfW 5116->5121 5120->5119 5121->5119 5122 401c43 5123 402d1c 17 API calls 5122->5123 5124 401c4a 5123->5124 5125 402d1c 17 API calls 5124->5125 5126 401c57 5125->5126 5127 401c6c 5126->5127 5128 402d3e 17 API calls 5126->5128 5129 401c7c 5127->5129 5130 402d3e 17 API calls 5127->5130 5128->5127 5131 401cd3 5129->5131 5132 401c87 5129->5132 5130->5129 5133 402d3e 17 API calls 5131->5133 5134 402d1c 17 API calls 5132->5134 5135 401cd8 5133->5135 5136 401c8c 5134->5136 5138 402d3e 17 API calls 5135->5138 5137 402d1c 17 API calls 5136->5137 5139 401c98 5137->5139 5140 401ce1 FindWindowExW 5138->5140 5141 401cc3 SendMessageW 5139->5141 5142 401ca5 SendMessageTimeoutW 5139->5142 5143 401d03 5140->5143 5141->5143 5142->5143 5144 402b43 5145 4067e3 5 API calls 5144->5145 5146 402b4a 5145->5146 5147 402d3e 17 API calls 5146->5147 5148 402b53 5147->5148 5149 402b57 IIDFromString 5148->5149 5150 402b8e 5148->5150 5149->5150 5151 402b66 5149->5151 5151->5150 5154 4063ee lstrcpynW 5151->5154 5153 402b83 CoTaskMemFree 5153->5150 
5154->5153 5155 402947 5156 402d3e 17 API calls 5155->5156 5157 402955 5156->5157 5158 40296b 5157->5158 5159 402d3e 17 API calls 5157->5159 5160 405ebf 2 API calls 5158->5160 5159->5158 5161 402971 5160->5161 5183 405ee4 GetFileAttributesW CreateFileW 5161->5183 5163 40297e 5164 402a21 5163->5164 5165 40298a GlobalAlloc 5163->5165 5168 402a29 DeleteFileW 5164->5168 5169 402a3c 5164->5169 5166 4029a3 5165->5166 5167 402a18 CloseHandle 5165->5167 5184 40345a SetFilePointer 5166->5184 5167->5164 5168->5169 5171 4029a9 5172 403444 ReadFile 5171->5172 5173 4029b2 GlobalAlloc 5172->5173 5174 4029c2 5173->5174 5175 4029f6 5173->5175 5177 40324c 31 API calls 5174->5177 5176 405f96 WriteFile 5175->5176 5178 402a02 GlobalFree 5176->5178 5182 4029cf 5177->5182 5179 40324c 31 API calls 5178->5179 5180 402a15 5179->5180 5180->5167 5181 4029ed GlobalFree 5181->5175 5182->5181 5183->5163 5184->5171 5553 4053ca 5554 4053da 5553->5554 5555 4053ee 5553->5555 5556 4053e0 5554->5556 5557 405437 5554->5557 5558 4053f6 IsWindowVisible 5555->5558 5564 40540d 5555->5564 5560 404390 SendMessageW 5556->5560 5559 40543c CallWindowProcW 5557->5559 5558->5557 5561 405403 5558->5561 5562 4053ea 5559->5562 5560->5562 5566 404cff SendMessageW 5561->5566 5564->5559 5571 404d7f 5564->5571 5567 404d22 GetMessagePos ScreenToClient SendMessageW 5566->5567 5568 404d5e SendMessageW 5566->5568 5569 404d56 5567->5569 5570 404d5b 5567->5570 5568->5569 5569->5564 5570->5568 5580 4063ee lstrcpynW 5571->5580 5573 404d92 5581 406335 wsprintfW 5573->5581 5575 404d9c 5576 40140b 2 API calls 5575->5576 5577 404da5 5576->5577 5582 4063ee lstrcpynW 5577->5582 5579 404dac 5579->5557 5580->5573 5581->5575 5582->5579 5586 4016cc 5587 402d3e 17 API calls 5586->5587 5588 4016d2 GetFullPathNameW 5587->5588 5589 4016ec 5588->5589 5595 40170e 5588->5595 5592 40674c 2 API calls 5589->5592 5589->5595 5590 402bc2 5591 401723 GetShortPathNameW 5591->5590 5593 4016fe 5592->5593 5593->5595 5596 4063ee lstrcpynW 5593->5596 
5595->5590 5595->5591 5596->5595 5185 6e33103d 5188 6e33101b 5185->5188 5195 6e331516 5188->5195 5190 6e331020 5191 6e331027 GlobalAlloc 5190->5191 5192 6e331024 5190->5192 5191->5192 5193 6e33153d 3 API calls 5192->5193 5194 6e33103b 5193->5194 5197 6e33151c 5195->5197 5196 6e331522 5196->5190 5197->5196 5198 6e33152e GlobalFree 5197->5198 5198->5190 5199 401e4e GetDC 5200 402d1c 17 API calls 5199->5200 5201 401e60 GetDeviceCaps MulDiv ReleaseDC 5200->5201 5202 402d1c 17 API calls 5201->5202 5203 401e91 5202->5203 5204 40642b 17 API calls 5203->5204 5205 401ece CreateFontIndirectW 5204->5205 5206 402630 5205->5206 5597 402acf 5598 402d1c 17 API calls 5597->5598 5599 402ad5 5598->5599 5600 402b12 5599->5600 5601 402ae7 5599->5601 5603 402925 5599->5603 5602 40642b 17 API calls 5600->5602 5600->5603 5601->5603 5605 406335 wsprintfW 5601->5605 5602->5603 5605->5603 4812 4020d0 4813 4020e2 4812->4813 4814 402194 4812->4814 4815 402d3e 17 API calls 4813->4815 4817 401423 24 API calls 4814->4817 4816 4020e9 4815->4816 4818 402d3e 17 API calls 4816->4818 4823 4022ee 4817->4823 4819 4020f2 4818->4819 4820 402108 LoadLibraryExW 4819->4820 4821 4020fa GetModuleHandleW 4819->4821 4820->4814 4822 402119 4820->4822 4821->4820 4821->4822 4835 406852 4822->4835 4826 402163 4828 405456 24 API calls 4826->4828 4827 40212a 4829 402132 4827->4829 4830 402149 4827->4830 4831 40213a 4828->4831 4832 401423 24 API calls 4829->4832 4840 6e331777 4830->4840 4831->4823 4833 402186 FreeLibrary 4831->4833 4832->4831 4833->4823 4882 406410 WideCharToMultiByte 4835->4882 4837 40686f 4838 406876 GetProcAddress 4837->4838 4839 402124 4837->4839 4838->4839 4839->4826 4839->4827 4841 6e3317aa 4840->4841 4883 6e331b5f 4841->4883 4843 6e3318d6 4843->4831 4844 6e3317b1 4844->4843 4845 6e3317c2 4844->4845 4846 6e3317c9 4844->4846 4933 6e33239e 4845->4933 4917 6e3323e0 4846->4917 4851 6e33180f 4946 6e3325b5 4851->4946 4852 6e33182d 4855 6e331833 4852->4855 4856 6e33187e 4852->4856 4853 6e3317f8 4869 
6e3317ee 4853->4869 4943 6e332d83 4853->4943 4854 6e3317df 4858 6e3317e5 4854->4858 4863 6e3317f0 4854->4863 4965 6e3315c6 4855->4965 4861 6e3325b5 10 API calls 4856->4861 4858->4869 4927 6e332af8 4858->4927 4867 6e33186f 4861->4867 4862 6e331815 4957 6e3315b4 4862->4957 4937 6e332770 4863->4937 4873 6e3318c5 4867->4873 4971 6e332578 4867->4971 4869->4851 4869->4852 4870 6e3317f6 4870->4869 4871 6e3325b5 10 API calls 4871->4867 4873->4843 4875 6e3318cf GlobalFree 4873->4875 4875->4843 4879 6e3318b1 4879->4873 4975 6e33153d wsprintfW 4879->4975 4881 6e3318aa FreeLibrary 4881->4879 4882->4837 4978 6e33121b GlobalAlloc 4883->4978 4885 6e331b86 4979 6e33121b GlobalAlloc 4885->4979 4887 6e331dcb GlobalFree GlobalFree GlobalFree 4888 6e331de8 4887->4888 4901 6e331e32 4887->4901 4889 6e3321de 4888->4889 4896 6e331dfd 4888->4896 4888->4901 4891 6e332200 GetModuleHandleW 4889->4891 4889->4901 4890 6e331c86 GlobalAlloc 4902 6e331b91 4890->4902 4893 6e332211 LoadLibraryW 4891->4893 4894 6e332226 4891->4894 4892 6e331cef GlobalFree 4892->4902 4893->4894 4893->4901 4986 6e33161d WideCharToMultiByte GlobalAlloc WideCharToMultiByte GetProcAddress GlobalFree 4894->4986 4895 6e331cd1 lstrcpyW 4898 6e331cdb lstrcpyW 4895->4898 4896->4901 4982 6e33122c 4896->4982 4898->4902 4899 6e332278 4899->4901 4906 6e332285 lstrlenW 4899->4906 4900 6e332086 4985 6e33121b GlobalAlloc 4900->4985 4901->4844 4902->4887 4902->4890 4902->4892 4902->4895 4902->4898 4902->4900 4902->4901 4908 6e331fc7 GlobalFree 4902->4908 4909 6e33210e 4902->4909 4910 6e33122c 2 API calls 4902->4910 4915 6e331d2d 4902->4915 4904 6e332238 4904->4899 4916 6e332262 GetProcAddress 4904->4916 4987 6e33161d WideCharToMultiByte GlobalAlloc WideCharToMultiByte GetProcAddress GlobalFree 4906->4987 4908->4902 4909->4901 4914 6e332176 lstrcpyW 4909->4914 4910->4902 4911 6e33208f 4911->4844 4912 6e33229f 4912->4901 4914->4901 4915->4902 4980 6e33158f GlobalSize GlobalAlloc 4915->4980 4916->4899 4924 6e3323f8 4917->4924 4918 
6e33122c GlobalAlloc lstrcpynW 4918->4924 4920 6e332521 GlobalFree 4921 6e3317cf 4920->4921 4920->4924 4921->4853 4921->4854 4921->4869 4922 6e3324a0 GlobalAlloc WideCharToMultiByte 4922->4920 4923 6e3324cb GlobalAlloc CLSIDFromString 4923->4920 4924->4918 4924->4920 4924->4922 4924->4923 4926 6e3324ea 4924->4926 4989 6e3312ba 4924->4989 4926->4920 4993 6e332704 4926->4993 4929 6e332b0a 4927->4929 4928 6e332baf ReadFile 4932 6e332bcd 4928->4932 4929->4928 4931 6e332c99 4931->4869 4996 6e332aa2 4932->4996 4934 6e3323b3 4933->4934 4935 6e3317c8 4934->4935 4936 6e3323be GlobalAlloc 4934->4936 4935->4846 4936->4934 4941 6e3327a0 4937->4941 4938 6e33283b GlobalAlloc 4942 6e33285e 4938->4942 4939 6e33284e 4940 6e332854 GlobalSize 4939->4940 4939->4942 4940->4942 4941->4938 4941->4939 4942->4870 4945 6e332d8e 4943->4945 4944 6e332dce GlobalFree 4945->4944 5000 6e33121b GlobalAlloc 4946->5000 4948 6e33266b lstrcpynW 4951 6e3325bf 4948->4951 4949 6e33265a StringFromGUID2 4949->4951 4950 6e332638 MultiByteToWideChar 4950->4951 4951->4948 4951->4949 4951->4950 4952 6e33267e wsprintfW 4951->4952 4953 6e3326a2 GlobalFree 4951->4953 4954 6e3326d7 GlobalFree 4951->4954 4955 6e331272 2 API calls 4951->4955 5001 6e3312e1 4951->5001 4952->4951 4953->4951 4954->4862 4955->4951 5005 6e33121b GlobalAlloc 4957->5005 4959 6e3315b9 4960 6e3315c6 2 API calls 4959->4960 4961 6e3315c3 4960->4961 4962 6e331272 4961->4962 4963 6e3312b5 GlobalFree 4962->4963 4964 6e33127b GlobalAlloc lstrcpynW 4962->4964 4963->4867 4964->4963 4966 6e3315d2 wsprintfW 4965->4966 4967 6e3315ff lstrcpyW 4965->4967 4970 6e331618 4966->4970 4967->4970 4970->4871 4972 6e332586 4971->4972 4973 6e331891 4971->4973 4972->4973 4974 6e3325a2 GlobalFree 4972->4974 4973->4879 4973->4881 4974->4972 4976 6e331272 2 API calls 4975->4976 4977 6e33155e 4976->4977 4977->4873 4978->4885 4979->4902 4981 6e3315ad 4980->4981 4981->4915 4988 6e33121b GlobalAlloc 4982->4988 4984 6e33123b lstrcpynW 4984->4901 4985->4911 4986->4904 
4987->4912 4988->4984 4990 6e3312c1 4989->4990 4991 6e33122c 2 API calls 4990->4991 4992 6e3312df 4991->4992 4992->4924 4994 6e332712 VirtualAlloc 4993->4994 4995 6e332768 4993->4995 4994->4995 4995->4926 4997 6e332aad 4996->4997 4998 6e332ab2 GetLastError 4997->4998 4999 6e332abd 4997->4999 4998->4999 4999->4931 5000->4951 5002 6e3312ea 5001->5002 5003 6e33130c 5001->5003 5002->5003 5004 6e3312f0 lstrcpyW 5002->5004 5003->4951 5004->5003 5005->4959 5606 6e332ca3 5607 6e332cbb 5606->5607 5608 6e33158f 2 API calls 5607->5608 5609 6e332cd6 5608->5609 5610 4028d5 5611 4028dd 5610->5611 5612 4028e1 FindNextFileW 5611->5612 5615 4028f3 5611->5615 5613 40293a 5612->5613 5612->5615 5616 4063ee lstrcpynW 5613->5616 5616->5615 5207 401956 5208 402d3e 17 API calls 5207->5208 5209 40195d lstrlenW 5208->5209 5210 402630 5209->5210 5061 4014d7 5066 402d1c 5061->5066 5063 4014dd Sleep 5065 402bc2 5063->5065 5067 40642b 17 API calls 5066->5067 5068 402d31 5067->5068 5068->5063 5092 40175c 5093 402d3e 17 API calls 5092->5093 5094 401763 5093->5094 5095 405f13 2 API calls 5094->5095 5096 40176a 5095->5096 5097 405f13 2 API calls 5096->5097 5097->5096 5211 401d5d 5212 402d1c 17 API calls 5211->5212 5213 401d6e SetWindowLongW 5212->5213 5214 402bc2 5213->5214 5098 401ede 5099 402d1c 17 API calls 5098->5099 5100 401ee4 5099->5100 5101 402d1c 17 API calls 5100->5101 5102 401ef0 5101->5102 5103 401f07 EnableWindow 5102->5103 5104 401efc ShowWindow 5102->5104 5105 402bc2 5103->5105 5104->5105 5215 401563 5216 402b08 5215->5216 5219 406335 wsprintfW 5216->5219 5218 402b0d 5219->5218 5617 4026e4 5618 402d1c 17 API calls 5617->5618 5619 4026f3 5618->5619 5620 40273d ReadFile 5619->5620 5621 405f67 ReadFile 5619->5621 5622 402832 5619->5622 5623 40277d MultiByteToWideChar 5619->5623 5624 405fc5 5 API calls 5619->5624 5626 4027a3 SetFilePointer MultiByteToWideChar 5619->5626 5627 402843 5619->5627 5629 402830 5619->5629 5620->5619 5620->5629 5621->5619 5630 406335 wsprintfW 5622->5630 
5623->5619 5624->5619 5626->5619 5628 402864 SetFilePointer 5627->5628 5627->5629 5628->5629 5630->5629 5220 401968 5221 402d1c 17 API calls 5220->5221 5222 40196f 5221->5222 5223 402d1c 17 API calls 5222->5223 5224 40197c 5223->5224 5225 402d3e 17 API calls 5224->5225 5226 401993 lstrlenW 5225->5226 5227 4019a4 5226->5227 5228 4019e5 5227->5228 5232 4063ee lstrcpynW 5227->5232 5230 4019d5 5230->5228 5231 4019da lstrlenW 5230->5231 5231->5228 5232->5230 5233 40166a 5234 402d3e 17 API calls 5233->5234 5235 401670 5234->5235 5236 40674c 2 API calls 5235->5236 5237 401676 5236->5237 4643 403e6b 4644 403e83 4643->4644 4645 403fbe 4643->4645 4644->4645 4646 403e8f 4644->4646 4647 403fcf GetDlgItem GetDlgItem 4645->4647 4662 40400f 4645->4662 4648 403e9a SetWindowPos 4646->4648 4649 403ead 4646->4649 4650 404344 18 API calls 4647->4650 4648->4649 4651 403eb2 ShowWindow 4649->4651 4652 403eca 4649->4652 4653 403ff9 SetClassLongW 4650->4653 4651->4652 4656 403ed2 DestroyWindow 4652->4656 4657 403eec 4652->4657 4658 40140b 2 API calls 4653->4658 4654 404069 4655 404390 SendMessageW 4654->4655 4660 403fb9 4654->4660 4683 40407b 4655->4683 4661 4042cd 4656->4661 4663 403ef1 SetWindowLongW 4657->4663 4664 403f02 4657->4664 4658->4662 4659 401389 2 API calls 4665 404041 4659->4665 4661->4660 4671 4042fe ShowWindow 4661->4671 4662->4654 4662->4659 4663->4660 4668 403fab 4664->4668 4669 403f0e GetDlgItem 4664->4669 4665->4654 4670 404045 SendMessageW 4665->4670 4666 40140b 2 API calls 4666->4683 4667 4042cf DestroyWindow EndDialog 4667->4661 4723 4043ab 4668->4723 4672 403f21 SendMessageW IsWindowEnabled 4669->4672 4673 403f3e 4669->4673 4670->4660 4671->4660 4672->4660 4672->4673 4676 403f4b 4673->4676 4677 403f92 SendMessageW 4673->4677 4678 403f5e 4673->4678 4687 403f43 4673->4687 4675 40642b 17 API calls 4675->4683 4676->4677 4676->4687 4677->4668 4680 403f66 4678->4680 4681 403f7b 4678->4681 4684 40140b 2 API calls 4680->4684 4685 40140b 2 API calls 4681->4685 4682 403f79 
Function-level call graph (rendered in the report as an interactive graph; the node id / address / edge list is not reproduced here). Nodes fall into two modules: the main image, with small handler functions between 0x401000 and 0x406xxx that each fetch their parameters through the shared helpers at 0x402d1c and 0x402d3e (consistent with an NSIS installer stub, compare the "NSIS Error" string in the API list below), and a second, MSVC-built module mapped at 0x6e331000 (its node at 0x6e3318d9 carries the runtime symbols __allrem and __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z).

APIs named on the graph nodes, grouped:
- File system: GetFileAttributesW, CreateFileW, ReadFile, WriteFile, SetFilePointer, CopyFileW, MoveFileW, DeleteFileW, FindFirstFileW, FindClose, SetFileAttributesW, SetFileTime, SHFileOperationW, SearchPathW, GetDiskFreeSpaceW, GetTempPathW, GetWindowsDirectoryW, SetCurrentDirectoryW.
- Registry: RegOpenKeyExW, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumKeyW, RegEnumValueW, RegDeleteKeyW, RegDeleteValueW, RegCloseKey.
- Process, privilege and shutdown: CreateProcessW (0x4059d7), ShellExecuteExW (0x405a1a), WaitForSingleObject, GetExitCodeProcess, GetCurrentProcess, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges, ExitWindowsEx, ExitProcess, PostQuitMessage, CreateThread.
- Memory and loader: GlobalAlloc, GlobalFree, GlobalSize, GlobalLock, GlobalUnlock, FreeLibrary; in the second module VirtualProtect (0x6e3329ef) and VirtualFree (0x6e3316b7).
- INI, environment and command line: GetPrivateProfileStringW, WritePrivateProfileStringW, ExpandEnvironmentStringsW, SetEnvironmentVariableW, GetCommandLineW.
- COM and shell: OleInitialize, OleUninitialize, CoCreateInstance, CoTaskMemFree, SHBrowseForFolderW, SHGetPathFromIDListW, SHGetFileInfoW.
- Clipboard: OpenClipboard, EmptyClipboard, SetClipboardData, CloseClipboard.
- Installer UI and timing: CreateDialogParamW, DialogBoxParamW, RegisterClassW, CreateWindowExW, GetDlgItem, SendMessageW, SetWindowTextW, SetDlgItemTextW, MessageBoxIndirectW, LoadImageW, TrackPopupMenu, SetTimer, GetTickCount, PeekMessageW, DispatchMessageW, GetUserDefaultUILanguage, GetVersion, SetErrorMode.
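The node and edge dump in this part of the report is what the call-graph viewer draws. The script below is an example added to this report (it is not Joe Sandbox code and not part of the sample): it rebuilds the graph from a constructed excerpt of the dump (nodes 4442/4557 around CreateProcessW at 0x4059d7 and 4768/4770 around VirtualProtect at 0x6e3329ef) and answers the triage question the graph exists for, namely which functions can reach a process-creation, memory-protection or privilege API. The tokenising rule (a four-digit decimal token followed by a hex address starts a node, `a->b` is an edge, `n API calls` is a summarised helper) and the SENSITIVE list are assumptions of the example.

```python
"""Rebuild the function-level call graph from the node/edge dump the report renders
and ask which functions can reach APIs an analyst cares about.

Added example for this report, not Joe Sandbox code. Assumed dump format: a node is
`<4-digit id> <hex address> [label...]` where the label is API names or `<n> API calls`,
and an edge is `a->b`.
"""
import re
from collections import defaultdict, deque

# Constructed excerpt of the dump above: node 4442 (0x4038b4) in the main image
# and nodes 4768-4770 in the second module mapped at 0x6e331000.
SAMPLE_DUMP = (
    "4442 4038b4 4436->4442 4437->4442 4438 40393b 4440 4061b4 36 API calls "
    "4438->4440 4442->4435 4442->4438 4444 403926 CloseHandle 4442->4444 "
    "4557 4059d7 CreateProcessW 4442->4557 4444->4442 4558 405a16 4557->4558 "
    "4559 405a0a CloseHandle 4557->4559 4558->4442 4559->4558 "
    "4768 6e3329df 4769 6e332a2f 4768->4769 4770 6e3329ef VirtualProtect "
    "4768->4770 4770->4769"
)

# APIs worth flagging when reachable from a handler (analyst's choice, assumption).
SENSITIVE = {"CreateProcessW", "ShellExecuteExW", "VirtualProtect", "VirtualFree",
             "AdjustTokenPrivileges", "ExitWindowsEx", "SetClipboardData"}

EDGE = re.compile(r"^(\d+)->(\d+)$")
NODE_ID = re.compile(r"^\d{4}$")
ADDR = re.compile(r"^[0-9a-f]{6,8}$")


def parse_dump(text):
    """Return (nodes, edges): nodes maps id -> {addr, apis, calls}; edges maps id -> set of ids."""
    nodes, edges, cur = {}, defaultdict(set), None
    tokens = text.split()
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        m = EDGE.match(tok)
        if m:
            edges[m.group(1)].add(m.group(2))
            cur = None  # an edge token ends the current node's label
            i += 1
        elif NODE_ID.match(tok) and i + 1 < len(tokens) and ADDR.match(tokens[i + 1]):
            cur = tok
            nodes[cur] = {"addr": tokens[i + 1], "apis": [], "calls": None}
            i += 2
        elif cur is not None and tok.isdigit() and tokens[i + 1:i + 3] == ["API", "calls"]:
            nodes[cur]["calls"] = int(tok)  # summarised helper such as "17 API calls"
            i += 3
        else:
            if cur is not None:
                nodes[cur]["apis"].append(tok)
            i += 1
    return nodes, edges


def reachable(nodes, edges, start):
    """Ids reachable from start (inclusive), following call edges forward."""
    seen, queue = {start}, deque([start])
    while queue:
        n = queue.popleft()
        for s in edges.get(n, ()):
            if s not in seen:
                seen.add(s)
                queue.append(s)
    return seen


def reachable_apis(nodes, edges, start):
    return {a for n in reachable(nodes, edges, start) if n in nodes for a in nodes[n]["apis"]}


def sensitive_reach(nodes, edges, start, sensitive=SENSITIVE):
    """Sorted (api, address) pairs for sensitive APIs reachable from start."""
    hits = []
    for n in reachable(nodes, edges, start):
        for a in nodes.get(n, {"apis": []})["apis"]:
            if a in sensitive:
                hits.append((a, nodes[n]["addr"]))
    return sorted(hits)


def nodes_reaching(nodes, edges, api):
    """Addresses of every function that can reach a node calling `api` (reverse BFS)."""
    rev = defaultdict(set)
    for a, targets in edges.items():
        for b in targets:
            rev[b].add(a)
    seen = {nid for nid, n in nodes.items() if api in n["apis"]}
    queue = deque(seen)
    while queue:
        n = queue.popleft()
        for p in rev.get(n, ()):
            if p not in seen:
                seen.add(p)
                queue.append(p)
    return {nodes[n]["addr"] for n in seen if n in nodes}


if __name__ == "__main__":
    nodes, edges = parse_dump(SAMPLE_DUMP)
    print("from 0x4038b4:", sensitive_reach(nodes, edges, "4442"))
    print("reaches VirtualProtect:", sorted(nodes_reaching(nodes, edges, "VirtualProtect")))
```

Paste the full dump from the report into `SAMPLE_DUMP` to get the complete picture; on the excerpt, CreateProcessW is reachable from 0x4038b4 and VirtualProtect only from within the second module.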

                            Control-flow Graph

                            Control-flow graph of the function at 0x4034a2 (the report renders this as a basic-block graph with executed and not-executed blocks coloured; the colouring and the block edge list are not reproduced here). Blocks and the APIs or helpers they call, in address order:
                            4034a2 SetErrorMode GetVersion; 4034e1 call 4067e3; 4034f7 call 406773 lstrlenA; 40350d call 4067e3 * 3; 40353a #17 OleInitialize SHGetFileInfoW call 4063ee GetCommandLineW call 4063ee; 4035a3 call 405cf0 CharNextW; 4036a0 call 405cf0; 4036bf call 4063ee; 4036d4 GetTempPathW call 403471; 4036f0 GetWindowsDirectoryW lstrcatW call 403471; 403710 GetTempPathW lstrcatW SetEnvironmentVariableW * 2 call 403471; 403746 DeleteFileW call 403015; 403772 call 405cf0; 4037d7 call 405dcb; 4037e7 call 4063ee * 2; 403801 call 403abd; 403811 call 4039e3 OleUninitialize; 403827 call 405a54 ExitProcess; 40383d call 4059bf lstrcatW; 403853 lstrcatW; 40385e lstrcatW lstrcmpiW; 40387f call 405925; 403886 call 4059a2; 40388b SetCurrentDirectoryW; 40389b call 4063ee; 4038a6 call 4063ee; 4038d4 call 40642b DeleteFileW; 4038f2 CopyFileW; 403904 call 4061b4 call 40642b call 4059d7; 403926 CloseHandle; 40393b call 4061b4; 40394f GetCurrentProcess OpenProcessToken; 403967 LookupPrivilegeValueW AdjustTokenPrivileges; 40399b call 4067e3; 4039b7 ExitWindowsEx; 4039c4 call 40140b; 4039d9 ExitProcess.
                            APIs
                            • SetErrorMode.KERNELBASE ref: 004034C5
                            • GetVersion.KERNEL32 ref: 004034CB
                            • lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004034FE
                            • #17.COMCTL32(?,00000007,00000009,0000000B), ref: 0040353B
                            • OleInitialize.OLE32(00000000), ref: 00403542
                            • SHGetFileInfoW.SHELL32(0079FF08,00000000,?,000002B4,00000000), ref: 0040355E
                            • GetCommandLineW.KERNEL32(007A7A60,NSIS Error,?,00000007,00000009,0000000B), ref: 00403573
                            • CharNextW.USER32(00000000,"C:\Users\user\Desktop\Document_084462.scr.exe",00000020,"C:\Users\user\Desktop\Document_084462.scr.exe",00000000,?,00000007,00000009,0000000B), ref: 004035AB
                              • Part of subcall function 004067E3: GetModuleHandleA.KERNEL32(?,00000020,?,00403514,0000000B), ref: 004067F5
                              • Part of subcall function 004067E3: GetProcAddress.KERNEL32(00000000,?), ref: 00406810
                            • GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,?,00000007,00000009,0000000B), ref: 004036E5
                            • GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000007,00000009,0000000B), ref: 004036F6
                            • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000007,00000009,0000000B), ref: 00403702
                            • GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000007,00000009,0000000B), ref: 00403716
                            • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000007,00000009,0000000B), ref: 0040371E
                            • SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000007,00000009,0000000B), ref: 0040372F
                            • SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000007,00000009,0000000B), ref: 00403737
                            • DeleteFileW.KERNELBASE(1033,?,00000007,00000009,0000000B), ref: 0040374B
                              • Part of subcall function 004063EE: lstrcpynW.KERNEL32(?,?,00000400,00403573,007A7A60,NSIS Error,?,00000007,00000009,0000000B), ref: 004063FB
                            • OleUninitialize.OLE32(00000007,?,00000007,00000009,0000000B), ref: 00403816
                            • ExitProcess.KERNEL32 ref: 00403837
                            • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\Document_084462.scr.exe",00000000,00000007,?,00000007,00000009,0000000B), ref: 0040384A
                            • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A26C,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\Document_084462.scr.exe",00000000,00000007,?,00000007,00000009,0000000B), ref: 00403859
                            • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\Document_084462.scr.exe",00000000,00000007,?,00000007,00000009,0000000B), ref: 00403864
                            • lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\Document_084462.scr.exe",00000000,00000007,?,00000007,00000009,0000000B), ref: 00403870
                            • SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,?,00000007,00000009,0000000B), ref: 0040388C
                            • DeleteFileW.KERNEL32(0079F708,0079F708,?,007A9000,00000009,?,00000007,00000009,0000000B), ref: 004038E6
                            • CopyFileW.KERNEL32(C:\Users\user\Desktop\Document_084462.scr.exe,0079F708,?,?,00000007,00000009,0000000B), ref: 004038FA
                            • CloseHandle.KERNEL32(00000000,0079F708,0079F708,?,0079F708,00000000,?,00000007,00000009,0000000B), ref: 00403927
                            • GetCurrentProcess.KERNEL32(00000028,0000000B,00000007,00000009,0000000B), ref: 00403956
                            • OpenProcessToken.ADVAPI32(00000000), ref: 0040395D
                            • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403972
                            • AdjustTokenPrivileges.ADVAPI32 ref: 00403995
                            • ExitWindowsEx.USER32(00000002,80040002), ref: 004039BA
                            • ExitProcess.KERNEL32 ref: 004039DD
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.3824377564.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.3824364522.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824391373.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.00000000007C6000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824785053.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_Document_084462.jbxd
                            Similarity
                            • API ID: lstrcat$FileProcess$Exit$CurrentDeleteDirectoryEnvironmentHandlePathTempTokenVariableWindows$AddressAdjustCharCloseCommandCopyErrorInfoInitializeLineLookupModeModuleNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrcmpilstrcpynlstrlen
                            • String ID: "C:\Users\user\Desktop\Document_084462.scr.exe"$.tmp$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\inspires$C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\inspires$C:\Users\user\Desktop$C:\Users\user\Desktop\Document_084462.scr.exe$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$kernel32::EnumResourceTypesA(i 0,i r8,i 0)$~nsu
                            • API String ID: 3441113951-281924048
                            • Opcode ID: ef7bc40cfc21a65b5c7abadd4c778368bce5dd0c15bdea56e8fa6b9d03db3f5a
                            • Instruction ID: d7b9bf8e5ec5db16f392776339999e6c5d6af7d7718e861a4dfbc7241a8cc938
                            • Opcode Fuzzy Hash: ef7bc40cfc21a65b5c7abadd4c778368bce5dd0c15bdea56e8fa6b9d03db3f5a
                            • Instruction Fuzzy Hash: 65D1F6B1200310AAD7207F659D49B2B3AACEB81749F10843FF581B62D1DB7D8A55C76E

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            Control-flow graph of function 00405595 (rendered graph; node and edge layout not captured as text)
                            APIs
                            • GetDlgItem.USER32(?,00000403), ref: 004055F3
                            • GetDlgItem.USER32(?,000003EE), ref: 00405602
                            • GetClientRect.USER32(?,?), ref: 0040563F
                            • GetSystemMetrics.USER32(00000002), ref: 00405646
                            • SendMessageW.USER32(?,00001061,00000000,?), ref: 00405667
                            • SendMessageW.USER32(?,00001036,00004000,00004000), ref: 00405678
                            • SendMessageW.USER32(?,00001001,00000000,00000110), ref: 0040568B
                            • SendMessageW.USER32(?,00001026,00000000,00000110), ref: 00405699
                            • SendMessageW.USER32(?,00001024,00000000,?), ref: 004056AC
                            • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 004056CE
                            • ShowWindow.USER32(?,00000008), ref: 004056E2
                            • GetDlgItem.USER32(?,000003EC), ref: 00405703
                            • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00405713
                            • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 0040572C
                            • SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 00405738
                            • GetDlgItem.USER32(?,000003F8), ref: 00405611
                              • Part of subcall function 00404379: SendMessageW.USER32(00000028,?,?,004041A4), ref: 00404387
                            • GetDlgItem.USER32(?,000003EC), ref: 00405755
                            • CreateThread.KERNELBASE(00000000,00000000,Function_00005529,00000000), ref: 00405763
                            • CloseHandle.KERNELBASE(00000000), ref: 0040576A
                            • ShowWindow.USER32(00000000), ref: 0040578E
                            • ShowWindow.USER32(?,00000008), ref: 00405793
                            • ShowWindow.USER32(00000008), ref: 004057DD
                            • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405811
                            • CreatePopupMenu.USER32 ref: 00405822
                            • AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 00405836
                            • GetWindowRect.USER32(?,?), ref: 00405856
                            • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 0040586F
                            • SendMessageW.USER32(?,00001073,00000000,?), ref: 004058A7
                            • OpenClipboard.USER32(00000000), ref: 004058B7
                            • EmptyClipboard.USER32 ref: 004058BD
                            • GlobalAlloc.KERNEL32(00000042,00000000), ref: 004058C9
                            • GlobalLock.KERNEL32(00000000), ref: 004058D3
                            • SendMessageW.USER32(?,00001073,00000000,?), ref: 004058E7
                            • GlobalUnlock.KERNEL32(00000000), ref: 00405907
                            • SetClipboardData.USER32(0000000D,00000000), ref: 00405912
                            • CloseClipboard.USER32 ref: 00405918
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.3824377564.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_Document_084462.jbxd
                            Similarity
                            • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                            • String ID: {
                            • API String ID: 590372296-366298937
                            • Opcode ID: 76257269951a7008dfdc90867c28ba5585546a04cccc1881335d18026b5b47bc
                            • Instruction ID: ce320b3aa05de7a86cd71a66421b7d26801e1fa413e38a053d13c4a4e4f3a794
                            • Opcode Fuzzy Hash: 76257269951a7008dfdc90867c28ba5585546a04cccc1881335d18026b5b47bc
                            • Instruction Fuzzy Hash: 43B15BB1900608FFDB119F64DD89EAE7B79FB44354F00802AFA45B61A0CB794E51DFA8
                            APIs
                              • Part of subcall function 6E33121B: GlobalAlloc.KERNEL32(00000040,?,6E33123B,?,6E3312DF,00000019,6E3311BE,-000000A0), ref: 6E331225
                            • GlobalAlloc.KERNELBASE(00000040,00001CA4), ref: 6E331C8D
                            • lstrcpyW.KERNEL32(00000008,?), ref: 6E331CD5
                            • lstrcpyW.KERNEL32(00000808,?), ref: 6E331CDF
                            • GlobalFree.KERNEL32(00000000), ref: 6E331CF2
                            • GlobalFree.KERNEL32(?), ref: 6E331DD4
                            • GlobalFree.KERNEL32(?), ref: 6E331DD9
                            • GlobalFree.KERNEL32(?), ref: 6E331DDE
                            • GlobalFree.KERNEL32(00000000), ref: 6E331FC8
                            • lstrcpyW.KERNEL32(?,?), ref: 6E332182
                            • GetModuleHandleW.KERNEL32(00000008), ref: 6E332201
                            • LoadLibraryW.KERNEL32(00000008), ref: 6E332212
                            • GetProcAddress.KERNEL32(?,?), ref: 6E33226C
                            • lstrlenW.KERNEL32(00000808), ref: 6E332286
                            Memory Dump Source
                            • Source File: 00000000.00000002.3831381006.000000006E331000.00000020.00000001.01000000.00000004.sdmp, Offset: 6E330000, based on PE: true
                            • Associated: 00000000.00000002.3831364303.000000006E330000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000000.00000002.3831397605.000000006E334000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000000.00000002.3831410720.000000006E336000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6e330000_Document_084462.jbxd
                            Similarity
                            • API ID: Global$Free$lstrcpy$Alloc$AddressHandleLibraryLoadModuleProclstrlen
                            • String ID:
                            • API String ID: 245916457-0
                            • Opcode ID: cd890d6b38b908bc17d2a7734aa7270cec5a5a72f0fd29b1448519544f0972b9
                            • Instruction ID: 2419870dd5677206857e0ce4ddddc9cddd3ca8c3804109a27be0cee51d7d3976
                            • Opcode Fuzzy Hash: cd890d6b38b908bc17d2a7734aa7270cec5a5a72f0fd29b1448519544f0972b9
                            • Instruction Fuzzy Hash: 1922AE71D142A6DEDB608FE9C980AEEB7F8FF06305F30452AD1A5E3140D7755589CBA0

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            Control-flow graph of function 00405B00 (rendered graph; node and edge layout not captured as text)
                            APIs
                            • DeleteFileW.KERNELBASE(?,?,756F3420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405B29
                            • lstrcatW.KERNEL32(007A3F50,\*.*,007A3F50,?,?,756F3420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405B71
                            • lstrcatW.KERNEL32(?,0040A014,?,007A3F50,?,?,756F3420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405B94
                            • lstrlenW.KERNEL32(?,?,0040A014,?,007A3F50,?,?,756F3420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405B9A
                            • FindFirstFileW.KERNEL32(007A3F50,?,?,?,0040A014,?,007A3F50,?,?,756F3420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405BAA
                            • FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405C4A
                            • FindClose.KERNEL32(00000000), ref: 00405C59
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.3824377564.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_Document_084462.jbxd
                            Similarity
                            • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                            • String ID: "C:\Users\user\Desktop\Document_084462.scr.exe"$C:\Users\user\AppData\Local\Temp\$P?z$\*.*
                            • API String ID: 2035342205-126033897
                            • Opcode ID: 9bcf84aa20197a85572e9300232fccf325a3569ae83ff5500f6c5511c7c60933
                            • Instruction ID: d176cfcb2707c6ba555092c79fa60715814496245c058da0d6595325efdb1864
                            • Opcode Fuzzy Hash: 9bcf84aa20197a85572e9300232fccf325a3569ae83ff5500f6c5511c7c60933
                            • Instruction Fuzzy Hash: BE41D530804A15AAEB216B658D89EBF7678EF42715F14813FF801711D2DB7C5E82CE6E

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            Control-flow graph of function 00405456 (rendered graph; node and edge layout not captured as text)
                            APIs
                            • lstrlenW.KERNEL32(007A0F28,00000000,0079A700,756F23A0,?,?,?,?,?,?,?,?,?,0040338D,00000000,?), ref: 0040548E
                            • lstrlenW.KERNEL32(0040338D,007A0F28,00000000,0079A700,756F23A0,?,?,?,?,?,?,?,?,?,0040338D,00000000), ref: 0040549E
                            • lstrcatW.KERNEL32(007A0F28,0040338D,0040338D,007A0F28,00000000,0079A700,756F23A0), ref: 004054B1
                            • SetWindowTextW.USER32(007A0F28,007A0F28), ref: 004054C3
                            • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004054E9
                            • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405503
                            • SendMessageW.USER32(?,00001013,?,00000000), ref: 00405511
                            Memory Dump Source
                            • Source File: 00000000.00000002.3824377564.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_Document_084462.jbxd
                            Similarity
                            • API ID: MessageSend$lstrlen$TextWindowlstrcat
                            • String ID:
                            • API String ID: 2531174081-0
                            • Opcode ID: 0decb5d3bd7311ee25dcb4cac47719bdc9880b480b93dcede20cbb014160680e
                            • Instruction ID: 198c43ce2186877ab3aec1728abe16fb3d15ea5683a6b9ae92d40c5f72e5eea1
                            • Opcode Fuzzy Hash: 0decb5d3bd7311ee25dcb4cac47719bdc9880b480b93dcede20cbb014160680e
                            • Instruction Fuzzy Hash: EC21AF75900518BACB119F65DD44ACFBFB9EF89354F10802AF904B22A1C3798A81CFA8
                            APIs
                            • FindFirstFileW.KERNELBASE(?,007A4F98,C:\Users\user\AppData\Local\Temp\nswD393.tmp,00405E14,C:\Users\user\AppData\Local\Temp\nswD393.tmp,C:\Users\user\AppData\Local\Temp\nswD393.tmp,00000000,C:\Users\user\AppData\Local\Temp\nswD393.tmp,C:\Users\user\AppData\Local\Temp\nswD393.tmp, 4ou,?,C:\Users\user\AppData\Local\Temp\,00405B20,?,756F3420,C:\Users\user\AppData\Local\Temp\), ref: 00406757
                            • FindClose.KERNEL32(00000000), ref: 00406763
                            Strings
                            • C:\Users\user\AppData\Local\Temp\nswD393.tmp, xrefs: 0040674C
                            Memory Dump Source
                            • Source File: 00000000.00000002.3824377564.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_Document_084462.jbxd
                            Similarity
                            • API ID: Find$CloseFileFirst
                            • String ID: C:\Users\user\AppData\Local\Temp\nswD393.tmp
                            • API String ID: 2295610775-3749522000
                            • Opcode ID: 93d274fea3e94b44f6f55b1f097fc665565d90e42f153d0ad468ae4ce1295179
                            • Instruction ID: 5230d556015edc92dacd95909e5542708b333c59f405b635cf09ddc887f28092
                            • Opcode Fuzzy Hash: 93d274fea3e94b44f6f55b1f097fc665565d90e42f153d0ad468ae4ce1295179
                            • Instruction Fuzzy Hash: CCD012315192205FC75027386F0C84B7A599F567353264B36F0AAF21E0C6788C3286AC

                            Control-flow Graph

                            APIs
                            • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403EA7
                            • ShowWindow.USER32(?), ref: 00403EC4
                            • DestroyWindow.USER32 ref: 00403ED8
                            • SetWindowLongW.USER32(?,00000000,00000000), ref: 00403EF4
                            • GetDlgItem.USER32(?,?), ref: 00403F15
                            • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403F29
                            • IsWindowEnabled.USER32(00000000), ref: 00403F30
                            • GetDlgItem.USER32(?,?), ref: 00403FDE
                            • GetDlgItem.USER32(?,00000002), ref: 00403FE8
                            • SetClassLongW.USER32(?,000000F2,?), ref: 00404002
                            • SendMessageW.USER32(0000040F,00000000,?,?), ref: 00404053
                            • GetDlgItem.USER32(?,00000003), ref: 004040F9
                            • ShowWindow.USER32(00000000,?), ref: 0040411A
                            • KiUserCallbackDispatcher.NTDLL(?,?), ref: 0040412C
                            • EnableWindow.USER32(?,?), ref: 00404147
                            • GetSystemMenu.USER32(?,00000000,0000F060,?), ref: 0040415D
                            • EnableMenuItem.USER32(00000000), ref: 00404164
                            • SendMessageW.USER32(?,000000F4,00000000,?), ref: 0040417C
                            • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 0040418F
                            • lstrlenW.KERNEL32(007A1F48,?,007A1F48,00000000), ref: 004041B9
                            • SetWindowTextW.USER32(?,007A1F48), ref: 004041CD
                            • ShowWindow.USER32(?,0000000A), ref: 00404301
                            Memory Dump Source
                            • Source File: 00000000.00000002.3824377564.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_Document_084462.jbxd
                            Similarity
                            • API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
                            • String ID:
                            • API String ID: 3282139019-0
                            • Opcode ID: f1a328e51306031731dbcce9d1c3737ebdd7014b04a9a2d8d616989602e21706
                            • Instruction ID: fd8a01c06953bfbcdc6c7a7ca4fde1a241a6ed83f8ebcdeac2000881ab9a06ac
                            • Opcode Fuzzy Hash: f1a328e51306031731dbcce9d1c3737ebdd7014b04a9a2d8d616989602e21706
                            • Instruction Fuzzy Hash: 67C1BFB1604604AFDB206F61ED85D2A3B78EBCA705B10853EF651B11F0CB3D9941DB6E

                            Control-flow Graph

                            APIs
                              • Part of subcall function 004067E3: GetModuleHandleA.KERNEL32(?,00000020,?,00403514,0000000B), ref: 004067F5
                              • Part of subcall function 004067E3: GetProcAddress.KERNEL32(00000000,?), ref: 00406810
                            • GetUserDefaultUILanguage.KERNELBASE(00000002,756F3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Document_084462.scr.exe",00000000), ref: 00403AD7
                              • Part of subcall function 00406335: wsprintfW.USER32 ref: 00406342
                            • lstrcatW.KERNEL32(1033,007A1F48,80000001,Control Panel\Desktop\ResourceLocale,00000000,007A1F48,00000000,00000002,756F3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Document_084462.scr.exe",00000000), ref: 00403B3E
                            • lstrlenW.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\inspires,1033,007A1F48,80000001,Control Panel\Desktop\ResourceLocale,00000000,007A1F48,00000000,00000002,756F3420), ref: 00403BBE
                            • lstrcmpiW.KERNEL32(?,.exe,Call,?,?,?,Call,00000000,C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\inspires,1033,007A1F48,80000001,Control Panel\Desktop\ResourceLocale,00000000,007A1F48,00000000), ref: 00403BD1
                            • GetFileAttributesW.KERNEL32(Call), ref: 00403BDC
                            • LoadImageW.USER32(00000067,?,00000000,00000000,00008040,C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\inspires), ref: 00403C25
                            • RegisterClassW.USER32(007A7A00), ref: 00403C62
                            • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403C7A
                            • CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403CAF
                            • ShowWindow.USER32(00000005,00000000), ref: 00403CE5
                            • GetClassInfoW.USER32(00000000,RichEdit20W,007A7A00), ref: 00403D11
                            • GetClassInfoW.USER32(00000000,RichEdit,007A7A00), ref: 00403D1E
                            • RegisterClassW.USER32(007A7A00), ref: 00403D27
                            • DialogBoxParamW.USER32(?,00000000,00403E6B,00000000), ref: 00403D46
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.3824377564.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_Document_084462.jbxd
                            Similarity
                            • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDefaultDialogFileHandleImageLanguageLoadModuleParamParametersProcShowSystemUserlstrcatlstrcmpilstrlenwsprintf
                            • String ID: "C:\Users\user\Desktop\Document_084462.scr.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\inspires$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
                            • API String ID: 606308-327555894
                            • Opcode ID: ed5882197ad2af45622ab53baadaf8c7f939305731a510e2915a0577b65485f7
                            • Instruction ID: 7ce8ec14a48fa11d69b3a5e1f0875b7083b8d607cd9ed6182ea3b60f82ca9994
                            • Opcode Fuzzy Hash: ed5882197ad2af45622ab53baadaf8c7f939305731a510e2915a0577b65485f7
                            • Instruction Fuzzy Hash: 286193702407007ED320AB669D46F2B3A7CEB85B49F40853FF941B22E2DB7D99018B6D

                            Control-flow Graph

                            APIs
                            • GetTickCount.KERNEL32 ref: 00403026
                            • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\Document_084462.scr.exe,00000400,?,00000007,00000009,0000000B), ref: 00403042
                              • Part of subcall function 00405EE4: GetFileAttributesW.KERNELBASE(?,00403055,C:\Users\user\Desktop\Document_084462.scr.exe,80000000,00000003,?,00000007,00000009,0000000B), ref: 00405EE8
                              • Part of subcall function 00405EE4: CreateFileW.KERNELBASE(?,?,?,00000000,?,00000001,00000000,?,00000007,00000009,0000000B), ref: 00405F0A
                            • GetFileSize.KERNEL32(00000000,00000000,007B7000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Document_084462.scr.exe,C:\Users\user\Desktop\Document_084462.scr.exe,80000000,00000003,?,00000007,00000009,0000000B), ref: 0040308E
                            • GlobalAlloc.KERNELBASE(00000040,0000000B,?,00000007,00000009,0000000B), ref: 004031C4
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.3824377564.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_Document_084462.jbxd
                            Similarity
                            • API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
                            • String ID: "C:\Users\user\Desktop\Document_084462.scr.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\Document_084462.scr.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
                            • API String ID: 2803837635-545098723
                            • Opcode ID: 08ca265c2c11c7ade98783a519f9a0a5c073a42a03571b96a4881a179354b053
                            • Instruction ID: b65d07b499067b34cf8ea267e223a71d0fae98adc47698ec1498b1efb03bef53
                            • Opcode Fuzzy Hash: 08ca265c2c11c7ade98783a519f9a0a5c073a42a03571b96a4881a179354b053
                            • Instruction Fuzzy Hash: DD51D171900204ABDB119F64DD85B9E7EACEB45316F20843BE911BA2D1DB7C8F418B5D

                            Control-flow Graph

                            APIs
                            • GetSystemDirectoryW.KERNEL32(Call,00000400), ref: 0040656C
                            • GetWindowsDirectoryW.KERNEL32(Call,00000400,00000000,007A0F28,?,0040548D,007A0F28,00000000), ref: 0040657F
                            • SHGetSpecialFolderLocation.SHELL32(0040548D,0079A700,00000000,007A0F28,?,0040548D,007A0F28,00000000), ref: 004065BB
                            • SHGetPathFromIDListW.SHELL32(0079A700,Call), ref: 004065C9
                            • CoTaskMemFree.OLE32(0079A700), ref: 004065D4
                            • lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 004065FA
                            • lstrlenW.KERNEL32(Call,00000000,007A0F28,?,0040548D,007A0F28,00000000), ref: 00406652
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.3824377564.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_Document_084462.jbxd
                            Similarity
                            • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
                            • String ID: Call$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                            • API String ID: 717251189-1230650788
                            • Opcode ID: aaa997f56c542f4584990acf2269000a5d9ad94e2d12eeb77129bcfb95bdb2f4
                            • Instruction ID: 6a9894c1754425a34e634a53c322024ca71031740d406166b65bc8419ebad360
                            • Opcode Fuzzy Hash: aaa997f56c542f4584990acf2269000a5d9ad94e2d12eeb77129bcfb95bdb2f4
                            • Instruction Fuzzy Hash: A261F471600505ABDF249F24DD40ABE37A5AF51318F22813FE543BA2D4DB3D8AA1CB5E

                            Control-flow Graph

                            APIs
                            • lstrcatW.KERNEL32(00000000,00000000,Call,C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\inspires,?,?,00000031), ref: 004017B0
                            • CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\inspires,?,?,00000031), ref: 004017D5
                              • Part of subcall function 004063EE: lstrcpynW.KERNEL32(?,?,00000400,00403573,007A7A60,NSIS Error,?,00000007,00000009,0000000B), ref: 004063FB
                              • Part of subcall function 00405456: lstrlenW.KERNEL32(007A0F28,00000000,0079A700,756F23A0,?,?,?,?,?,?,?,?,?,0040338D,00000000,?), ref: 0040548E
                              • Part of subcall function 00405456: lstrlenW.KERNEL32(0040338D,007A0F28,00000000,0079A700,756F23A0,?,?,?,?,?,?,?,?,?,0040338D,00000000), ref: 0040549E
                              • Part of subcall function 00405456: lstrcatW.KERNEL32(007A0F28,0040338D,0040338D,007A0F28,00000000,0079A700,756F23A0), ref: 004054B1
                              • Part of subcall function 00405456: SetWindowTextW.USER32(007A0F28,007A0F28), ref: 004054C3
                              • Part of subcall function 00405456: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004054E9
                              • Part of subcall function 00405456: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405503
                              • Part of subcall function 00405456: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405511
                            Memory Dump Source
                            • Source File: 00000000.00000002.3824377564.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.3824364522.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824391373.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.00000000007C6000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824785053.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_Document_084462.jbxd
                            Similarity
                            • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                            • String ID: C:\Users\user\AppData\Local\Temp\nswD393.tmp$C:\Users\user\AppData\Local\Temp\nswD393.tmp\System.dll$C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\inspires$Call
                            • API String ID: 1941528284-1115891836
                            • Opcode ID: 97aee72ff6c72179d07b6fee79d1c52bf4840d83196187cb81e3270487e243c2
                            • Instruction ID: cd03b910d30ecf031e582351f340fed2e2266b195dd1fdcb6122cfe31266ec79
                            • Opcode Fuzzy Hash: 97aee72ff6c72179d07b6fee79d1c52bf4840d83196187cb81e3270487e243c2
                            • Instruction Fuzzy Hash: 0B418571510508BACF11BFB5CD85DAE3A79EF45329B20423FF422B11E1DB3C8A519A6E

                            Control-flow Graph (entry block 405925-405970; rendered graph not reproduced)
                            APIs
                            • CreateDirectoryW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405968
                            • GetLastError.KERNEL32 ref: 0040597C
                            • SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 00405991
                            • GetLastError.KERNEL32 ref: 0040599B
                            Strings
                            • C:\Users\user\Desktop, xrefs: 00405925
                            • C:\Users\user\AppData\Local\Temp\, xrefs: 0040594B
                            Memory Dump Source
                            • Source File: 00000000.00000002.3824377564.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.3824364522.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824391373.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.00000000007C6000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824785053.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_Document_084462.jbxd
                            Similarity
                            • API ID: ErrorLast$CreateDirectoryFileSecurity
                            • String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop
                            • API String ID: 3449924974-4029896129
                            • Opcode ID: 79915fdb32ce531948ad707932686e2b3240d3ac97543659e1c0f9af800e449c
                            • Instruction ID: 4c6d3c4ce34384c56ae6b54862a6db5cebbf8231f9905efb0a53c4272bf1951e
                            • Opcode Fuzzy Hash: 79915fdb32ce531948ad707932686e2b3240d3ac97543659e1c0f9af800e449c
                            • Instruction Fuzzy Hash: E1011AB1C00219EADF009FA5DD44BEFBBB8EF04314F00803AD544B6190E7789648CFA9

                            Control-flow Graph (entry block 406773-406793; rendered graph not reproduced)
                            APIs
                            • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 0040678A
                            • wsprintfW.USER32 ref: 004067C5
                            • LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 004067D9
                            Memory Dump Source
                            • Source File: 00000000.00000002.3824377564.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.3824364522.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824391373.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.00000000007C6000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824785053.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_Document_084462.jbxd
                            Similarity
                            • API ID: DirectoryLibraryLoadSystemwsprintf
                            • String ID: %s%S.dll$UXTHEME$\
                            • API String ID: 2200240437-1946221925
                            • Opcode ID: 70474fd7a4f9c0ba06a591290262a653731ba096fd3a0e6ffa6d52d828e9795f
                            • Instruction ID: 038d7fed81a94acb9f8d17f6b302bf2205b26bc145b48260013954e6d266918a
                            • Opcode Fuzzy Hash: 70474fd7a4f9c0ba06a591290262a653731ba096fd3a0e6ffa6d52d828e9795f
                            • Instruction Fuzzy Hash: 65F0F670510119A7CF14AB64DD0DF9B376CAB40309F10047AA646F20D0EB7C9A68CBA8

                            Control-flow Graph (entry block 40324c-403263; rendered graph not reproduced)
                            Memory Dump Source
                            • Source File: 00000000.00000002.3824377564.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.3824364522.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824391373.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.00000000007C6000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824785053.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_Document_084462.jbxd
                            Similarity
                            • API ID: CountTick$wsprintf
                            • String ID: ... %d%%
                            • API String ID: 551687249-2449383134
                            • Opcode ID: 93e44d2671c096b7225e0ed32f8acedc4fb2cb11057b9db1c10a95020cbffac7
                            • Instruction ID: 008436f450556a42ebae23d461066e9f0811e1f15f23a2ec19415b9062137ceb
                            • Opcode Fuzzy Hash: 93e44d2671c096b7225e0ed32f8acedc4fb2cb11057b9db1c10a95020cbffac7
                            • Instruction Fuzzy Hash: 86516C71900219DBDB11DF65DA84B9F7FB8AF0076AF14417BE814B72C1C7789A40CBAA

                            Control-flow Graph (entry block 405f13-405f1f; rendered graph not reproduced)
                            APIs
                            • GetTickCount.KERNEL32 ref: 00405F31
                            • GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,"C:\Users\user\Desktop\Document_084462.scr.exe",004034A0,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004036EC), ref: 00405F4C
                            Strings
                            • nsa, xrefs: 00405F20
                            • C:\Users\user\AppData\Local\Temp\, xrefs: 00405F18
                            • "C:\Users\user\Desktop\Document_084462.scr.exe", xrefs: 00405F13
                            Memory Dump Source
                            • Source File: 00000000.00000002.3824377564.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.3824364522.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824391373.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.00000000007C6000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824785053.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_Document_084462.jbxd
                            Similarity
                            • API ID: CountFileNameTempTick
                            • String ID: "C:\Users\user\Desktop\Document_084462.scr.exe"$C:\Users\user\AppData\Local\Temp\$nsa
                            • API String ID: 1716503409-189465187
                            • Opcode ID: 418a87fb760587bef7583f4f3acae06d17b3011fc99645d3e11ea5bfcaa5fca8
                            • Instruction ID: 2ec416300cd5d099b763d3688cd3c506487cb406e2025687db32897a35dea38d
                            • Opcode Fuzzy Hash: 418a87fb760587bef7583f4f3acae06d17b3011fc99645d3e11ea5bfcaa5fca8
                            • Instruction Fuzzy Hash: 84F09676B00204BBDB008F55ED05E9FB7ACEB95750F10803AEA04F7140E6B499548B58

                            Control-flow Graph (entry block 402e41-402e6a; rendered graph not reproduced)
                            APIs
                            • RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402E95
                            • RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402EE1
                            • RegCloseKey.ADVAPI32(?,?,?), ref: 00402EEA
                            • RegDeleteKeyW.ADVAPI32(?,?), ref: 00402F01
                            • RegCloseKey.ADVAPI32(?,?,?), ref: 00402F0C
                            Memory Dump Source
                            • Source File: 00000000.00000002.3824377564.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.3824364522.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824391373.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.00000000007C6000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824785053.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_Document_084462.jbxd
                            Similarity
                            • API ID: CloseEnum$DeleteValue
                            • String ID:
                            • API String ID: 1354259210-0
                            • Opcode ID: 62b78b0d49bd01798b93cc74e08c59fab283fd11ef2de5059a0807e48668f6f6
                            • Instruction ID: 6d47fb934da24c9d717e5f7ce43986d94c12ea4066fa177ccbd406c8c521aae0
                            • Opcode Fuzzy Hash: 62b78b0d49bd01798b93cc74e08c59fab283fd11ef2de5059a0807e48668f6f6
                            • Instruction Fuzzy Hash: D1215A71500109BBDF129F90CE89EEF7A7DEB54348F110076F909B21A0E7B49E54AAA8

                            Control-flow Graph (entry block 6e331777-6e3317b6; rendered graph not reproduced)
                            APIs
                              • Part of subcall function 6E331B5F: GlobalFree.KERNEL32(?), ref: 6E331DD4
                              • Part of subcall function 6E331B5F: GlobalFree.KERNEL32(?), ref: 6E331DD9
                              • Part of subcall function 6E331B5F: GlobalFree.KERNEL32(?), ref: 6E331DDE
                            • GlobalFree.KERNEL32(00000000), ref: 6E331825
                            • FreeLibrary.KERNEL32(?), ref: 6E3318AB
                            • GlobalFree.KERNEL32(00000000), ref: 6E3318D0
                              • Part of subcall function 6E33239E: GlobalAlloc.KERNEL32(00000040,?), ref: 6E3323CF
                              • Part of subcall function 6E332770: GlobalAlloc.KERNEL32(00000040,00000000,?,?,00000000,?,?,?,6E3317F6,00000000), ref: 6E332840
                              • Part of subcall function 6E3315C6: wsprintfW.USER32 ref: 6E3315F4
                            Memory Dump Source
                            • Source File: 00000000.00000002.3831381006.000000006E331000.00000020.00000001.01000000.00000004.sdmp, Offset: 6E330000, based on PE: true
                            • Associated: 00000000.00000002.3831364303.000000006E330000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000000.00000002.3831397605.000000006E334000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000000.00000002.3831410720.000000006E336000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6e330000_Document_084462.jbxd
                            Similarity
                            • API ID: Global$Free$Alloc$Librarywsprintf
                            • String ID:
                            • API String ID: 3962662361-3916222277
                            • Opcode ID: 29fdcab808755a63144c5ec01cef8567f771525295fb38079d97dfe283001db4
                            • Instruction ID: 44578440811ae997e2d3cf152c3efdc0863ccaf4c7232dca882aa98eed592932
                            • Opcode Fuzzy Hash: 29fdcab808755a63144c5ec01cef8567f771525295fb38079d97dfe283001db4
                            • Instruction Fuzzy Hash: 254120714003E1AADF108FF49884FE637ACBF05314F3449A5F9959E086DBBA808CC7A0
                            APIs
                              • Part of subcall function 00405D6E: CharNextW.USER32(?,?,C:\Users\user\AppData\Local\Temp\nswD393.tmp,?,00405DE2,C:\Users\user\AppData\Local\Temp\nswD393.tmp,C:\Users\user\AppData\Local\Temp\nswD393.tmp, 4ou,?,C:\Users\user\AppData\Local\Temp\,00405B20,?,756F3420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405D7C
                              • Part of subcall function 00405D6E: CharNextW.USER32(00000000), ref: 00405D81
                              • Part of subcall function 00405D6E: CharNextW.USER32(00000000), ref: 00405D99
                            • GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161A
                              • Part of subcall function 00405925: CreateDirectoryW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405968
                            • SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\inspires,?,00000000,000000F0), ref: 0040164D
                            Strings
                            • C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\inspires, xrefs: 00401640
                            Memory Dump Source
                            • Source File: 00000000.00000002.3824377564.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000000.00000002.3824364522.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824391373.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007C6000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824785053.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_Document_084462.jbxd
                            Similarity
                            • API ID: CharNext$Directory$AttributesCreateCurrentFile
                            • String ID: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\inspires
                            • API String ID: 1892508949-99851308
                            • Opcode ID: 80fd5ec796b1b368ed682b76771a31175e10dfebd9dfd37df4bee3ba0698d93a
                            • Instruction ID: df70cc4d1a75ed244d2a997ae4edf05539497ac8b3a7dfb8588bf84231242a1b
                            • Opcode Fuzzy Hash: 80fd5ec796b1b368ed682b76771a31175e10dfebd9dfd37df4bee3ba0698d93a
                            • Instruction Fuzzy Hash: 2811E231504104EBCF206FA5CD4099F37B0EF25329B28493BEA11B12F1D63E4A819B5E
                            APIs
                            • GetModuleHandleW.KERNELBASE(00000000,?,000000F0), ref: 004020FB
                              • Part of subcall function 00405456: lstrlenW.KERNEL32(007A0F28,00000000,0079A700,756F23A0,?,?,?,?,?,?,?,?,?,0040338D,00000000,?), ref: 0040548E
                              • Part of subcall function 00405456: lstrlenW.KERNEL32(0040338D,007A0F28,00000000,0079A700,756F23A0,?,?,?,?,?,?,?,?,?,0040338D,00000000), ref: 0040549E
                              • Part of subcall function 00405456: lstrcatW.KERNEL32(007A0F28,0040338D,0040338D,007A0F28,00000000,0079A700,756F23A0), ref: 004054B1
                              • Part of subcall function 00405456: SetWindowTextW.USER32(007A0F28,007A0F28), ref: 004054C3
                              • Part of subcall function 00405456: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004054E9
                              • Part of subcall function 00405456: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405503
                              • Part of subcall function 00405456: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405511
                            • LoadLibraryExW.KERNEL32(00000000,?,00000008,?,000000F0), ref: 0040210C
                            • FreeLibrary.KERNEL32(?,?,000000F7,?,?,00000008,?,000000F0), ref: 00402189
                            Memory Dump Source
                            • Source File: 00000000.00000002.3824377564.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000000.00000002.3824364522.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824391373.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007C6000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824785053.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_Document_084462.jbxd
                            Similarity
                            • API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
                            • String ID:
                            • API String ID: 334405425-0
                            • Opcode ID: 5c833f01b377be5376766f2e6cb9e4f555552131171d122c413b7556d1d1ded2
                            • Instruction ID: a0686faca365a727748c0602422b19a99e1e577425e3ae8133f46283b43b75e6
                            • Opcode Fuzzy Hash: 5c833f01b377be5376766f2e6cb9e4f555552131171d122c413b7556d1d1ded2
                            • Instruction Fuzzy Hash: 63219671600104EBCF10AFA5CE49A9E7A71AF55358F70413BF515B91E0CBBD8E829A2E
                            APIs
                            • GlobalFree.KERNEL32(00000000), ref: 00401C0B
                            • GlobalAlloc.KERNELBASE(00000040,00000804), ref: 00401C1D
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.3824377564.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000000.00000002.3824364522.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824391373.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007C6000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824785053.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_Document_084462.jbxd
                            Similarity
                            • API ID: Global$AllocFree
                            • String ID: Call
                            • API String ID: 3394109436-1824292864
                            • Opcode ID: c08fe461fcbc7eb508863a6e274c322000732a28328c89134215c3cfb5836e23
                            • Instruction ID: 2334a48e4172ebb904b3f5af91f3a45bddc9a396230004d4704967bba2e99f69
                            • Opcode Fuzzy Hash: c08fe461fcbc7eb508863a6e274c322000732a28328c89134215c3cfb5836e23
                            • Instruction Fuzzy Hash: 822162736001109BDB20AF64DDC495A73B4AB18328725453BF952F72D0C6B8A8508BAD
                            APIs
                            • RegQueryValueExW.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,?,00000033), ref: 00402553
                            • RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nswD393.tmp,00000000,00000011,00000002), ref: 004025F5
                            Memory Dump Source
                            • Source File: 00000000.00000002.3824377564.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000000.00000002.3824364522.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824391373.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007C6000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824785053.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_Document_084462.jbxd
                            Similarity
                            • API ID: CloseQueryValue
                            • String ID:
                            • API String ID: 3356406503-0
                            • Opcode ID: c4931dbd72d9995d666128c08bbc003a5423e9f1551f9922d5dd2e0fdbfca249
                            • Instruction ID: ca3dd7d1b7a13d3c8a9a28b827632004175b2a1fd75c59dcebef83c1aa991e75
                            • Opcode Fuzzy Hash: c4931dbd72d9995d666128c08bbc003a5423e9f1551f9922d5dd2e0fdbfca249
                            • Instruction Fuzzy Hash: 00113AB1911219EBDF14DFA4DE589AEB774FF04354B20843BE402B62D0D7B88A44DB6E
                            APIs
                            • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                            • SendMessageW.USER32(00000402,00000402,00000000), ref: 004013F4
                            Memory Dump Source
                            • Source File: 00000000.00000002.3824377564.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000000.00000002.3824364522.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824391373.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007C6000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824785053.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_Document_084462.jbxd
                            Similarity
                            • API ID: MessageSend
                            • String ID:
                            • API String ID: 3850602802-0
                            • Opcode ID: 450ddb0a52dde23e6c3e7e65707e0a17b99b7c6dada291b67ac9213214883537
                            • Instruction ID: 3e9f44f44444eb33be3e1f1d809517d1ef13f380758e007b8d3e22890c14ce30
                            • Opcode Fuzzy Hash: 450ddb0a52dde23e6c3e7e65707e0a17b99b7c6dada291b67ac9213214883537
                            • Instruction Fuzzy Hash: 0301F432624220ABE7195B389D05B2A3698E751318F10C13FF855F6AF1EA78CC02DB4D
                            APIs
                            • RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 0040244E
                            • RegCloseKey.ADVAPI32(00000000), ref: 00402457
                            Memory Dump Source
                            • Source File: 00000000.00000002.3824377564.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000000.00000002.3824364522.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824391373.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007C6000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824785053.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_Document_084462.jbxd
                            Similarity
                            • API ID: CloseDeleteValue
                            • String ID:
                            • API String ID: 2831762973-0
                            • Opcode ID: d01278e6f8cc288e6040235642a3087c6766f337411ac542237e970b9f885c9a
                            • Instruction ID: b1f28ea4fe1f397702134e154a5d50ad3aafc71d487b2ad51b946e19fd30fa70
                            • Opcode Fuzzy Hash: d01278e6f8cc288e6040235642a3087c6766f337411ac542237e970b9f885c9a
                            • Instruction Fuzzy Hash: 3CF09672A00120ABDB10AFA89B4DAAE73B5AF45314F12443FF651B71C1DAFC5D01963E
                            APIs
                            • ShowWindow.USER32(00000000,00000000), ref: 00401EFC
                            • EnableWindow.USER32(00000000,00000000), ref: 00401F07
                            Memory Dump Source
                            • Source File: 00000000.00000002.3824377564.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000000.00000002.3824364522.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824391373.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007C6000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824785053.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_Document_084462.jbxd
                            Similarity
                            • API ID: Window$EnableShow
                            • String ID:
                            • API String ID: 1136574915-0
                            • Opcode ID: a206bc09d31208a55ef0f8a5c470fd50e96019e1354e9f0dd429e4c405301b30
                            • Instruction ID: a2c3742fa11dc5cf357e4fc2c1b39d3237f925362780464401897514ce5169fc
                            • Opcode Fuzzy Hash: a206bc09d31208a55ef0f8a5c470fd50e96019e1354e9f0dd429e4c405301b30
                            • Instruction Fuzzy Hash: 64E09A72A042009FD704EFA4AE488AEB3B4EB90325B20497FE401F20C1CBB85D00862E
                            APIs
                            Memory Dump Source
                            • Source File: 00000000.00000002.3824377564.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000000.00000002.3824364522.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824391373.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007C6000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824785053.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_Document_084462.jbxd
                            Similarity
                            • API ID: ShowWindow
                            • String ID:
                            • API String ID: 1268545403-0
                            • Opcode ID: ed0fba548ae3e193f0e5ef583f5be9fd2d24872a13bb97bcc89e0a3ab6842b84
                            • Instruction ID: b2fefa23d47a0510f6e3c17d58d1e446f1e854612225740054352d4863a47d08
                            • Opcode Fuzzy Hash: ed0fba548ae3e193f0e5ef583f5be9fd2d24872a13bb97bcc89e0a3ab6842b84
                            • Instruction Fuzzy Hash: 5CE0BF76B24114ABCB18DFA8ED90C6E77B6EB95310720847AE512B3690C679AD10CB68
                            APIs
                            • GetModuleHandleA.KERNEL32(?,00000020,?,00403514,0000000B), ref: 004067F5
                            • GetProcAddress.KERNEL32(00000000,?), ref: 00406810
                              • Part of subcall function 00406773: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 0040678A
                              • Part of subcall function 00406773: wsprintfW.USER32 ref: 004067C5
                              • Part of subcall function 00406773: LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 004067D9
                            Memory Dump Source
                            • Source File: 00000000.00000002.3824377564.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000000.00000002.3824364522.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824391373.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007C6000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824785053.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_Document_084462.jbxd
                            Similarity
                            • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                            • String ID:
                            • API String ID: 2547128583-0
                            • Opcode ID: 04b739db586b670126c7119b566f03dd1efc4ec82adb23a6bbf3e60323b3d7ce
                            • Instruction ID: 99a4bc67a8c43757839ce5658996565e88f4cb2ecc15aeea03f34014f97f3c52
                            • Opcode Fuzzy Hash: 04b739db586b670126c7119b566f03dd1efc4ec82adb23a6bbf3e60323b3d7ce
                            • Instruction Fuzzy Hash: F2E0863350521056E611AA719D44C7773AC9F89650307843EF946F2080D738DC31ABBD
                            APIs
                            • GetFileAttributesW.KERNELBASE(?,00403055,C:\Users\user\Desktop\Document_084462.scr.exe,80000000,00000003,?,00000007,00000009,0000000B), ref: 00405EE8
                            • CreateFileW.KERNELBASE(?,?,?,00000000,?,00000001,00000000,?,00000007,00000009,0000000B), ref: 00405F0A
                            Memory Dump Source
                            • Source File: 00000000.00000002.3824377564.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_Document_084462.jbxd
                            Similarity
                            • API ID: File$AttributesCreate
                            • String ID:
                            • API String ID: 415043291-0
                            • Opcode ID: 080dfadfdaad2818d5b04c51cfada36c475993ea7ffea5996e238fb5a0e3a6c4
                            • Instruction ID: 1030bc0f2bf25390ef9c6131bda9d6cfedcac9e68b753c15eded60bf4a570351
                            • Opcode Fuzzy Hash: 080dfadfdaad2818d5b04c51cfada36c475993ea7ffea5996e238fb5a0e3a6c4
                            • Instruction Fuzzy Hash: 5ED09E31254201AFEF098F20DE16F2E7BA2EB94B04F11552CB786941E0DAB15C199B15
                            APIs
                            • GetFileAttributesW.KERNELBASE(?,?,00405AC4,?,?,00000000,00405C9A,?,?,?,?), ref: 00405EC4
                            • SetFileAttributesW.KERNEL32(?,00000000), ref: 00405ED8
                            Memory Dump Source
                            • Source File: 00000000.00000002.3824377564.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_Document_084462.jbxd
                            Similarity
                            • API ID: AttributesFile
                            • String ID:
                            • API String ID: 3188754299-0
                            • Opcode ID: a764032cc0ce64e7f87df91ab84dfb27e8fca44cfd77f22972d2dc2d25b91850
                            • Instruction ID: 9f802252afbb128bb6d2778500f244350c46036787b5d1505cff2c7139ff2394
                            • Opcode Fuzzy Hash: a764032cc0ce64e7f87df91ab84dfb27e8fca44cfd77f22972d2dc2d25b91850
                            • Instruction Fuzzy Hash: 3CD0C9725055306BC2102728EE0C89BBB55EB64271B114A35F9A5A62B0CB304C528A98
                            APIs
                            • CreateDirectoryW.KERNELBASE(?,00000000,00403495,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004036EC,?,00000007,00000009,0000000B), ref: 004059A8
                            • GetLastError.KERNEL32(?,00000007,00000009,0000000B), ref: 004059B6
                            Memory Dump Source
                            • Source File: 00000000.00000002.3824377564.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_Document_084462.jbxd
                            Similarity
                            • API ID: CreateDirectoryErrorLast
                            • String ID:
                            • API String ID: 1375471231-0
                            • Opcode ID: a5afa482e644e9a10fedfab033ae5dbb8931bf23a9e1c5533d9f8c1a63861871
                            • Instruction ID: 379133542b1e1e7011c0d69b4b2ae41cc98c6aec5a22f3063a42931ced3e53c7
                            • Opcode Fuzzy Hash: a5afa482e644e9a10fedfab033ae5dbb8931bf23a9e1c5533d9f8c1a63861871
                            • Instruction Fuzzy Hash: 1EC04C71205502EEF6115B20DF48B1B7A909B50751F16843DA146E01E4DE389455D92D
                            APIs
                            • ReadFile.KERNELBASE(00000000), ref: 6E332BB7
                            Memory Dump Source
                            • Source File: 00000000.00000002.3831381006.000000006E331000.00000020.00000001.01000000.00000004.sdmp, Offset: 6E330000, based on PE: true
                            • Associated: 00000000.00000002.3831364303.000000006E330000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000000.00000002.3831397605.000000006E334000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000000.00000002.3831410720.000000006E336000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6e330000_Document_084462.jbxd
                            Similarity
                            • API ID: FileRead
                            • String ID:
                            • API String ID: 2738559852-0
                            • Opcode ID: cbf354efa8f4e08f5f5fcb1bea77d9b315f3049072865f14d01c76956447d184
                            • Instruction ID: 1243ad785978172b0972ba0a0b1d5fb08e1acb33ec41a45cccf9a748e0a0a2fd
                            • Opcode Fuzzy Hash: cbf354efa8f4e08f5f5fcb1bea77d9b315f3049072865f14d01c76956447d184
                            • Instruction Fuzzy Hash: B6414BB1904AE4EFDB209FE4DA84F9977BCEB46319F308865E94487210DB3A9581CBD1
                            APIs
                            • ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,?,?,00403457,00000000,00000000,0040329E,?,00000004,00000000,00000000,00000000), ref: 00405F7B
                            Memory Dump Source
                            • Source File: 00000000.00000002.3824377564.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_Document_084462.jbxd
                            Similarity
                            • API ID: FileRead
                            • String ID:
                            • API String ID: 2738559852-0
                            • Opcode ID: 0024165f2f5d2011be9120f41fe866c54f7b8e58de784a1218c53157080e4b8c
                            • Instruction ID: e146fa180a083be72d256ad1b428d57881e9eb39a1326beaade4420b40277b6a
                            • Opcode Fuzzy Hash: 0024165f2f5d2011be9120f41fe866c54f7b8e58de784a1218c53157080e4b8c
                            • Instruction Fuzzy Hash: E7E0EC3221065BAFDF10AEA59C04EFB7B6CEB05360F004836FD55E6150D635E9219BA8
                            APIs
                            • WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,?,?,0040340D,000000FF,00793700,?,00793700,?,?,00000004,00000000), ref: 00405FAA
                            Memory Dump Source
                            • Source File: 00000000.00000002.3824377564.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_Document_084462.jbxd
                            Similarity
                            • API ID: FileWrite
                            • String ID:
                            • API String ID: 3934441357-0
                            • Opcode ID: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
                            • Instruction ID: df8aade711aef2fea4c6cc03ed90c08959c6261ddae8de931081f7d2433cde5f
                            • Opcode Fuzzy Hash: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
                            • Instruction Fuzzy Hash: 96E08C3221021AEBDF109E608C00AEB7B6CEB00360F004433FA24E3150D634E8218BA8
                            APIs
                            • VirtualProtect.KERNELBASE(6E33505C,00000004,00000040,6E33504C), ref: 6E3329FD
                            Memory Dump Source
                            • Source File: 00000000.00000002.3831381006.000000006E331000.00000020.00000001.01000000.00000004.sdmp, Offset: 6E330000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6e330000_Document_084462.jbxd
                            Similarity
                            • API ID: ProtectVirtual
                            • String ID:
                            • API String ID: 544645111-0
                            • Opcode ID: ea34945edfd2734dc88a4498523447bea86f963c88ee9e2bf4661b4750bbff51
                            • Instruction ID: 955a2e4b83042ede732c7b76976d96fcfd022621f023099d7dc38084542d758b
                            • Opcode Fuzzy Hash: ea34945edfd2734dc88a4498523447bea86f963c88ee9e2bf4661b4750bbff51
                            • Instruction Fuzzy Hash: C1F092F0519AC0FECB70CF688584F093BE8B70A305F3049AAE148D6240E3364488CF91
                            APIs
                            • RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,?,?,007A0F28,?,?,004062E9,007A0F28,00000000,?,?,Call,?), ref: 0040627F
                            Memory Dump Source
                            • Source File: 00000000.00000002.3824377564.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_Document_084462.jbxd
                            Similarity
                            • API ID: Open
                            • String ID:
                            • API String ID: 71445658-0
                            • Opcode ID: dcd566976f3bef00ddda20b11fb2537fa700d8cbfb920dfffbe2909342267143
                            • Instruction ID: 981b209bfbc59ad728c3152e24748ded8346fc425447e23afb42b8d85bc6dac1
                            • Opcode Fuzzy Hash: dcd566976f3bef00ddda20b11fb2537fa700d8cbfb920dfffbe2909342267143
                            • Instruction Fuzzy Hash: 35D0123200020DBBDF11AF90ED05FAB372DAB08350F014426FE06A4091D775D530A728
                            APIs
                            • SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004043A2
                            Memory Dump Source
                            • Source File: 00000000.00000002.3824377564.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_Document_084462.jbxd
                            Similarity
                            • API ID: MessageSend
                            • String ID:
                            • API String ID: 3850602802-0
                            • Opcode ID: 749224e8f98fb78827d13f0d237c1790e640dc60b1af624d5aad8e7e956e5cea
                            • Instruction ID: 2ab46fc48b107f7ec410a0490fc1e10939948660fe742cc14426a6f165494095
                            • Opcode Fuzzy Hash: 749224e8f98fb78827d13f0d237c1790e640dc60b1af624d5aad8e7e956e5cea
                            • Instruction Fuzzy Hash: 26C04C75784700BADA149B549E45F0677546B90701F158429B641A50D0CA78D410DA2C
                            APIs
                            • SetFilePointer.KERNELBASE(?,00000000,00000000,004031DA,?,?,00000007,00000009,0000000B), ref: 00403468
                            Memory Dump Source
                            • Source File: 00000000.00000002.3824377564.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_Document_084462.jbxd
                            Similarity
                            • API ID: FilePointer
                            • String ID:
                            • API String ID: 973152223-0
                            • Opcode ID: e1e4f0b9cbde4cef3e4374ef9de0ac4f9a9ec0cef6a377cf2568efe91b529ef4
                            • Instruction ID: 036c8468b6dd2e012b37e6e875261c5f60c7cf4634656b07e897873a541603b6
                            • Opcode Fuzzy Hash: e1e4f0b9cbde4cef3e4374ef9de0ac4f9a9ec0cef6a377cf2568efe91b529ef4
                            • Instruction Fuzzy Hash: 1FB01231140304BFDA214F10DF09F067B21BB94700F20C034B384380F086711435EB0D
                            APIs
                            • SendMessageW.USER32(00000028,?,?,004041A4), ref: 00404387
                            Memory Dump Source
                            • Source File: 00000000.00000002.3824377564.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000000.00000002.3824364522.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824391373.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007C6000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824785053.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_Document_084462.jbxd
                            Similarity
                            • API ID: MessageSend
                            • String ID:
                            • API String ID: 3850602802-0
                            • Opcode ID: 33429e90f145919918c0f5a16300b6ae2cb664e9c61a266d81822a9c1fb78e21
                            • Instruction ID: 9ccc480ae856a8f761d654a46a9a0801f91457f8e33b58f107ae6609e89c6df3
                            • Opcode Fuzzy Hash: 33429e90f145919918c0f5a16300b6ae2cb664e9c61a266d81822a9c1fb78e21
                            • Instruction Fuzzy Hash: 51B09235181A00AADE914B00DE09F457A62A7A4701F00C029B241240B4CAB200A4DB0A
                            APIs
                            • KiUserCallbackDispatcher.NTDLL(?,0040413D), ref: 00404370
                            Memory Dump Source
                            • Source File: 00000000.00000002.3824377564.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000000.00000002.3824364522.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824391373.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007C6000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824785053.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_Document_084462.jbxd
                            Similarity
                            • API ID: CallbackDispatcherUser
                            • String ID:
                            • API String ID: 2492992576-0
                            • Opcode ID: fb2bbd85db119072699d8509dbb0c67ddc0fed6d182cd9e62e167e16add427de
                            • Instruction ID: f32ebe17383345fd09930a0b12515434b8b37a693fa3d318b2a69664ac7713bd
                            • Opcode Fuzzy Hash: fb2bbd85db119072699d8509dbb0c67ddc0fed6d182cd9e62e167e16add427de
                            • Instruction Fuzzy Hash: 97A00176405540AFEE029B61EF09D4ABB72ABA9701B4185B9A286A0034CB364860EB1D
                            APIs
                            • Sleep.KERNELBASE(00000000), ref: 004014EA
                            Memory Dump Source
                            • Source File: 00000000.00000002.3824377564.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000000.00000002.3824364522.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824391373.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007C6000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824785053.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_Document_084462.jbxd
                            Similarity
                            • API ID: Sleep
                            • String ID:
                            • API String ID: 3472027048-0
                            • Opcode ID: 105fb3db34f0ab7e38f6648118bc74ea061e25b53dce703b88c99de24f5127b8
                            • Instruction ID: a18cf0c9a9b021ee27972f2e0a35f90bb7c2f66644072f7244457554decb08b2
                            • Opcode Fuzzy Hash: 105fb3db34f0ab7e38f6648118bc74ea061e25b53dce703b88c99de24f5127b8
                            • Instruction Fuzzy Hash: 0AD05EB3A201008BC700DFB8BE8545E73B8EA903193308837D452E2091E6B889518629
                            APIs
                            • GetDlgItem.USER32(?,000003FB), ref: 00404884
                            • SetWindowTextW.USER32(00000000,-007A9000), ref: 004048AE
                            • SHBrowseForFolderW.SHELL32(?), ref: 0040495F
                            • CoTaskMemFree.OLE32(00000000), ref: 0040496A
                            • lstrcmpiW.KERNEL32(Call,007A1F48,00000000,?,-007A9000), ref: 0040499C
                            • lstrcatW.KERNEL32(-007A9000,Call), ref: 004049A8
                            • SetDlgItemTextW.USER32(?,000003FB,-007A9000), ref: 004049BA
                              • Part of subcall function 00405A38: GetDlgItemTextW.USER32(?,?,00000400,004049F1), ref: 00405A4B
                              • Part of subcall function 0040669D: CharNextW.USER32(?,*?|<>/":,00000000,00000000,756F3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Document_084462.scr.exe",0040347D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004036EC,?,00000007,00000009,0000000B), ref: 00406700
                              • Part of subcall function 0040669D: CharNextW.USER32(?,?,?,00000000,?,00000007,00000009,0000000B), ref: 0040670F
                              • Part of subcall function 0040669D: CharNextW.USER32(?,00000000,756F3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Document_084462.scr.exe",0040347D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004036EC,?,00000007,00000009,0000000B), ref: 00406714
                              • Part of subcall function 0040669D: CharPrevW.USER32(?,?,756F3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Document_084462.scr.exe",0040347D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004036EC,?,00000007,00000009,0000000B), ref: 00406727
                            • GetDiskFreeSpaceW.KERNEL32(0079FF18,?,?,0000040F,?,0079FF18,0079FF18,-007A9000,?,0079FF18,-007A9000,-007A9000,000003FB,-007A9000), ref: 00404A7D
                            • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404A98
                              • Part of subcall function 00404BF1: lstrlenW.KERNEL32(007A1F48,007A1F48,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,-007A9000), ref: 00404C92
                              • Part of subcall function 00404BF1: wsprintfW.USER32 ref: 00404C9B
                              • Part of subcall function 00404BF1: SetDlgItemTextW.USER32(?,007A1F48), ref: 00404CAE
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.3824377564.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000000.00000002.3824364522.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824391373.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007C6000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824785053.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_Document_084462.jbxd
                            Similarity
                            • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                            • String ID: A$C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\inspires$Call
                            • API String ID: 2624150263-3274330998
                            • Opcode ID: d6791cdbf7c3281003b221a05808b40c9ad422951b6e996bdb0757aefb9ec102
                            • Instruction ID: 411b0bed4dd1c8854bcfe70218cd405116d93f5cc49f5f9e093397eef6854a11
                            • Opcode Fuzzy Hash: d6791cdbf7c3281003b221a05808b40c9ad422951b6e996bdb0757aefb9ec102
                            • Instruction Fuzzy Hash: 78A17FB1A00209ABDB11EFA5CD81AAF77B8EF84314F10843BF601B62D1D77C99418F69
                            APIs
                            • CoCreateInstance.OLE32(004084E4,?,?,004084D4,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402221
                            Strings
                            • C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\inspires, xrefs: 00402261
                            Memory Dump Source
                            • Source File: 00000000.00000002.3824377564.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000000.00000002.3824364522.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824391373.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007C6000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824785053.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_Document_084462.jbxd
                            Similarity
                            • API ID: CreateInstance
                            • String ID: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\inspires
                            • API String ID: 542301482-99851308
                            • Opcode ID: b4712aa48105cc69b095c3f87a81c369142c56c2de636fbf5eab3f9b3d428366
                            • Instruction ID: 318f5a272383e4943f9a7a1f828131c4cf43be91e798f39f03958dcf779540d2
                            • Opcode Fuzzy Hash: b4712aa48105cc69b095c3f87a81c369142c56c2de636fbf5eab3f9b3d428366
                            • Instruction Fuzzy Hash: 67412771A00208AFCF00DFE4C989A9E7BB6FF48304B2045AAF515EB2D1DB799981CB54
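The per-function listings above record, for each recovered function, the imported call, the exporting module, the argument values Joe Sandbox could recover, the call-site address ("ref:"), any calls reached through a subcall ("Part of subcall function"), and the strings the function references ("xrefs:"). When triaging many such functions it helps to pull those lines into structured records rather than reading them by eye. The following Python is an added example, not Joe Sandbox code and not a documented export format: it parses a constructed sample assembled from the SHBrowseForFolderW function and the CoCreateInstance function above, tallies calls per module, flags referenced paths under autostart folders (the report's "Stores files to the Windows start menu directory" signature corresponds to the Start Menu\inspires string), and looks up a watch-list of API names. The PERSISTENCE_MARKERS tuple and the watch-list are assumptions chosen for illustration, and the argument split is naive (an argument containing a comma would be cut).

```python
import re
from collections import Counter

# Constructed sample input (not a full report): a handful of "APIs" and
# "Strings" lines in the shape Joe Sandbox prints for one function in the
# listing: bullets, an optional "Part of subcall function XXXXXXXX:" prefix,
# "ref:" / "xrefs:" suffixes, and one call printed without an argument list.
SAMPLE_BLOCK = r"""
APIs
• GetDlgItem.USER32(?,000003FB), ref: 00404884
• SetWindowTextW.USER32(00000000,-007A9000), ref: 004048AE
• SHBrowseForFolderW.SHELL32(?), ref: 0040495F
  • Part of subcall function 00405A38: GetDlgItemTextW.USER32(?,?,00000400,004049F1), ref: 00405A4B
• GetDiskFreeSpaceW.KERNEL32(0079FF18,?,?,0000040F), ref: 00404A7D
  • Part of subcall function 00404BF1: wsprintfW.USER32 ref: 00404C9B
Strings
• C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\inspires, xrefs: 00402261
Memory Dump Source
• Source File: 00000000.00000002.3824377564.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
"""

# One API bullet: [Part of subcall function <addr>:] <Api>.<MODULE>[(<args>)], ref: <addr>
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$",
    re.IGNORECASE,
)
# One Strings bullet: <string>, xrefs: <addr>
STR_RE = re.compile(r"^\s*•\s*(?P<s>.*?),\s*xrefs:\s*(?P<ref>[0-9A-F]{8})\s*$", re.IGNORECASE)

# Assumed folders whose presence in a referenced path deserves a second look;
# the report's own "Stores files to the Windows start menu directory" signature
# is the first case.
PERSISTENCE_MARKERS = ("\\Start Menu\\", "\\Startup\\")


def parse_function_block(text):
    """Parse one function's listing into API call records and string references."""
    section, apis, strings = None, [], []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        if not stripped.startswith("•"):
            section = stripped          # "APIs", "Strings", "Memory Dump Source", ...
            continue
        if section == "APIs":
            m = API_RE.match(line)
            if m:
                args = m.group("args")
                apis.append({
                    "api": m.group("api"),
                    "module": m.group("mod").upper(),
                    # naive split: an argument that itself contains a comma would be cut
                    "args": [] if args is None else args.split(","),
                    "ref": m.group("ref").upper(),
                    "subcall": m.group("sub").upper() if m.group("sub") else None,
                })
        elif section == "Strings":
            m = STR_RE.match(line)
            if m:
                strings.append({"string": m.group("s"), "ref": m.group("ref").upper()})
    return {"apis": apis, "strings": strings}


def module_histogram(block, direct_only=False):
    """Count calls per exporting module; direct_only skips 'Part of subcall' entries."""
    return Counter(rec["module"] for rec in block["apis"]
                   if not (direct_only and rec["subcall"]))


def persistence_strings(block):
    """Return referenced strings that point into an autostart location."""
    return [rec["string"] for rec in block["strings"]
            if any(marker in rec["string"] for marker in PERSISTENCE_MARKERS)]


def find_apis(block, names):
    """Return the call records whose API name is on the watch-list (case-insensitive)."""
    wanted = {n.lower() for n in names}
    return [rec for rec in block["apis"] if rec["api"].lower() in wanted]


if __name__ == "__main__":
    blk = parse_function_block(SAMPLE_BLOCK)
    for rec in blk["apis"]:
        print(rec["ref"], rec["api"], rec["module"], rec["args"], rec["subcall"])
    print(module_histogram(blk), module_histogram(blk, direct_only=True))
    print(persistence_strings(blk))
    print([r["api"] for r in find_apis(blk, ["SHBrowseForFolderW", "Sleep"])])
```

Feeding the whole function listing of a report through parse_function_block one block at a time gives a table that can be grepped for the module mix and for the strings a function touches, which is quicker than scrolling the rendered page when the interesting entries (here the Start Menu path and the Sleep call) are spread across hundreds of functions.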
                            APIs
                            • FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 00402911
                            Memory Dump Source
                            • Source File: 00000000.00000002.3824377564.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000000.00000002.3824364522.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824391373.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007C6000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824785053.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_Document_084462.jbxd
                            Similarity
                            • API ID: FileFindFirst
                            • String ID:
                            • API String ID: 1974802433-0
                            • Opcode ID: 9f6b3688567407df88bc885cd05bd46b036fdb5e920d3cf82a61260b0db69743
                            • Instruction ID: c1f6bc4fbd4392edc64dd94dfb26af21a0adc514685abdce03c7c09792edecab
                            • Opcode Fuzzy Hash: 9f6b3688567407df88bc885cd05bd46b036fdb5e920d3cf82a61260b0db69743
                            • Instruction Fuzzy Hash: FAF08CB1A00104ABC700DFA4DD499AEB378EF10324F70857BE911F21E0D7B89E109B3A
                            APIs
                            • GetDlgItem.USER32(?,000003F9), ref: 00404DC8
                            • GetDlgItem.USER32(?,00000408), ref: 00404DD5
                            • GlobalAlloc.KERNEL32(00000040,?), ref: 00404E21
                            • LoadImageW.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 00404E38
                            • SetWindowLongW.USER32(?,000000FC,004053CA), ref: 00404E52
                            • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404E66
                            • ImageList_AddMasked.COMCTL32(00000000,00000110,00FF00FF), ref: 00404E7A
                            • SendMessageW.USER32(?,00001109,00000002), ref: 00404E8F
                            • SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404E9B
                            • SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404EAD
                            • DeleteObject.GDI32(00000110), ref: 00404EB2
                            • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404EDD
                            • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404EE9
                            • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404F84
                            • SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 00404FB4
                              • Part of subcall function 00404379: SendMessageW.USER32(00000028,?,?,004041A4), ref: 00404387
                            • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404FC8
                            • GetWindowLongW.USER32(?,000000F0), ref: 00404FF6
                            • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00405004
                            • ShowWindow.USER32(?,00000005), ref: 00405014
                            • SendMessageW.USER32(?,00000419,00000000,?), ref: 00405115
                            • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00405177
                            • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 0040518C
                            • SendMessageW.USER32(?,00000420,00000000,00000020), ref: 004051B0
                            • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 004051D3
                            • ImageList_Destroy.COMCTL32(?), ref: 004051E8
                            • GlobalFree.KERNEL32(?), ref: 004051F8
                            • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00405271
                            • SendMessageW.USER32(?,00001102,?,?), ref: 0040531A
                            • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00405329
                            • InvalidateRect.USER32(?,00000000,?), ref: 00405353
                            • ShowWindow.USER32(?,00000000), ref: 004053A1
                            • GetDlgItem.USER32(?,000003FE), ref: 004053AC
                            • ShowWindow.USER32(00000000), ref: 004053B3
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.3824377564.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000000.00000002.3824364522.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824391373.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007C6000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824785053.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_Document_084462.jbxd
                            Similarity
                            • API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                            • String ID: $M$N
                            • API String ID: 2564846305-813528018
                            • Opcode ID: c3ac8b7f72e1706bd9280966f96f37ce41592bed6db73bdefb319f52e69f62e5
                            • Instruction ID: 7baa9a5517a4605733e15ddb68db2cf5b5f1e79b3ae63259faab1fa91bacf49a
                            • Opcode Fuzzy Hash: c3ac8b7f72e1706bd9280966f96f37ce41592bed6db73bdefb319f52e69f62e5
                            • Instruction Fuzzy Hash: 24127A70900609EFDB20CF65CC45AAF7BB5FB85314F10817AEA10BA2E1DB798951DF58
                            APIs
                            • CheckDlgButton.USER32(?,-0000040A,?), ref: 004045A1
                            • GetDlgItem.USER32(?,000003E8), ref: 004045B5
                            • SendMessageW.USER32(00000000,0000045B,?,00000000), ref: 004045D2
                            • GetSysColor.USER32(?), ref: 004045E3
                            • SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004045F1
                            • SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004045FF
                            • lstrlenW.KERNEL32(?), ref: 00404604
                            • SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 00404611
                            • SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 00404626
                            • GetDlgItem.USER32(?,0000040A), ref: 0040467F
                            • SendMessageW.USER32(00000000), ref: 00404686
                            • GetDlgItem.USER32(?,000003E8), ref: 004046B1
                            • SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 004046F4
                            • LoadCursorW.USER32(00000000,00007F02), ref: 00404702
                            • SetCursor.USER32(00000000), ref: 00404705
                            • LoadCursorW.USER32(00000000,00007F00), ref: 0040471E
                            • SetCursor.USER32(00000000), ref: 00404721
                            • SendMessageW.USER32(00000111,?,00000000), ref: 00404750
                            • SendMessageW.USER32(00000010,00000000,00000000), ref: 00404762
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.3824377564.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000000.00000002.3824364522.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824391373.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007C6000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824785053.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_Document_084462.jbxd
                            Similarity
                            • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
                            • String ID: Call$N$zD@
                            • API String ID: 3103080414-4182535457
                            • Opcode ID: edd6e1ed575ff481441806d0cdfc4cc3cbf57af2bc668ca3fdfe935b7b56bb3e
                            • Instruction ID: a130e1d57a17a91ade9f3fb54c611fa5fc44c03720afd6b67d12dead6e9fe9b9
                            • Opcode Fuzzy Hash: edd6e1ed575ff481441806d0cdfc4cc3cbf57af2bc668ca3fdfe935b7b56bb3e
                            • Instruction Fuzzy Hash: 3D6181B1900209BFDB10AF60DD85E6A7BA9FB85354F00803AFB05B72D1C778A951CF99
                            APIs
                            • CloseHandle.KERNEL32(00000000,?,00000000,?,?,00000000,?,?,004061D5,?,?), ref: 00406075
                            • GetShortPathNameW.KERNEL32(?,007A55E8,00000400), ref: 0040607E
                              • Part of subcall function 00405E49: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,0040612E,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E59
                              • Part of subcall function 00405E49: lstrlenA.KERNEL32(00000000,?,00000000,0040612E,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E8B
                            • GetShortPathNameW.KERNEL32(?,007A5DE8,00000400), ref: 0040609B
                            • wsprintfA.USER32 ref: 004060B9
                            • GetFileSize.KERNEL32(00000000,00000000,007A5DE8,C0000000,00000004,007A5DE8,?,?,?,?,?), ref: 004060F4
                            • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00406103
                            • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 0040613B
                            • SetFilePointer.KERNEL32(0040A580,00000000,00000000,00000000,00000000,007A51E8,00000000,-0000000A,0040A580,00000000,[Rename],00000000,00000000,00000000), ref: 00406191
                            • GlobalFree.KERNEL32(00000000), ref: 004061A2
                            • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 004061A9
                              • Part of subcall function 00405EE4: GetFileAttributesW.KERNELBASE(?,00403055,C:\Users\user\Desktop\Document_084462.scr.exe,80000000,00000003,?,00000007,00000009,0000000B), ref: 00405EE8
                              • Part of subcall function 00405EE4: CreateFileW.KERNELBASE(?,?,?,00000000,?,00000001,00000000,?,00000007,00000009,0000000B), ref: 00405F0A
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.3824377564.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000000.00000002.3824364522.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824391373.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007C6000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824785053.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_Document_084462.jbxd
                            Similarity
                            • API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
                            • String ID: %ls=%ls$[Rename]$Uz$]z$]z
                            • API String ID: 2171350718-2304911260
                            • Opcode ID: 0ed23fd09f20e9f0b0e4ce5e0ebdd9c0c92abb0a06c9999cd82c312b58dee0fa
                            • Instruction ID: 03fe7b931bffc2b02635af9c10f4e714808f3729e90155368a1b4a6ed52067ca
                            • Opcode Fuzzy Hash: 0ed23fd09f20e9f0b0e4ce5e0ebdd9c0c92abb0a06c9999cd82c312b58dee0fa
                            • Instruction Fuzzy Hash: 44312370600B05BFD6206B618D48F6B3A6CDF86744F15013AFD42FA2C3DA3C99218ABD
                            APIs
                            • DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
                            • BeginPaint.USER32(?,?), ref: 00401047
                            • GetClientRect.USER32(?,?), ref: 0040105B
                            • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                            • FillRect.USER32(00000000,?,00000000), ref: 004010E4
                            • DeleteObject.GDI32(?), ref: 004010ED
                            • CreateFontIndirectW.GDI32(?), ref: 00401105
                            • SetBkMode.GDI32(00000000,?), ref: 00401126
                            • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                            • SelectObject.GDI32(00000000,?), ref: 00401140
                            • DrawTextW.USER32(00000000,007A7A60,000000FF,00000010,00000820), ref: 00401156
                            • SelectObject.GDI32(00000000,00000000), ref: 00401160
                            • DeleteObject.GDI32(?), ref: 00401165
                            • EndPaint.USER32(?,?), ref: 0040116E
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.3824377564.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000000.00000002.3824364522.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824391373.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007C6000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824785053.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_Document_084462.jbxd
                            Similarity
                            • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                            • String ID: F
                            • API String ID: 941294808-1304234792
                            • Opcode ID: 88f198494482b5c6c442ae986b6c1e2dc60a71cbe67cc352e3a5a4066e9850df
                            • Instruction ID: d956376f91ba3d110af617c57d1628f0fb3f6748c3ab60faf4ed9a16e53922cc
                            • Opcode Fuzzy Hash: 88f198494482b5c6c442ae986b6c1e2dc60a71cbe67cc352e3a5a4066e9850df
                            • Instruction Fuzzy Hash: 78418B71800209AFCF058FA5CE459AF7BB9FF45315F00802AF991AA1A0CB389A55DFA4
                            APIs
                            • CharNextW.USER32(?,*?|<>/":,00000000,00000000,756F3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Document_084462.scr.exe",0040347D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004036EC,?,00000007,00000009,0000000B), ref: 00406700
                            • CharNextW.USER32(?,?,?,00000000,?,00000007,00000009,0000000B), ref: 0040670F
                            • CharNextW.USER32(?,00000000,756F3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Document_084462.scr.exe",0040347D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004036EC,?,00000007,00000009,0000000B), ref: 00406714
                            • CharPrevW.USER32(?,?,756F3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Document_084462.scr.exe",0040347D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004036EC,?,00000007,00000009,0000000B), ref: 00406727
                            Strings
                            • *?|<>/":, xrefs: 004066EF
                            • C:\Users\user\AppData\Local\Temp\, xrefs: 0040669E
                            • "C:\Users\user\Desktop\Document_084462.scr.exe", xrefs: 0040669D
                            Memory Dump Source
                            • Source File: 00000000.00000002.3824377564.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000000.00000002.3824364522.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824391373.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007C6000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824785053.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_Document_084462.jbxd
                            Similarity
                            • API ID: Char$Next$Prev
                            • String ID: "C:\Users\user\Desktop\Document_084462.scr.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
                            • API String ID: 589700163-212961211
                            • Opcode ID: 9ddbb9e18cbe24282ce487244f484090ca5dfb24375496ba9be4fccf49263134
                            • Instruction ID: 12c80e2bf748d1a62cb3884e1ae38c2d534281e125f75e63bd15dfe73c9398b2
                            • Opcode Fuzzy Hash: 9ddbb9e18cbe24282ce487244f484090ca5dfb24375496ba9be4fccf49263134
                            • Instruction Fuzzy Hash: E711EB15800A1255DB303B148C84A7763F8EF947A4F56443FED86732C0E77D4C9286BD
                            APIs
                            • GetWindowLongW.USER32(?,000000EB), ref: 004043C8
                            • GetSysColor.USER32(00000000), ref: 00404406
                            • SetTextColor.GDI32(?,00000000), ref: 00404412
                            • SetBkMode.GDI32(?,?), ref: 0040441E
                            • GetSysColor.USER32(?), ref: 00404431
                            • SetBkColor.GDI32(?,?), ref: 00404441
                            • DeleteObject.GDI32(?), ref: 0040445B
                            • CreateBrushIndirect.GDI32(?), ref: 00404465
                            Memory Dump Source
                            • Source File: 00000000.00000002.3824377564.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000000.00000002.3824364522.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824391373.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007C6000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824785053.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_Document_084462.jbxd
                            Similarity
                            • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                            • String ID:
                            • API String ID: 2320649405-0
                            • Opcode ID: 288dbcc7c85f11a55b3e08142a2a7aff64d3670202badf385cb57de10b60d8c1
                            • Instruction ID: 7fe0b9bd09f79c55d2aa0e3576d5328f94b18663b05207f77db8afc097fd36db
                            • Opcode Fuzzy Hash: 288dbcc7c85f11a55b3e08142a2a7aff64d3670202badf385cb57de10b60d8c1
                            • Instruction Fuzzy Hash: F62174B15007049BCB319F78D948F5BBBF8AF80714B048A3EE9D2A26E1C734E905CB58
                            APIs
                            • ReadFile.KERNEL32(?,?,?,?), ref: 00402750
                            • MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,?), ref: 0040278B
                            • SetFilePointer.KERNEL32(?,?,?,?,?,00000008,?,?,?,?), ref: 004027AE
                            • MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,?,?,?,?,00000008,?,?,?,?), ref: 004027C4
                              • Part of subcall function 00405FC5: SetFilePointer.KERNEL32(?,00000000,00000000,?), ref: 00405FDB
                            • SetFilePointer.KERNEL32(?,?,?,?,?,?,00000002), ref: 00402870
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.3824377564.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000000.00000002.3824364522.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824391373.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007C6000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824785053.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_Document_084462.jbxd
                            Similarity
                            • API ID: File$Pointer$ByteCharMultiWide$Read
                            • String ID: 9
                            • API String ID: 163830602-2366072709
                            • Opcode ID: 9ec651210d820e9b24df916f481368169d6e1ca8bc1240ea0af3f2247977670f
                            • Instruction ID: d74bd8ffb6d519048d690203a29de729842be89db78b0864c200dffe12222895
                            • Opcode Fuzzy Hash: 9ec651210d820e9b24df916f481368169d6e1ca8bc1240ea0af3f2247977670f
                            • Instruction Fuzzy Hash: 1451F875D00219ABDF20DF95CA89AAEBB79FF04304F10817BE501B62D0E7B49D82CB58
                            APIs
                            • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404D1A
                            • GetMessagePos.USER32 ref: 00404D22
                            • ScreenToClient.USER32(?,?), ref: 00404D3C
                            • SendMessageW.USER32(?,00001111,00000000,?), ref: 00404D4E
                            • SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404D74
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.3824377564.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000000.00000002.3824364522.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824391373.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824404396.00000000007C6000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.3824785053.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_Document_084462.jbxd
                            Similarity
                            • API ID: Message$Send$ClientScreen
                            • String ID: f
                            • API String ID: 41195575-1993550816
                            • Opcode ID: b2affdf3b53bee8738e3b61904ea6c87bda347b462d3853a737802ef9deed65a
                            • Instruction ID: 46b4da8a0d4c37396bcf421d2915c418c0d79b1a62bcd48facf8de7c649397b3
                            • Opcode Fuzzy Hash: b2affdf3b53bee8738e3b61904ea6c87bda347b462d3853a737802ef9deed65a
                            • Instruction Fuzzy Hash: 80015E7190021DBADB00DBA4DD85FFEBBBCAF54711F10012BBB50B61D0DBB4AA058BA5
                            APIs
                            • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00000808,00000000,?,00000000,6E332238,?,00000808), ref: 6E331635
                            • GlobalAlloc.KERNEL32(00000040,00000000,?,00000000,6E332238,?,00000808), ref: 6E33163C
                            • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,00000000,6E332238,?,00000808), ref: 6E331650
                            • GetProcAddress.KERNEL32(8"3n,00000000), ref: 6E331657
                            • GlobalFree.KERNEL32(00000000), ref: 6E331660
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.3831381006.000000006E331000.00000020.00000001.01000000.00000004.sdmp, Offset: 6E330000, based on PE: true
                             • Associated: 00000000.00000002.3831364303.000000006E330000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000000.00000002.3831397605.000000006E334000.00000002.00000001.01000000.00000004.sdmp
                             • Associated: 00000000.00000002.3831410720.000000006E336000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6e330000_Document_084462.jbxd
                            Similarity
                            • API ID: ByteCharGlobalMultiWide$AddressAllocFreeProc
                            • String ID: 8"3n
                            • API String ID: 1148316912-1903408307
                            • Opcode ID: f5df2416124f55f136ef8545c985dfaf570d1542626fb3a10525db8e8555f6a2
                            • Instruction ID: 97978557b90c34f730fdfcab0429b0f1e57d4533613af0c6c302c2bc08b05b2f
                            • Opcode Fuzzy Hash: f5df2416124f55f136ef8545c985dfaf570d1542626fb3a10525db8e8555f6a2
                            • Instruction Fuzzy Hash: 85F0AC722065787BDA3117A68C4CC9BBE9CDF8B2F5B210255F6289219086665D02D7F1
                            APIs
                            • SetTimer.USER32(?,?,000000FA,00000000), ref: 00402F49
                            • MulDiv.KERNEL32(0006F352,00000064,0006F556), ref: 00402F74
                            • wsprintfW.USER32 ref: 00402F84
                            • SetWindowTextW.USER32(?,?), ref: 00402F94
                            • SetDlgItemTextW.USER32(?,00000406,?), ref: 00402FA6
                            Strings
                            • verifying installer: %d%%, xrefs: 00402F7E
                            Memory Dump Source
                            • Source File: 00000000.00000002.3824377564.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.3824364522.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824391373.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.00000000007C6000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824785053.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_Document_084462.jbxd
                            Similarity
                            • API ID: Text$ItemTimerWindowwsprintf
                            • String ID: verifying installer: %d%%
                            • API String ID: 1451636040-82062127
                            • Opcode ID: e04d04eb7b63203ce5fd1c353c1d281d58231c4b0d3ff082bc1608e2171a15b6
                            • Instruction ID: 448c993359d53400b231c8c55bc41b2c2aaf26e1e6946bd82a433317a94b79bc
                            • Opcode Fuzzy Hash: e04d04eb7b63203ce5fd1c353c1d281d58231c4b0d3ff082bc1608e2171a15b6
                            • Instruction Fuzzy Hash: 1101FF70640209BBEF209F60DE4AFAA3B79EB04349F008039FA16A51D1DBB999559F58
                            APIs
                              • Part of subcall function 6E33121B: GlobalAlloc.KERNEL32(00000040,?,6E33123B,?,6E3312DF,00000019,6E3311BE,-000000A0), ref: 6E331225
                            • GlobalFree.KERNEL32(?), ref: 6E3326A3
                            • GlobalFree.KERNEL32(00000000), ref: 6E3326D8
                            Memory Dump Source
                            • Source File: 00000000.00000002.3831381006.000000006E331000.00000020.00000001.01000000.00000004.sdmp, Offset: 6E330000, based on PE: true
                            • Associated: 00000000.00000002.3831364303.000000006E330000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000000.00000002.3831397605.000000006E334000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000000.00000002.3831410720.000000006E336000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6e330000_Document_084462.jbxd
                            Similarity
                            • API ID: Global$Free$Alloc
                            • String ID:
                            • API String ID: 1780285237-0
                            • Opcode ID: 0d9d0cbd607a750a47313a508fe34cae5fbf523418f654cd610b3afcdf464af0
                            • Instruction ID: affcf7f0028cbfce520f9c8f2ece96fef5a0b0d87e0837c9861f12cd4a2fcbb9
                            • Opcode Fuzzy Hash: 0d9d0cbd607a750a47313a508fe34cae5fbf523418f654cd610b3afcdf464af0
                            • Instruction Fuzzy Hash: 3731CF322045E2EFCB248FA5CE94C6AB7BEFF86305B324569F54083220C7729805CBA1
                            APIs
                            • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000), ref: 0040299B
                            • GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004029B7
                            • GlobalFree.KERNEL32(?), ref: 004029F0
                            • GlobalFree.KERNEL32(00000000), ref: 00402A03
                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,000000F0), ref: 00402A1B
                            • DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000), ref: 00402A2F
                            Memory Dump Source
                            • Source File: 00000000.00000002.3824377564.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.3824364522.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824391373.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.00000000007C6000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824785053.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_Document_084462.jbxd
                            Similarity
                            • API ID: Global$AllocFree$CloseDeleteFileHandle
                            • String ID:
                            • API String ID: 2667972263-0
                            • Opcode ID: 9a7f16dab41c655e637aa095d71f48b0dcdd0dbed15c15d8c7bb14721209ca4d
                            • Instruction ID: a183675b87451ddc5318bffc5c3e349b28a5858cebf66036b341c16136851789
                            • Opcode Fuzzy Hash: 9a7f16dab41c655e637aa095d71f48b0dcdd0dbed15c15d8c7bb14721209ca4d
                            • Instruction Fuzzy Hash: B521AE71800124BBDF216FA5DE4999F7E79EF04364F10023AF560762E1CB784D419B98
                            APIs
                              • Part of subcall function 004063EE: lstrcpynW.KERNEL32(?,?,00000400,00403573,007A7A60,NSIS Error,?,00000007,00000009,0000000B), ref: 004063FB
                              • Part of subcall function 00405D6E: CharNextW.USER32(?,?,C:\Users\user\AppData\Local\Temp\nswD393.tmp,?,00405DE2,C:\Users\user\AppData\Local\Temp\nswD393.tmp,C:\Users\user\AppData\Local\Temp\nswD393.tmp, 4ou,?,C:\Users\user\AppData\Local\Temp\,00405B20,?,756F3420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405D7C
                              • Part of subcall function 00405D6E: CharNextW.USER32(00000000), ref: 00405D81
                              • Part of subcall function 00405D6E: CharNextW.USER32(00000000), ref: 00405D99
                            • lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nswD393.tmp,00000000,C:\Users\user\AppData\Local\Temp\nswD393.tmp,C:\Users\user\AppData\Local\Temp\nswD393.tmp, 4ou,?,C:\Users\user\AppData\Local\Temp\,00405B20,?,756F3420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405E24
                            • GetFileAttributesW.KERNEL32(C:\Users\user\AppData\Local\Temp\nswD393.tmp,C:\Users\user\AppData\Local\Temp\nswD393.tmp,C:\Users\user\AppData\Local\Temp\nswD393.tmp,C:\Users\user\AppData\Local\Temp\nswD393.tmp,C:\Users\user\AppData\Local\Temp\nswD393.tmp,C:\Users\user\AppData\Local\Temp\nswD393.tmp,00000000,C:\Users\user\AppData\Local\Temp\nswD393.tmp,C:\Users\user\AppData\Local\Temp\nswD393.tmp, 4ou,?,C:\Users\user\AppData\Local\Temp\,00405B20,?,756F3420,C:\Users\user\AppData\Local\Temp\), ref: 00405E34
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.3824377564.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.3824364522.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824391373.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.00000000007C6000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824785053.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_Document_084462.jbxd
                            Similarity
                            • API ID: CharNext$AttributesFilelstrcpynlstrlen
                            • String ID: 4ou$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nswD393.tmp
                            • API String ID: 3248276644-2337009026
                            • Opcode ID: cded0a6966890639b687aa66a4455a295a884498cbe0599bea4925404aa51844
                            • Instruction ID: 3e737dd218ce82e1fa1fef2ae0b63742eeb13cb079fe623d21add3619189c6ea
                            • Opcode Fuzzy Hash: cded0a6966890639b687aa66a4455a295a884498cbe0599bea4925404aa51844
                            • Instruction Fuzzy Hash: B2F0A435104E5115D632333A9D09BEF1558CE86718B19863BF8A2B22D2DB3C8A539DBE
                            APIs
                            Memory Dump Source
                            • Source File: 00000000.00000002.3831381006.000000006E331000.00000020.00000001.01000000.00000004.sdmp, Offset: 6E330000, based on PE: true
                            • Associated: 00000000.00000002.3831364303.000000006E330000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000000.00000002.3831397605.000000006E334000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000000.00000002.3831410720.000000006E336000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6e330000_Document_084462.jbxd
                            Similarity
                            • API ID: FreeGlobal
                            • String ID:
                            • API String ID: 2979337801-0
                            • Opcode ID: ae16a6c618e40ea2bd28e2e24b4d2e0a4d5cb104de92ab66595b75ba1946c0e9
                            • Instruction ID: 07b2f8aab8997ab41d232efcbdfda7a47f576e615ac13d553776d532eb03ca2e
                            • Opcode Fuzzy Hash: ae16a6c618e40ea2bd28e2e24b4d2e0a4d5cb104de92ab66595b75ba1946c0e9
                            • Instruction Fuzzy Hash: 8151D932D240FA9ECB509FE98540DAFBBBEEF45316F308659D400A3104D7B29E8D87A1
                            APIs
                            • GlobalFree.KERNEL32(00000000), ref: 6E332522
                              • Part of subcall function 6E33122C: lstrcpynW.KERNEL32(00000000,?,6E3312DF,00000019,6E3311BE,-000000A0), ref: 6E33123C
                            • GlobalAlloc.KERNEL32(00000040), ref: 6E3324A8
                            • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 6E3324C3
                            Memory Dump Source
                            • Source File: 00000000.00000002.3831381006.000000006E331000.00000020.00000001.01000000.00000004.sdmp, Offset: 6E330000, based on PE: true
                            • Associated: 00000000.00000002.3831364303.000000006E330000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000000.00000002.3831397605.000000006E334000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000000.00000002.3831410720.000000006E336000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6e330000_Document_084462.jbxd
                            Similarity
                            • API ID: Global$AllocByteCharFreeMultiWidelstrcpyn
                            • String ID:
                            • API String ID: 4216380887-0
                            • Opcode ID: d7df4b8d58ac11c8eea3d0203b3125a4c7f5cf62f9d220e7371159136c9c593d
                            • Instruction ID: d19d1c7bc1838cafff87181a8d07b0a5e380f6969ae182bbccd931df2ed6740a
                            • Opcode Fuzzy Hash: d7df4b8d58ac11c8eea3d0203b3125a4c7f5cf62f9d220e7371159136c9c593d
                            • Instruction Fuzzy Hash: 3241EFB00083A5EFD724DFA9D940E66B7FCFB49310F30892DE48687181EB32A545CBA1
                            APIs
                            • GetDlgItem.USER32(?,?), ref: 00401D9A
                            • GetClientRect.USER32(?,?), ref: 00401DE5
                            • LoadImageW.USER32(?,?,?,?,?,?), ref: 00401E15
                            • SendMessageW.USER32(?,00000172,?,00000000), ref: 00401E29
                            • DeleteObject.GDI32(00000000), ref: 00401E39
                            Memory Dump Source
                            • Source File: 00000000.00000002.3824377564.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.3824364522.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824391373.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.00000000007C6000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824785053.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_Document_084462.jbxd
                            Similarity
                            • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                            • String ID:
                            • API String ID: 1849352358-0
                            • Opcode ID: 72141a0695bd09deaf038b4057165ceb7fe748d1dd496bc1742fd2fda8c47cb7
                            • Instruction ID: b40b93da7826e3b7615b819c1b58470e7634271ab5df736de73e72df9abaa9c9
                            • Opcode Fuzzy Hash: 72141a0695bd09deaf038b4057165ceb7fe748d1dd496bc1742fd2fda8c47cb7
                            • Instruction Fuzzy Hash: 1521F572904119AFCB05DFA4DE45AEEBBB5EB08304F14403AF945F62A0CB389D51DB99
                            APIs
                            • GetDC.USER32(?), ref: 00401E51
                            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E6B
                            • MulDiv.KERNEL32(00000000,00000000), ref: 00401E73
                            • ReleaseDC.USER32(?,00000000), ref: 00401E84
                            • CreateFontIndirectW.GDI32(0040CDC8), ref: 00401ED3
                            Memory Dump Source
                            • Source File: 00000000.00000002.3824377564.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.3824364522.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824391373.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.00000000007C6000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824785053.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_Document_084462.jbxd
                            Similarity
                            • API ID: CapsCreateDeviceFontIndirectRelease
                            • String ID:
                            • API String ID: 3808545654-0
                            • Opcode ID: a771a12b6b1f9eb28fc4aa732c56658ca34c83768ad7333c3b90bf9ccbdf4b02
                            • Instruction ID: e0f466a359637f901669b8d4edcb0a2768f8d1cf7dbd19b4a84ec7a1be175679
                            • Opcode Fuzzy Hash: a771a12b6b1f9eb28fc4aa732c56658ca34c83768ad7333c3b90bf9ccbdf4b02
                            • Instruction Fuzzy Hash: 3301D871950651EFEB006BB4AE89BDA3FB0AF15300F10493AF141B71E2C6B90404DB2D
                            APIs
                            • SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401CB3
                            • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CCB
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.3824377564.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.3824364522.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824391373.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.00000000007C6000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824785053.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_Document_084462.jbxd
                            Similarity
                            • API ID: MessageSend$Timeout
                            • String ID: !
                            • API String ID: 1777923405-2657877971
                            • Opcode ID: 979e86d2c84321a506bd374142032a088a90d10552bd354102554aa37ba48567
                            • Instruction ID: 189cbaabe8764c773f58747126bd63a1e8498669fac95269da527f62f649557f
                            • Opcode Fuzzy Hash: 979e86d2c84321a506bd374142032a088a90d10552bd354102554aa37ba48567
                            • Instruction Fuzzy Hash: EE21AD7195420AAEEF05AFB4DD4AAAE7BB0EF44304F10453EF601B61D1D7B84941CBA8
                            APIs
                            • lstrlenW.KERNEL32(007A1F48,007A1F48,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,-007A9000), ref: 00404C92
                            • wsprintfW.USER32 ref: 00404C9B
                            • SetDlgItemTextW.USER32(?,007A1F48), ref: 00404CAE
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.3824377564.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.3824364522.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824391373.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.00000000007C6000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824785053.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_Document_084462.jbxd
                            Similarity
                            • API ID: ItemTextlstrlenwsprintf
                            • String ID: %u.%u%s%s
                            • API String ID: 3540041739-3551169577
                            • Opcode ID: 37836083cc55521027f8373fcaefe3c58d3b132896e9bd9a1ff8b63297692a70
                            • Instruction ID: 3d6b25ca05220dcf043cb3c1ab85a77e0c97cb6522f385c7b59333deb0f41e84
                            • Opcode Fuzzy Hash: 37836083cc55521027f8373fcaefe3c58d3b132896e9bd9a1ff8b63297692a70
                            • Instruction Fuzzy Hash: 4811EB736041283BEB00A5AD9D45EDE3688DBC5334F254637FA26F31D1E978C81182E8
                            APIs
                            • lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nswD393.tmp,00000023,00000011,00000002), ref: 004024CD
                            • RegSetValueExW.ADVAPI32(?,?,?,?,C:\Users\user\AppData\Local\Temp\nswD393.tmp,00000000,00000011,00000002), ref: 0040250D
                            • RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nswD393.tmp,00000000,00000011,00000002), ref: 004025F5
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.3824377564.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.3824364522.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824391373.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.00000000007C6000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824785053.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_Document_084462.jbxd
                            Similarity
                            • API ID: CloseValuelstrlen
                            • String ID: C:\Users\user\AppData\Local\Temp\nswD393.tmp
                            • API String ID: 2655323295-3749522000
                            • Opcode ID: 7daaa867e9da28a2930db7b37df5dfdc19be89cd1d3ff8a61dbf0427a346cfd9
                            • Instruction ID: b5ab21fa5db9dca98c90a3684f9c4c1c94415ceb852b3cd4d8f68548cc0c41e7
                            • Opcode Fuzzy Hash: 7daaa867e9da28a2930db7b37df5dfdc19be89cd1d3ff8a61dbf0427a346cfd9
                            • Instruction Fuzzy Hash: D311AF71E00108BEEB00AFA5CE49AAE7BB9EF44314F20443AF514B71D1D6B88D409668
                            APIs
                            • CharNextW.USER32(?,?,C:\Users\user\AppData\Local\Temp\nswD393.tmp,?,00405DE2,C:\Users\user\AppData\Local\Temp\nswD393.tmp,C:\Users\user\AppData\Local\Temp\nswD393.tmp, 4ou,?,C:\Users\user\AppData\Local\Temp\,00405B20,?,756F3420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405D7C
                            • CharNextW.USER32(00000000), ref: 00405D81
                            • CharNextW.USER32(00000000), ref: 00405D99
                            Strings
                            • C:\Users\user\AppData\Local\Temp\nswD393.tmp, xrefs: 00405D6F
                            Memory Dump Source
                            • Source File: 00000000.00000002.3824377564.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_Document_084462.jbxd
                            Similarity
                            • API ID: CharNext
                            • String ID: C:\Users\user\AppData\Local\Temp\nswD393.tmp
                            • API String ID: 3213498283-3749522000
                            • Opcode ID: a494e05d27702b27be76eb2108b1f7c475580a471c546fdda9206c4fb56a95c9
                            • Instruction ID: 839f6a4cd7818f8bbcc29dd9d6e935739f9a8baf6e4a15472bca77c663bd0c43
                            • Opcode Fuzzy Hash: a494e05d27702b27be76eb2108b1f7c475580a471c546fdda9206c4fb56a95c9
                            • Instruction Fuzzy Hash: 1FF09022920F1296DB3177545C4DE7B5BB8EF54760B00C43BE601B72C1E3B84C818EAA
                            APIs
                            • lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,0040348F,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004036EC,?,00000007,00000009,0000000B), ref: 00405CC9
                            • CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,0040348F,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004036EC,?,00000007,00000009,0000000B), ref: 00405CD3
                            • lstrcatW.KERNEL32(?,0040A014,?,00000007,00000009,0000000B), ref: 00405CE5
                            Strings
                            • C:\Users\user\AppData\Local\Temp\, xrefs: 00405CC3
                            Memory Dump Source
                            • Source File: 00000000.00000002.3824377564.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_Document_084462.jbxd
                            Similarity
                            • API ID: CharPrevlstrcatlstrlen
                            • String ID: C:\Users\user\AppData\Local\Temp\
                            • API String ID: 2659869361-1881609536
                            • Opcode ID: bed06d4f6a82b163f62297ef23baf12e7c7e8c5859eb2f34a161a285e0ec4316
                            • Instruction ID: 20018de61182ae54b5e078598b4ece42ca391df12eccfc729252e8f5514d5294
                            • Opcode Fuzzy Hash: bed06d4f6a82b163f62297ef23baf12e7c7e8c5859eb2f34a161a285e0ec4316
                            • Instruction Fuzzy Hash: 78D0A731101A30AAD1117B448D04CDF629CFE85304341403BF202B30A2C77C1D5387FD
                            APIs
                            • lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nswD393.tmp\System.dll), ref: 0040268D
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.3824377564.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_Document_084462.jbxd
                            Similarity
                            • API ID: lstrlen
                            • String ID: C:\Users\user\AppData\Local\Temp\nswD393.tmp$C:\Users\user\AppData\Local\Temp\nswD393.tmp\System.dll
                            • API String ID: 1659193697-1272981134
                            • Opcode ID: bd38f659e256a09bfdae8fa8d4f0e721d731d784e9f16bc2970e2de0a2b6f4fc
                            • Instruction ID: b6edfc9972aa644188961ebceaa73704b58c28032334693464610e5b401fed5f
                            • Opcode Fuzzy Hash: bd38f659e256a09bfdae8fa8d4f0e721d731d784e9f16bc2970e2de0a2b6f4fc
                            • Instruction Fuzzy Hash: CF110D71A10305AACB00ABB08F4AAAE77719F55748F61443FF502F61C1D6FC4951565E
                            APIs
                            • DestroyWindow.USER32(00000000,00000000,0040318F,?,?,00000007,00000009,0000000B), ref: 00402FC4
                            • GetTickCount.KERNEL32 ref: 00402FE2
                            • CreateDialogParamW.USER32(0000006F,00000000,00402F2B,00000000), ref: 00402FFF
                            • ShowWindow.USER32(00000000,00000005,?,00000007,00000009,0000000B), ref: 0040300D
                            Memory Dump Source
                            • Source File: 00000000.00000002.3824377564.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_Document_084462.jbxd
                            Similarity
                            • API ID: Window$CountCreateDestroyDialogParamShowTick
                            • String ID:
                            • API String ID: 2102729457-0
                            • Opcode ID: 5e41244d60e94df7afa5422e741b36603cd51d1290bb4582c8306ab25b36019d
                            • Instruction ID: 8c281f3aa7e88f802b7d8bba4993e69035ed424970cff038758a163d63a680ad
                            • Opcode Fuzzy Hash: 5e41244d60e94df7afa5422e741b36603cd51d1290bb4582c8306ab25b36019d
                            • Instruction Fuzzy Hash: 3AF0BE30506221ABC2616F60FE0CA8B3B78FB44B51705C83BF101F11E4CB3808819B9D
                            APIs
                            • IsWindowVisible.USER32(?), ref: 004053F9
                            • CallWindowProcW.USER32(?,?,?,?), ref: 0040544A
                              • Part of subcall function 00404390: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004043A2
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.3824377564.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_Document_084462.jbxd
                            Similarity
                            • API ID: Window$CallMessageProcSendVisible
                            • String ID:
                            • API String ID: 3748168415-3916222277
                            • Opcode ID: 63f07d3bfe87a358a7903b8c4052eed0806f84f2521abbc8f8e3291c3210bf1f
                            • Instruction ID: 5f6fd1bc1cb6019f344e496d8f57972e5ce8a9055d244d91c322c77d39ebf2aa
                            • Opcode Fuzzy Hash: 63f07d3bfe87a358a7903b8c4052eed0806f84f2521abbc8f8e3291c3210bf1f
                            • Instruction Fuzzy Hash: 63018431101608AFEF205F11DD80BDB3725EB95355F508037FA00762E1C77A8C919A6D
                            APIs
                            • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000800,00000002,007A0F28,00000000,?,?,Call,?,?,0040654B,80000002), ref: 00406302
                            • RegCloseKey.ADVAPI32(?,?,0040654B,80000002,Software\Microsoft\Windows\CurrentVersion,Call,Call,Call,00000000,007A0F28), ref: 0040630D
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.3824377564.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_Document_084462.jbxd
                            Similarity
                            • API ID: CloseQueryValue
                            • String ID: Call
                            • API String ID: 3356406503-1824292864
                            • Opcode ID: e4d53d9119acc97e3ded4dfe14f35fc16891fc75654ca884eca869e70a2bebda
                            • Instruction ID: 373679b9ec00f947e58de2b720fd419a4882b2706591ab80caa015ae1ce90e84
                            • Opcode Fuzzy Hash: e4d53d9119acc97e3ded4dfe14f35fc16891fc75654ca884eca869e70a2bebda
                            • Instruction Fuzzy Hash: 56017C72510209EADF218F65CC09EDB3BA8FF54364F01803AFD5AA2190D778D964DBA4
                            APIs
                            • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,007A4F50,Error launching installer), ref: 00405A00
                            • CloseHandle.KERNEL32(?), ref: 00405A0D
                            Strings
                            • Error launching installer, xrefs: 004059EA
                            Memory Dump Source
                            • Source File: 00000000.00000002.3824377564.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_Document_084462.jbxd
                            Similarity
                            • API ID: CloseCreateHandleProcess
                            • String ID: Error launching installer
                            • API String ID: 3712363035-66219284
                            • Opcode ID: c4e46f1f673fd3826d078202ae771a3f9877dbb6e8e98e36d3575ddcb335b3d8
                            • Instruction ID: 2b341ff16c6abf5d503a25303b32c86a9a78efd9c2a610832e0bce27d8c53e5f
                            • Opcode Fuzzy Hash: c4e46f1f673fd3826d078202ae771a3f9877dbb6e8e98e36d3575ddcb335b3d8
                            • Instruction Fuzzy Hash: F3E0BFF46002097FEB109F64ED05F7B77ACEB44644F004525BD54F6150D7B999148A7D
                            APIs
                            • FreeLibrary.KERNEL32(6E330000,756F3420,00000000,C:\Users\user\AppData\Local\Temp\,00403A00,00403816,00000007,?,00000007,00000009,0000000B), ref: 00403A42
                            • GlobalFree.KERNEL32(00B50B40), ref: 00403A49
                            Strings
                            • C:\Users\user\AppData\Local\Temp\, xrefs: 00403A28
                            Memory Dump Source
                            • Source File: 00000000.00000002.3824377564.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_Document_084462.jbxd
                            Similarity
                            • API ID: Free$GlobalLibrary
                            • String ID: C:\Users\user\AppData\Local\Temp\
                            • API String ID: 1100898210-1881609536
                            • Opcode ID: 6ef17ecbb981fa3a9d26a37a654407d639bd202e425e8d1c53e2791914a5cf50
                            • Instruction ID: 10b089f61d7fd26560bcfb3f790e8945b6a0be01d7b58778b04adbc7300f8739
                            • Opcode Fuzzy Hash: 6ef17ecbb981fa3a9d26a37a654407d639bd202e425e8d1c53e2791914a5cf50
                            • Instruction Fuzzy Hash: 64E0123360112057C6215F45FE0475ABB7D6F49B26F06803BE9C0BB26087785C838FD8
                            APIs
                            • lstrlenW.KERNEL32(?,C:\Users\user\Desktop,00403081,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Document_084462.scr.exe,C:\Users\user\Desktop\Document_084462.scr.exe,80000000,00000003,?,00000007,00000009,0000000B), ref: 00405D15
                            • CharPrevW.USER32(?,00000000,?,C:\Users\user\Desktop,00403081,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Document_084462.scr.exe,C:\Users\user\Desktop\Document_084462.scr.exe,80000000,00000003,?,00000007,00000009,0000000B), ref: 00405D25
                            Memory Dump Source
                            • Source File: 00000000.00000002.3824377564.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.3824364522.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824391373.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.00000000007C6000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824785053.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_Document_084462.jbxd
                            Similarity
                            • API ID: CharPrevlstrlen
                            • String ID: C:\Users\user\Desktop
                            • API String ID: 2709904686-4267323751
                            • Opcode ID: ca28fb495e832aca3bc5bc38fa8d5a1d536c38e2997e226eadf599fe90d3b243
                            • Instruction ID: 3b4219a6871f3e4e2040e57eeeef2aaac809f1ec38f5d31038b50c09059f2d31
                            • Opcode Fuzzy Hash: ca28fb495e832aca3bc5bc38fa8d5a1d536c38e2997e226eadf599fe90d3b243
                            • Instruction Fuzzy Hash: 97D05EB34109209AE3127704DC0599F73E8EF5530074A8467E541A61A5D7785C818AAC
                            APIs
                            • GlobalAlloc.KERNEL32(00000040,?), ref: 6E33116A
                            • GlobalFree.KERNEL32(00000000), ref: 6E3311C7
                            • GlobalFree.KERNEL32(00000000), ref: 6E3311D9
                            • GlobalFree.KERNEL32(?), ref: 6E331203
                            Memory Dump Source
                            • Source File: 00000000.00000002.3831381006.000000006E331000.00000020.00000001.01000000.00000004.sdmp, Offset: 6E330000, based on PE: true
                            • Associated: 00000000.00000002.3831364303.000000006E330000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000000.00000002.3831397605.000000006E334000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000000.00000002.3831410720.000000006E336000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6e330000_Document_084462.jbxd
                            Similarity
                            • API ID: Global$Free$Alloc
                            • String ID:
                            • API String ID: 1780285237-0
                            • Opcode ID: 7b1bdbced7b1941e4625102e886080edc5c7c84138bf488ebcc7518d46afa581
                            • Instruction ID: f14c3b35607085fb02a072641500b3529cf4ee88cfb5660e217de4c5357a8bd0
                            • Opcode Fuzzy Hash: 7b1bdbced7b1941e4625102e886080edc5c7c84138bf488ebcc7518d46afa581
                            • Instruction Fuzzy Hash: 1831D7B29002A2AFEB208FF8C955DA677ECEB06311F304559F880D7211E736DC49CBA0
                            APIs
                            • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,0040612E,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E59
                            • lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405E71
                            • CharNextA.USER32(00000000,?,00000000,0040612E,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E82
                            • lstrlenA.KERNEL32(00000000,?,00000000,0040612E,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E8B
                            Memory Dump Source
                            • Source File: 00000000.00000002.3824377564.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.3824364522.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824391373.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824404396.00000000007C6000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.3824785053.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_Document_084462.jbxd
                            Similarity
                            • API ID: lstrlen$CharNextlstrcmpi
                            • String ID:
                            • API String ID: 190613189-0
                            • Opcode ID: 21d608d80335ac136f0ceeda94a64e737efc7ffd0529c55eb96d3cb5f29812e9
                            • Instruction ID: a1795947179755a411c98c1569971d2b6f4e38ea7894d212e8297337e4f71977
                            • Opcode Fuzzy Hash: 21d608d80335ac136f0ceeda94a64e737efc7ffd0529c55eb96d3cb5f29812e9
                            • Instruction Fuzzy Hash: E2F06231504514FFD7129BA5DD409AEBBA8EF06250B2540BAE884FB250D674DF029BE9
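The blocks above are what Joe Sandbox prints for each disassembled function: the API calls with the argument stack captured at the call site, the extracted strings, and the memory dump the function was lifted from. Two of them are worth cross-referencing by hand: the FreeLibrary at 00403A42 in the main image (dumped at Offset 00400000) takes 6E330000 as its first argument, and 6E330000 is exactly the Offset of the second PE dumped from this process; the Temp directory path sits on the same call stack. The Python script below is an added triage helper, not part of the report and not Joe Sandbox code. It parses a constructed, condensed copy of three of the blocks above and performs that cross-reference automatically, relying only on the documented fact that FreeLibrary's first parameter is an HMODULE, which on Windows is the module's base address. The regexes and the assumed section layout (APIs / Strings / Memory Dump Source) are mine and follow the bullet format shown on this page; other report versions may print these differently.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample input: a condensed copy of three function blocks from the
# listing above, in the APIs / Strings / Memory Dump Source layout the report prints.
SAMPLE = r"""
APIs
• FreeLibrary.KERNEL32(6E330000,756F3420,00000000,C:\Users\user\AppData\Local\Temp\,00403A00), ref: 00403A42
• GlobalFree.KERNEL32(00B50B40), ref: 00403A49
Strings
• C:\Users\user\AppData\Local\Temp\, xrefs: 00403A28
Memory Dump Source
• Source File: 00000000.00000002.3824377564.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3824364522.0000000000400000.00000002.00000001.01000000.00000003.sdmp
APIs
• GlobalAlloc.KERNEL32(00000040,?), ref: 6E33116A
• GlobalFree.KERNEL32(00000000), ref: 6E3311C7
Memory Dump Source
• Source File: 00000000.00000002.3831381006.000000006E331000.00000020.00000001.01000000.00000004.sdmp, Offset: 6E330000, based on PE: true
APIs
• lstrlenA.KERNEL32(00000000,[Rename],00000000), ref: 00405E59
• lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405E71
Memory Dump Source
• Source File: 00000000.00000002.3824377564.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
"""

# Assumed line shapes, taken from the report's own bullets (hypothetical for other versions).
API_RE = re.compile(r"^• (?P<name>\w+)\.(?P<module>\w+)\((?P<args>.*)\), ref: (?P<ref>[0-9A-Fa-f]{8})$")
DUMP_RE = re.compile(r"Offset: (?P<base>[0-9A-Fa-f]{8}), based on PE: (?:true|false)")
SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Similarity", "Joe Sandbox IDA Plugin"}


@dataclass
class ApiCall:
    name: str         # e.g. FreeLibrary
    module: str       # e.g. KERNEL32
    args: List[str]   # raw argument tokens as printed ("?" means unknown)
    ref: int          # address of the call site


@dataclass
class FunctionBlock:
    calls: List[ApiCall] = field(default_factory=list)
    strings: List[str] = field(default_factory=list)
    base: Optional[int] = None   # image base of the dump this function was lifted from


def parse_blocks(text: str) -> List[FunctionBlock]:
    """One FunctionBlock per 'APIs' header; the other headers only switch sub-section."""
    blocks: List[FunctionBlock] = []
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            blocks.append(FunctionBlock())
        if line in SECTIONS:
            section = line
            continue
        if not blocks or not line.startswith("• "):
            continue
        blk = blocks[-1]
        if section == "APIs":
            m = API_RE.match(line)
            if m:
                blk.calls.append(ApiCall(m["name"], m["module"], m["args"].split(","), int(m["ref"], 16)))
        elif section == "Strings":
            blk.strings.append(line[2:].split(", xrefs:")[0])
        elif section == "Memory Dump Source" and blk.base is None:
            m = DUMP_RE.search(line)   # the first 'Source File' line carries the image base
            if m:
                blk.base = int(m["base"], 16)
    return blocks


def find_freed_modules(blocks: List[FunctionBlock]) -> List[Tuple[int, int]]:
    """(call site, module base) for every FreeLibrary whose HMODULE argument equals the
    image base of a *different* dumped module, i.e. a second PE seen in this process."""
    bases = {b.base for b in blocks if b.base is not None}
    hits = []
    for b in blocks:
        for c in b.calls:
            if c.name != "FreeLibrary" or not c.args:
                continue
            try:
                hmodule = int(c.args[0], 16)
            except ValueError:          # "?" or a non-numeric token
                continue
            if hmodule in bases and hmodule != b.base:
                hits.append((c.ref, hmodule))
    return hits


def functions_referencing(blocks: List[FunctionBlock], needle: str) -> List[FunctionBlock]:
    """Blocks whose extracted strings or captured arguments contain `needle` (case-insensitive)."""
    n = needle.lower()
    return [b for b in blocks
            if any(n in s.lower() for s in b.strings)
            or any(n in a.lower() for c in b.calls for a in c.args)]
```

Running `find_freed_modules(parse_blocks(SAMPLE))` yields the single pair (00403A42, 6E330000), tying the unload in the main image to the separately dumped PE, and `functions_referencing(..., r"AppData\Local\Temp")` returns only the first block. That combination (a module loaded from the user's Temp directory, then freed) is a routine unpacking pattern and is what to check in the dropped-file list of the report rather than something this listing proves on its own.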