
Windows Analysis Report
nRNzqQOQwk.exe

Overview

General Information

Sample name:nRNzqQOQwk.exe
renamed because original name is a hash value
Original sample name:a180642558a07876a9a047217ef75504a4fe7e1f02e22e1f19ffba8d33e6790a.exe
Analysis ID:1587595
MD5:c616c105a117d63de2b4f818c8fdd3e0
SHA1:fe7d7c8863a5f71e02b2b5b76e1a8f506b08dba7
SHA256:a180642558a07876a9a047217ef75504a4fe7e1f02e22e1f19ffba8d33e6790a
Tags: exe, user-adrian__luca
Infos:

Detection

GuLoader
Score:76
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Yara detected GuLoader
AI detected suspicious sample
Machine Learning detection for sample
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Creates files inside the system directory
Detected non-DNS traffic on DNS port
Detected potential crypto function
Drops PE files
Found dropped PE file which has not been started or loaded
PE / OLE file has an invalid certificate
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • nRNzqQOQwk.exe (PID: 7548 cmdline: "C:\Users\user\Desktop\nRNzqQOQwk.exe" MD5: C616C105A117D63DE2B4F818C8FDD3E0)
  • cleanup
Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye
No configs have been found
Source: 00000000.00000002.3789872839.000000000414B000.00000040.00001000.00020000.00000000.sdmp
Rule: JoeSecurity_GuLoader_2
Description: Yara detected GuLoader
Author: Joe Security
    No Sigma rule has matched
    No Suricata rule has matched


AV Detection

Source: nRNzqQOQwk.exe | Avira: detected
Source: nRNzqQOQwk.exe | Virustotal: Detection: 67%
Source: nRNzqQOQwk.exe | ReversingLabs: Detection: 70%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: nRNzqQOQwk.exe | Joe Sandbox ML: detected
Source: nRNzqQOQwk.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: nRNzqQOQwk.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\nRNzqQOQwk.exe | Code function: 0_2_00405642 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\nRNzqQOQwk.exe | Code function: 0_2_004060A4 FindFirstFileA,FindClose
Source: C:\Users\user\Desktop\nRNzqQOQwk.exe | Code function: 0_2_0040270B FindFirstFileA
Source: global traffic | TCP traffic: 192.168.2.9:57686 -> 162.159.36.2:53
Source: unknown | TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: 15.164.165.52.in-addr.arpa
Source: nRNzqQOQwk.exe | String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: nRNzqQOQwk.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: C:\Users\user\Desktop\nRNzqQOQwk.exe | Code function: 0_2_004050F7 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard
Source: C:\Users\user\Desktop\nRNzqQOQwk.exe | Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\nRNzqQOQwk.exe | Code function: 0_2_00403180 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
Source: C:\Users\user\Desktop\nRNzqQOQwk.exe | File created: C:\Windows\Fonts\prelegacy
Source: C:\Users\user\Desktop\nRNzqQOQwk.exe | File created: C:\Windows\Fonts\prelegacy\prster
Source: C:\Users\user\Desktop\nRNzqQOQwk.exe | Code function: 0_2_00404936
Source: nRNzqQOQwk.exe | Static PE information: invalid certificate
Source: classification engine | Classification label: mal76.troj.evad.winEXE@1/7@1/0
Source: C:\Users\user\Desktop\nRNzqQOQwk.exe | Code function: 0_2_004043C3 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA
Source: C:\Users\user\Desktop\nRNzqQOQwk.exe | Code function: 0_2_004020CD CoCreateInstance,MultiByteToWideChar
Source: C:\Users\user\Desktop\nRNzqQOQwk.exe | File created: C:\Program Files (x86)\Fljtenists.ini
Source: C:\Users\user\Desktop\nRNzqQOQwk.exe | File created: C:\Users\user\slavelivets
Source: C:\Users\user\Desktop\nRNzqQOQwk.exe | File created: C:\Users\user\AppData\Local\Temp\nsz9F79.tmp
Source: nRNzqQOQwk.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\nRNzqQOQwk.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\nRNzqQOQwk.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\nRNzqQOQwk.exe | File read: C:\Users\user\Desktop\nRNzqQOQwk.exe
Source: C:\Users\user\Desktop\nRNzqQOQwk.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\nRNzqQOQwk.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\nRNzqQOQwk.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\nRNzqQOQwk.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\nRNzqQOQwk.exe | Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\nRNzqQOQwk.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\nRNzqQOQwk.exe | Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\nRNzqQOQwk.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\nRNzqQOQwk.exe | Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\nRNzqQOQwk.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\nRNzqQOQwk.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\nRNzqQOQwk.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\nRNzqQOQwk.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\nRNzqQOQwk.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\Desktop\nRNzqQOQwk.exe | File written: C:\Program Files (x86)\Fljtenists.ini

Data Obfuscation

Source: Yara match | File source: 00000000.00000002.3789872839.000000000414B000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\nRNzqQOQwk.exe | Code function: 0_2_10001A5D GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,LdrInitializeThunk,LdrInitializeThunk,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA
Source: C:\Users\user\Desktop\nRNzqQOQwk.exe | Code function: 0_2_10002D20 push eax; ret 0_2_10002D4E
Source: C:\Users\user\Desktop\nRNzqQOQwk.exe | File created: C:\Users\user\AppData\Local\Temp\nsp9F8A.tmp\System.dll
Source: C:\Users\user\Desktop\nRNzqQOQwk.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\nRNzqQOQwk.exe | RDTSC instruction interceptor: First address: 4956AE9 second address: 4956AE9 instructions: 0x00000000 rdtsc 0x00000002 test edx, edx 0x00000004 cmp ebx, ecx 0x00000006 jc 00007EFC6CC15A45h 0x00000008 test dx, bx 0x0000000b inc ebp 0x0000000c inc ebx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\nRNzqQOQwk.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsp9F8A.tmp\System.dll
Source: C:\Users\user\Desktop\nRNzqQOQwk.exe | Code function: 0_2_00405642 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\nRNzqQOQwk.exe | Code function: 0_2_004060A4 FindFirstFileA,FindClose
Source: C:\Users\user\Desktop\nRNzqQOQwk.exe | Code function: 0_2_0040270B FindFirstFileA
Source: C:\Users\user\Desktop\nRNzqQOQwk.exe | API call chain: ExitProcess graph end node graph_0-3797
Source: C:\Users\user\Desktop\nRNzqQOQwk.exe | API call chain: ExitProcess graph end node graph_0-3977
Source: C:\Users\user\Desktop\nRNzqQOQwk.exe | Code function: 0_2_00402B0E RegOpenKeyExA,RegEnumKeyA,RegEnumKeyA,RegCloseKey,LdrInitializeThunk,RegCloseKey,RegDeleteKeyA
Source: C:\Users\user\Desktop\nRNzqQOQwk.exe | Code function: 0_2_10001A5D GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,LdrInitializeThunk,LdrInitializeThunk,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA
Source: C:\Users\user\Desktop\nRNzqQOQwk.exe | Code function: 0_2_00405DC2 GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA
MITRE ATT&CK Matrix (techniques per tactic; a number in parentheses is the count of matched signatures for that technique)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts
Execution: Native API (1); Scheduled Task/Job; At; Cron
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook
Privilege Escalation: Access Token Manipulation (1); DLL Side-Loading (1); Logon Script (Windows); Login Hook
Defense Evasion: Masquerading (12); Access Token Manipulation (1); Obfuscated Files or Information (1); DLL Side-Loading (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS
Discovery: Security Software Discovery (1); File and Directory Discovery (3); System Information Discovery (13); System Network Configuration Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model
Collection: Archive Collected Data (1); Clipboard Data (1); Data from Network Shared Drive; Input Capture
Command and Control: Encrypted Channel (1); Non-Application Layer Protocol (1); Application Layer Protocol (1); Protocol Impersonation
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication
Impact: System Shutdown/Reboot (1); Network Denial of Service; Data Encrypted for Impact; Data Destruction

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values
    • Number of created Files
    • Visual Basic
    • Delphi
    • Java
    • .Net C# or VB.NET
    • C, C++ or other language
    • Is malicious
    • Internet

Source | Detection | Scanner | Label
nRNzqQOQwk.exe | 67% | Virustotal |
nRNzqQOQwk.exe | 71% | ReversingLabs | Win32.Trojan.Guloader
nRNzqQOQwk.exe | 100% | Avira | TR/AD.NsisInject.monhx
nRNzqQOQwk.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\nsp9F8A.tmp\System.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\nsp9F8A.tmp\System.dll | 0% | Virustotal |

No Antivirus matches
No Antivirus matches
No Antivirus matches

Name | IP | Active | Malicious | Antivirus Detection | Reputation
s-part-0017.t-0009.t-msedge.net | 13.107.246.45 | true | false | | high
15.164.165.52.in-addr.arpa | unknown | unknown | false | | high

Name | Source | Malicious | Antivirus Detection | Reputation
http://nsis.sf.net/NSIS_Error | nRNzqQOQwk.exe | false | | high
http://nsis.sf.net/NSIS_ErrorError | nRNzqQOQwk.exe | false | | high
            No contacted IP infos
            Joe Sandbox version:42.0.0 Malachite
            Analysis ID:1587595
            Start date and time:2025-01-10 15:20:50 +01:00
            Joe Sandbox product:CloudBasic
            Overall analysis duration:0h 6m 50s
            Hypervisor based Inspection enabled:false
            Report type:full
            Cookbook file name:default.jbs
            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:8
            Number of new started drivers analysed:0
            Number of existing processes analysed:0
            Number of existing drivers analysed:0
            Number of injected processes analysed:0
            Technologies:
            • HCA enabled
            • EGA enabled
            • AMSI enabled
            Analysis Mode:default
            Analysis stop reason:Timeout
            Sample name:nRNzqQOQwk.exe
            renamed because original name is a hash value
            Original Sample Name:a180642558a07876a9a047217ef75504a4fe7e1f02e22e1f19ffba8d33e6790a.exe
            Detection:MAL
            Classification:mal76.troj.evad.winEXE@1/7@1/0
            EGA Information:
            • Successful, ratio: 100%
            HCA Information:
            • Successful, ratio: 100%
            • Number of executed functions: 40
            • Number of non-executed functions: 31
            Cookbook Comments:
            • Found application associated with file extension: .exe
            • Override analysis time to 240s for sample files taking high CPU consumption
            • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
            • Excluded IPs from analysis (whitelisted): 13.107.246.45, 4.245.163.56, 52.165.164.15, 172.202.163.200
            • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
            • Report size getting too big, too many NtOpenFile calls found.
            No simulations
            No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
s-part-0017.t-0009.t-msedge.net | PO-0005082025 pdf.exe | malicious | FormBook, PureLog Stealer | 13.107.246.45
 | PO-0005082025 pdf.exe | malicious | FormBook, PureLog Stealer | 13.107.246.45
 | Shipping Document.exe | malicious | FormBook, PureLog Stealer | 13.107.246.45
 | 1712226379134618467.js | malicious | Strela Downloader | 13.107.246.45
 | https://sign.zoho.com/zsguest?locale=en&sign_id=234b4d535f4956237c699124bb06f6840075804affff79070f72fbd27ec4885c3a2ba06657b8a52338eb80052baee9f74c4e2e0e7f85c073df939f1ac4dff75f76c95d46ac2361c7b14335e4f12c5c5d49c49b1d2f4c838a&action_type=SIGN | malicious | Unknown | 13.107.246.45
 | https://www.filemail.com/d/rxythqchkhluipl?skipreg=true | malicious | Unknown | 13.107.246.45
 | https://eu.jotform.com/app/250092704521347 | malicious | Unknown | 13.107.246.45
 | http://loginmicrosoftonline.Bdo.scoremasters.gr/cache/cdn?email=christian.wernli@bdo.ch | malicious | Unknown | 13.107.246.45
 | https://app.planable.io/review/0OPaw36t6M_k | malicious | HTMLPhisher | 13.107.246.45
 | PDFONLINE.exe | malicious | Unknown | 13.107.246.45
            No context
            No context
Match | Associated Sample Name / URL | Detection | Threat Name
C:\Users\user\AppData\Local\Temp\nsp9F8A.tmp\System.dll | ODjwCjQBAP.exe | malicious | GuLoader
 | ODjwCjQBAP.exe | malicious | GuLoader
 | Anfrage.exe | malicious | FormBook, GuLoader
 | Anfrage_244384.exe | malicious | FormBook, GuLoader
 | Anfrage_244384.exe | malicious | FormBook, GuLoader
 | Anfrage244384.exe | malicious | FormBook, GuLoader
 | Anfrage244384.exe | malicious | FormBook, GuLoader
 | Anfrage_244384.exe | malicious | FormBook, GuLoader
 | 5112024976.exe | malicious | FormBook, GuLoader
 | 5112024976.exe | malicious | FormBook, GuLoader
                                Process:C:\Users\user\Desktop\nRNzqQOQwk.exe
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):34
                                Entropy (8bit):4.35937791471612
                                Encrypted:false
                                SSDEEP:3:oMXADiGWkon:xnGWn
                                MD5:5BAD417385FA63549574090876DC680D
                                SHA1:84E00066DC079E657BE9AF39E2C9E4EC42F5E527
                                SHA-256:8B8CCA2780BD72F608E87BAEC979BBB17706AEFEB8D9F603E53AE144ECFAB71D
                                SHA-512:EA709BAB31CFAAB4979617C4D1DFF414387F6988BE9F67E70BF7F941A9E7EA4C36CF320CE2518AE0DD9171DF5C46BE85D86D3F6031059A3CB3E79FD58E3F14E2
                                Malicious:false
                                Reputation:moderate, very likely benign file
                                Preview:[Omniregent]..promovable=bugspyt..
                                Process:C:\Users\user\Desktop\nRNzqQOQwk.exe
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):11264
                                Entropy (8bit):5.7711167426271945
                                Encrypted:false
                                SSDEEP:192:OPtkumJX7zB22kGwfy0mtVgkCPOsX1un:/702k5qpdsXQn
                                MD5:3F176D1EE13B0D7D6BD92E1C7A0B9BAE
                                SHA1:FE582246792774C2C9DD15639FFA0ACA90D6FD0B
                                SHA-256:FA4AB1D6F79FD677433A31ADA7806373A789D34328DA46CCB0449BBF347BD73E
                                SHA-512:0A69124819B7568D0DEA4E9E85CE8FE61C7BA697C934E3A95E2DCFB9F252B1D9DA7FAF8774B6E8EFD614885507ACC94987733EBA09A2F5E7098B774DFC8524B6
                                Malicious:false
                                Antivirus:
                                • Antivirus: ReversingLabs, Detection: 0%
• Antivirus: Virustotal, Detection: 0%
                                Joe Sandbox View:
• Filename: ODjwCjQBAP.exe, Detection: malicious
• Filename: ODjwCjQBAP.exe, Detection: malicious
• Filename: Anfrage.exe, Detection: malicious
• Filename: Anfrage_244384.exe, Detection: malicious
• Filename: Anfrage_244384.exe, Detection: malicious
• Filename: Anfrage244384.exe, Detection: malicious
• Filename: Anfrage244384.exe, Detection: malicious
• Filename: Anfrage_244384.exe, Detection: malicious
• Filename: 5112024976.exe, Detection: malicious
• Filename: 5112024976.exe, Detection: malicious
                                Reputation:moderate, very likely benign file
                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......)...m.m.m...k.m.~....j.9..i....l....l.Richm.........................PE..L.....MX...........!.................'.......0...............................`.......................................2.......0..P............................P.......................................................0..X............................text...O........................... ..`.rdata..S....0......."..............@..@.data...h....@.......&..............@....reloc..`....P.......(..............@..B................................................................................................................................................................................................................................................................................................................................................................................
                                Process:C:\Users\user\Desktop\nRNzqQOQwk.exe
                                File Type:ASCII text, with very long lines (65536), with no line terminators
                                Category:dropped
                                Size (bytes):457262
                                Entropy (8bit):2.660957868808711
                                Encrypted:false
                                SSDEEP:3072:D/3hlxuinGt/VhqT1iOn8lRgQ69dV1Vbx:7oig/VYRJz9Xt
                                MD5:CDE198D8ADD807141052775916060A46
                                SHA1:BA64728F6A13AEE536B9EF46484A7938F52D9272
                                SHA-256:C9BBC92FD69037DCCF745A1ECC71F4BCE8867E41CD9D2DCDB8332587A1A147B6
                                SHA-512:898011AB3D1BAA68E702091C465F2BB1EBD172475CE73439A9BB8B205E68ABAFAE71776445BC7DC87227F9E0E80A04272944962C95CAE415786C252DEE256041
                                Malicious:false
                                Reputation:low
Preview:
                                Process:C:\Users\user\Desktop\nRNzqQOQwk.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):193843
                                Entropy (8bit):7.55628710093093
                                Encrypted:false
                                SSDEEP:3072:H39dlMnmxBSEy9gi65aaTlHepUWtyW8ImC/BN2WlIP7AKAKUHjjuXKc:X5SHWhTlHwhXNPTH2bUDjuac
                                MD5:FFAC979D13A99BF107CED6B9BBA2B7E4
                                SHA1:04E8B535A2B67D6CBAA54626492583D0DF1C9435
                                SHA-256:482E699C60E1B448B9953352AB2840956AB56E9C5559B5C06CF4F48D5AF98781
                                SHA-512:7DA199810F2A6B76FDA110D419EA35A424A0155DB814AA081F84F1C7CB0B9072E64D8B1A89F606D557A8B54AF8AC6395200F1CF281C28BC06101916C5285FFF3
                                Malicious:false
                                Reputation:low
                                Preview:......nnn.....aaaa....4..............R.P.......]]].......s.........)).............VV.........SS.........................................;.../..55...........z.....&.............$.3...&.....JJ..).......%.......................................a...........7.........#####...........}}}......................ss.....\\\...................................................TT..p......j..........?...++............bb.....................A..........z...............K.....................:::........cc........).............e.........M............)))..........]..&&&.GGGGGG..%......III.....................hh.....l..........y............./......X....Z..j................88.........................c..........9............................#........aaaa...................z...... ..........w....#.v.................K.................jjjjj.....99......................vv........--........Y.......6.........................................L..........uu....................r..................K................W.d......
                                Process:C:\Users\user\Desktop\nRNzqQOQwk.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):339393
                                Entropy (8bit):1.2543469977620876
                                Encrypted:false
                                SSDEEP:1536:JwpZQcXbJ+mf8ME8s+dg5Z90uGaXF9Pl7:W4cX8ncmxhGm
                                MD5:F6A8488B1B62B7AC3B0979C8FBEABB30
                                SHA1:9725896EBC26CCB2CB9060640B9E0D4A0618916F
                                SHA-256:34DC9B70D0CE5223A531E499611F1208F3AE85AAEF9973FC27E89190568F8EE2
                                SHA-512:88A719685D0972290632C6B5A665184E79A98BE22B76AF28F18056F2E7A721A0B2D3B4A8815BCE562426643E69F998F9E45F3CA62B3288EAAFB71FE89A23AD20
                                Malicious:false
                                Reputation:moderate, very likely benign file
                                Preview:..............................................o....D....................l.......k...................................._...2...........;..........................................0............................e......_....................}.......................,....4...................n.............T................j...z..........u.....#...................h............].............................................................................................................1......G...h.......g...3..(........................................................H......)...........o...................4.............^..................."....................$....................E..............................................................|..........3.............1...........................S....................x..........................................................................................................................................................=..........................|....
                                Process:C:\Users\user\Desktop\nRNzqQOQwk.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):456047
                                Entropy (8bit):1.2479728238915362
                                Encrypted:false
                                SSDEEP:768:WqBSYr/TzktUI9ql+6iD8iDu43pfrmQ+PHlyjwkZY51UG90JdfSDUsby4/FApmbO:I3TS9ymKhysrQEkRbwvL3xcbNyFN2Mv
                                MD5:9911B32FE219697A738F39AE5766B512
                                SHA1:DA67EBB043C778DEEA874E1C746483A2B65E533C
                                SHA-256:1D3D52ECB41F725DC23080ACB1ACDFEDF29BB5F167DCB75F89AF837888421880
                                SHA-512:FBF703CD56434BB14C6A1A34878F094BE183D9F638D0F34074F7EE4C9D12DB70A833679B496FCB1E4C6050C418A906221149AAC70035BCDA3C01D4272C0FE3E8
                                Malicious:false
                                Preview:.................................................z.................m.......L.......<.............................................................._.....y....._.........x.................................................................>............Q...........:e........................................................[.-.:....................................................A.....................................................................G................................+..............................z..........................................]...........................................................................................T.....&.}........G..............c...u.....................5......B....................................................................l................H..........................H.......................|...........................m.............................................:...........(...............8..............................................g.....
                                Process:C:\Users\user\Desktop\nRNzqQOQwk.exe
                                File Type:ASCII text, with no line terminators
                                Category:dropped
                                Size (bytes):276
                                Entropy (8bit):4.348758704403097
                                Encrypted:false
                                SSDEEP:6:4s/IdpH+oqGSUkJOlUjvMzJ7HxXEp6JN+qIN2CGZgw9n7FmNIb+:4skpesSUAOlSsJ7BEpg+H2XWwTmCq
                                MD5:668A01D3AF55A42FBFDBB1E9DD730B59
                                SHA1:E0949D489A15516B3CD09F1043543C38E3688F1A
                                SHA-256:6A7FEEBFE1F4330E611E6E1B3804619D329A9D3ABD3A3ECBD9D441F884E9999D
                                SHA-512:CF3F03583667362ADCEA4DEB094513B84D3E275EBCC42A993F9293B7374618A1BA060D4C4BAE446C02B329DDE2A4579C152F54A1F7537A0F83A3E88406509459
                                Malicious:false
                                Preview:vulcanizable zoanthidae raalam osullivan,phantasmic oxyluminescence fluidness pickin raadelig.muslimer broder encyclopaedically bessarabian bvt.skyggespillene shellfishes urmi fume panocha imago,troskabseder cypriotes thalassian,udvandringskontorers telfonmontrens bugtalende.
                                File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                Entropy (8bit):7.306164693512133
                                TrID:
                                • Win32 Executable (generic) a (10002005/4) 99.96%
                                • Generic Win/DOS Executable (2004/3) 0.02%
                                • DOS Executable Generic (2002/1) 0.02%
                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                File name:nRNzqQOQwk.exe
                                File size:616'800 bytes
                                MD5:c616c105a117d63de2b4f818c8fdd3e0
                                SHA1:fe7d7c8863a5f71e02b2b5b76e1a8f506b08dba7
                                SHA256:a180642558a07876a9a047217ef75504a4fe7e1f02e22e1f19ffba8d33e6790a
                                SHA512:71499f14196cfc6b3c2dd9d767ef3174083ff384fa642cb46086fdba4cfa5bb13d13f0f7491f1e3da55eab19c5b431f667c0851466241258840dcbd308b9fc1c
                                SSDEEP:6144:GyI5s2239X0wH5ky98puy+AMRYEBx2fKIn4jmTYzCr/5/dwgEhWSdfoVLg6XLCLl:D22tHb8MRYEBxAnPTYzA/7wRhW906OLl
                                TLSH:A0D4F183340558E0F4E20DB154BB8A6105BF9F7ABB95282FB3DC731614F225A4B3A7D6
                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........@............/...........s.../...............+.......Rich............................PE..L.....MX.................`....9....
                                Icon Hash:8b1985c04404416d
                                Entrypoint:0x403180
                                Entrypoint Section:.text
                                Digitally signed:true
                                Imagebase:0x400000
                                Subsystem:windows gui
                                Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                Time Stamp:0x584DCA1F [Sun Dec 11 21:50:23 2016 UTC]
                                TLS Callbacks:
                                CLR (.Net) Version:
                                OS Version Major:4
                                OS Version Minor:0
                                File Version Major:4
                                File Version Minor:0
                                Subsystem Version Major:4
                                Subsystem Version Minor:0
                                Import Hash:b78ecf47c0a3e24a6f4af114e2d1f5de
                                Signature Valid:false
                                Signature Issuer:CN="Congratulator Penetralia ", E=ida@Harpuneren9.Af, L=Wormsdorf, S=Sachsen-Anhalt, C=DE
                                Signature Validation Error:A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
                                Error Number:-2146762487
                                Not Before | Not After
                                • 24/06/2024 04:12:24 | 24/06/2027 04:12:24
                                Subject Chain
                                • CN="Congratulator Penetralia ", E=ida@Harpuneren9.Af, L=Wormsdorf, S=Sachsen-Anhalt, C=DE
                                Version:3
                                Thumbprint MD5:5F1213D251D7C1248101800D2397AEFA
                                Thumbprint SHA-1:A24C9A43698A21F20F2503099FDB0E547144AFA5
                                Thumbprint SHA-256:46FA314984A20ACD8945B5BC70EC2590BB3B9E7A27C8EA9AE030A1512F819942
                                Serial:79B8813DC1624EA9849722EC81B484F6FED3A8A4
                                Instruction
                                sub esp, 00000184h
                                push ebx
                                push esi
                                push edi
                                xor ebx, ebx
                                push 00008001h
                                mov dword ptr [esp+18h], ebx
                                mov dword ptr [esp+10h], 00409198h
                                mov dword ptr [esp+20h], ebx
                                mov byte ptr [esp+14h], 00000020h
                                call dword ptr [004070A8h]
                                call dword ptr [004070A4h]
                                cmp ax, 00000006h
                                je 00007EFC6CEBCD83h
                                push ebx
                                call 00007EFC6CEBFCF1h
                                cmp eax, ebx
                                je 00007EFC6CEBCD79h
                                push 00000C00h
                                call eax
                                mov esi, 00407298h
                                push esi
                                call 00007EFC6CEBFC6Dh
                                push esi
                                call dword ptr [004070A0h]
                                lea esi, dword ptr [esi+eax+01h]
                                cmp byte ptr [esi], bl
                                jne 00007EFC6CEBCD5Dh
                                push ebp
                                push 00000009h
                                call 00007EFC6CEBFCC4h
                                push 00000007h
                                call 00007EFC6CEBFCBDh
                                mov dword ptr [007A1F44h], eax
                                call dword ptr [00407044h]
                                push ebx
                                call dword ptr [00407288h]
                                mov dword ptr [007A1FF8h], eax
                                push ebx
                                lea eax, dword ptr [esp+38h]
                                push 00000160h
                                push eax
                                push ebx
                                push 0079D500h
                                call dword ptr [00407174h]
                                push 00409188h
                                push 007A1740h
                                call 00007EFC6CEBF8E7h
                                call dword ptr [0040709Ch]
                                mov ebp, 007A8000h
                                push eax
                                push ebp
                                call 00007EFC6CEBF8D5h
                                push ebx
                                call dword ptr [00407154h]
                                Programming Language:
                                • [EXP] VC++ 6.0 SP5 build 8804
                                Name | Virtual Address | Virtual Size | Is in Section
                                IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_IMPORT | 0x7428 | 0xa0 | .rdata
                                IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x3c3000 | 0x28340 | .rsrc
                                IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_SECURITY | 0x95610 | 0x1350 | .data
                                IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_IAT | 0x7000 | 0x298 | .rdata
                                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                .text | 0x1000 | 0x5e4a | 0x6000 | 30c42419b2e69d0fb178ad82fde5a6a6 | False | 0.6707356770833334 | data | 6.461674766148295 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                .rdata | 0x7000 | 0x1246 | 0x1400 | 43fab6a80651bd97af8f34ecf44cd8ac | False | 0.42734375 | data | 5.005029341587408 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                .data | 0x9000 | 0x399038 | 0x400 | 295703f29cbf0cc87537f54786ed1d01 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                .ndata | 0x3a3000 | 0x20000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                .rsrc | 0x3c3000 | 0x28340 | 0x28400 | 0a923a42d1a39b5e7ff4cbf67045065c | False | 0.21775524068322982 | data | 4.016272150271427 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                RT_ICON | 0x3c3358 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 | English | United States | 0.1348337868212469
                                RT_ICON | 0x3d3b80 | 0x94a8 | Device independent bitmap graphic, 96 x 192 x 32, image size 38016 | English | United States | 0.24942190456169855
                                RT_ICON | 0x3dd028 | 0x5488 | Device independent bitmap graphic, 72 x 144 x 32, image size 21600 | English | United States | 0.286090573012939
                                RT_ICON | 0x3e24b0 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | United States | 0.2502952290977799
                                RT_ICON | 0x3e66d8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.3522821576763486
                                RT_ICON | 0x3e8c80 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.37828330206378985
                                RT_ICON | 0x3e9d28 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.4668032786885246
                                RT_ICON | 0x3ea6b0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.5106382978723404
                                RT_DIALOG | 0x3eab18 | 0x100 | data | English | United States | 0.5234375
                                RT_DIALOG | 0x3eac18 | 0x11c | data | English | United States | 0.6056338028169014
                                RT_DIALOG | 0x3ead38 | 0xc4 | data | English | United States | 0.5918367346938775
                                RT_DIALOG | 0x3eae00 | 0x60 | data | English | United States | 0.7291666666666666
                                RT_GROUP_ICON | 0x3eae60 | 0x76 | data | English | United States | 0.7542372881355932
                                RT_VERSION | 0x3eaed8 | 0x128 | data | English | United States | 0.6114864864864865
                                RT_MANIFEST | 0x3eb000 | 0x33e | XML 1.0 document, ASCII text, with very long lines (830), with no line terminators | English | United States | 0.5542168674698795
                                DLL | Import
                                KERNEL32.dll | SetEnvironmentVariableA, Sleep, GetTickCount, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, GetFileAttributesA, SetFileAttributesA, GetWindowsDirectoryA, GetTempPathA, GetCommandLineA, lstrlenA, GetVersion, SetErrorMode, lstrcpynA, ExitProcess, GetFullPathNameA, GlobalLock, CreateThread, GetLastError, CreateDirectoryA, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, ReadFile, WriteFile, lstrcpyA, MoveFileExA, lstrcatA, GetSystemDirectoryA, GetProcAddress, CloseHandle, SetCurrentDirectoryA, MoveFileA, CompareFileTime, GetShortPathNameA, SearchPathA, lstrcmpiA, SetFileTime, lstrcmpA, ExpandEnvironmentStringsA, GlobalUnlock, GetDiskFreeSpaceA, GlobalFree, FindFirstFileA, FindNextFileA, DeleteFileA, SetFilePointer, GetPrivateProfileStringA, FindClose, MultiByteToWideChar, FreeLibrary, MulDiv, WritePrivateProfileStringA, LoadLibraryExA, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, GlobalAlloc
                                USER32.dll | ScreenToClient, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, PostQuitMessage, GetWindowRect, EnableMenuItem, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, ReleaseDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndDialog, RegisterClassA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, GetDC, CreateDialogParamA, SetTimer, GetDlgItem, SetWindowLongA, SetForegroundWindow, LoadImageA, IsWindow, SendMessageTimeoutA, FindWindowExA, OpenClipboard, TrackPopupMenu, AppendMenuA, EndPaint, DestroyWindow, wsprintfA, ShowWindow, SetWindowTextA
                                GDI32.dll | SelectObject, SetBkMode, CreateFontIndirectA, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
                                SHELL32.dll | SHGetSpecialFolderLocation, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA
                                ADVAPI32.dll | RegDeleteKeyA, SetFileSecurityA, OpenProcessToken, LookupPrivilegeValueA, AdjustTokenPrivileges, RegOpenKeyExA, RegEnumValueA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA, RegSetValueExA, RegQueryValueExA, RegEnumKeyA
                                COMCTL32.dll | ImageList_Create, ImageList_AddMasked, ImageList_Destroy
                                ole32.dll | OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance
                                Language of compilation system | Country where language is spoken | Map
                                English | United States |
                                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                Jan 10, 2025 15:22:12.212737083 CET | 57686 | 53 | 192.168.2.9 | 162.159.36.2
                                Jan 10, 2025 15:22:12.218421936 CET | 53 | 57686 | 162.159.36.2 | 192.168.2.9
                                Jan 10, 2025 15:22:12.218549013 CET | 57686 | 53 | 192.168.2.9 | 162.159.36.2
                                Jan 10, 2025 15:22:12.225150108 CET | 53 | 57686 | 162.159.36.2 | 192.168.2.9
                                Jan 10, 2025 15:22:12.704155922 CET | 57686 | 53 | 192.168.2.9 | 162.159.36.2
                                Jan 10, 2025 15:22:12.709167004 CET | 53 | 57686 | 162.159.36.2 | 192.168.2.9
                                Jan 10, 2025 15:22:12.709223032 CET | 57686 | 53 | 192.168.2.9 | 162.159.36.2
                                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                Jan 10, 2025 15:22:12.211992025 CET | 53 | 55329 | 162.159.36.2 | 192.168.2.9
                                Jan 10, 2025 15:22:12.714577913 CET | 49544 | 53 | 192.168.2.9 | 1.1.1.1
                                Jan 10, 2025 15:22:12.721642971 CET | 53 | 49544 | 1.1.1.1 | 192.168.2.9
                                Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                Jan 10, 2025 15:22:12.714577913 CET | 192.168.2.9 | 1.1.1.1 | 0x69ce | Standard query (0) | 15.164.165.52.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
                                Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                Jan 10, 2025 15:21:39.179152012 CET | 1.1.1.1 | 192.168.2.9 | 0x1075 | No error (0) | shed.dual-low.s-part-0017.t-0009.t-msedge.net | s-part-0017.t-0009.t-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
                                Jan 10, 2025 15:21:39.179152012 CET | 1.1.1.1 | 192.168.2.9 | 0x1075 | No error (0) | s-part-0017.t-0009.t-msedge.net | | 13.107.246.45 | A (IP address) | IN (0x0001) | false
                                Jan 10, 2025 15:22:12.721642971 CET | 1.1.1.1 | 192.168.2.9 | 0x69ce | Name error (3) | 15.164.165.52.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false


                                Target ID:0
                                Start time:09:21:41
                                Start date:10/01/2025
                                Path:C:\Users\user\Desktop\nRNzqQOQwk.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Users\user\Desktop\nRNzqQOQwk.exe"
                                Imagebase:0x400000
                                File size:616'800 bytes
                                MD5 hash:C616C105A117D63DE2B4F818C8FDD3E0
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.3789872839.000000000414B000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                Reputation:low
                                Has exited:false

                                  Execution Graph

                                  Execution Coverage:16.9%
                                  Dynamic/Decrypted Code Coverage:14.4%
                                  Signature Coverage:21.5%
                                  Total number of Nodes:1468
                                  Total number of Limit Nodes:37
1000180a 4466->4459 4467 100016f4 4467->4466 4468 10001705 4467->4468 4469 1000170c 4467->4469 4554 100021b0 4468->4554 4537 100021fa 4469->4537 4474 10001770 4480 100017b2 4474->4480 4481 10001776 4474->4481 4475 10001752 4567 100023da 4475->4567 4476 10001722 4479 10001728 4476->4479 4483 10001733 4476->4483 4477 1000173b 4489 10001731 4477->4489 4564 10002aa3 4477->4564 4479->4489 4548 100027e8 4479->4548 4487 100023da 11 API calls 4480->4487 4485 10001559 3 API calls 4481->4485 4482 10001758 4578 10001559 4482->4578 4558 10002589 4483->4558 4491 1000178c 4485->4491 4492 100017a4 4487->4492 4489->4474 4489->4475 4495 100023da 11 API calls 4491->4495 4496 100017f9 4492->4496 4589 100023a0 4492->4589 4494 10001739 4494->4489 4495->4492 4496->4466 4500 10001803 GlobalFree 4496->4500 4500->4466 4502 100017e5 4502->4496 4593 100014e2 wsprintfA 4502->4593 4503 100017de FreeLibrary 4503->4502 4596 10001215 GlobalAlloc 4505->4596 4507 10001a81 4597 10001215 GlobalAlloc 4507->4597 4509 10001cbb GlobalFree GlobalFree GlobalFree 4510 10001cd8 4509->4510 4525 10001d22 4509->4525 4511 1000201a 4510->4511 4518 10001ced 4510->4518 4510->4525 4513 1000203c GetModuleHandleA 4511->4513 4511->4525 4512 10001b60 GlobalAlloc 4532 10001a8c 4512->4532 4516 10002062 4513->4516 4517 1000204d LoadLibraryA 4513->4517 4514 10001bab lstrcpyA 4519 10001bb5 lstrcpyA 4514->4519 4515 10001bc9 GlobalFree 4515->4532 4604 100015a4 GetProcAddress 4516->4604 4517->4516 4517->4525 4518->4525 4600 10001224 4518->4600 4519->4532 4521 100020b3 4522 100020c0 lstrlenA 4521->4522 4521->4525 4605 100015a4 GetProcAddress 4522->4605 4524 10001f7a 4524->4525 4529 10001fbe lstrcpyA 4524->4529 4525->4467 4526 10002074 4526->4521 4536 1000209d GetProcAddress 4526->4536 4529->4525 4530 10001e75 GlobalFree 4530->4532 4531 100020d9 4531->4525 4532->4509 4532->4512 4532->4514 4532->4515 4532->4519 4532->4524 4532->4525 4532->4530 4533 10001c07 4532->4533 4534 10001224 2 API calls 4532->4534 4603 10001215 GlobalAlloc 
4532->4603 4533->4532 4598 10001534 GlobalSize GlobalAlloc 4533->4598 4534->4532 4536->4521 4543 10002212 4537->4543 4539 10002349 GlobalFree 4540 10001712 4539->4540 4539->4543 4540->4476 4540->4477 4540->4489 4541 100022b9 GlobalAlloc MultiByteToWideChar 4545 10002303 4541->4545 4546 100022e3 GlobalAlloc CLSIDFromString GlobalFree 4541->4546 4542 1000230a lstrlenA 4542->4539 4542->4545 4543->4539 4543->4541 4543->4542 4544 10001224 GlobalAlloc lstrcpynA 4543->4544 4607 100012ad 4543->4607 4544->4543 4545->4539 4611 1000251d 4545->4611 4546->4539 4550 100027fa 4548->4550 4549 1000289f VirtualAllocEx 4551 100028bd 4549->4551 4550->4549 4552 100029b9 4551->4552 4553 100029ae GetLastError 4551->4553 4552->4489 4553->4552 4555 100021c0 4554->4555 4556 1000170b 4554->4556 4555->4556 4557 100021d2 GlobalAlloc 4555->4557 4556->4469 4557->4555 4562 100025a5 4558->4562 4559 100025f6 GlobalAlloc 4563 10002618 4559->4563 4560 10002609 4561 1000260e GlobalSize 4560->4561 4560->4563 4561->4563 4562->4559 4562->4560 4563->4494 4565 10002aae 4564->4565 4566 10002aee GlobalFree 4565->4566 4614 10001215 GlobalAlloc 4567->4614 4569 1000243a lstrcpynA 4575 100023e6 4569->4575 4570 1000244b StringFromGUID2 WideCharToMultiByte 4570->4575 4571 1000246f WideCharToMultiByte 4571->4575 4572 10002490 wsprintfA 4572->4575 4573 100024b4 GlobalFree 4573->4575 4574 100024ee GlobalFree 4574->4482 4575->4569 4575->4570 4575->4571 4575->4572 4575->4573 4575->4574 4576 10001266 2 API calls 4575->4576 4615 100012d1 4575->4615 4576->4575 4619 10001215 GlobalAlloc 4578->4619 4580 1000155f 4582 10001586 4580->4582 4583 1000156c lstrcpyA 4580->4583 4584 100015a0 4582->4584 4585 1000158b wsprintfA 4582->4585 4583->4584 4586 10001266 4584->4586 4585->4584 4587 100012a8 GlobalFree 4586->4587 4588 1000126f GlobalAlloc lstrcpynA 4586->4588 4587->4492 4588->4587 4590 100017c5 4589->4590 4591 100023ae 4589->4591 4590->4502 4590->4503 4591->4590 4592 100023c7 GlobalFree 4591->4592 4592->4591 4594 10001266 2 
API calls 4593->4594 4595 10001503 4594->4595 4595->4496 4596->4507 4597->4532 4599 10001552 4598->4599 4599->4533 4606 10001215 GlobalAlloc 4600->4606 4602 10001233 lstrcpynA 4602->4525 4603->4532 4604->4526 4605->4531 4606->4602 4608 100012b4 4607->4608 4609 10001224 2 API calls 4608->4609 4610 100012cf 4609->4610 4610->4543 4612 10002581 4611->4612 4613 1000252b VirtualAlloc 4611->4613 4612->4545 4613->4612 4614->4575 4616 100012f9 4615->4616 4617 100012da 4615->4617 4616->4575 4617->4616 4618 100012e0 lstrcpyA 4617->4618 4618->4616 4619->4580 3753 403180 SetErrorMode GetVersion 3754 4031b7 3753->3754 3755 4031bd 3753->3755 3756 406139 5 API calls 3754->3756 3841 4060cb GetSystemDirectoryA 3755->3841 3756->3755 3758 4031d3 lstrlenA 3758->3755 3759 4031e2 3758->3759 3844 406139 GetModuleHandleA 3759->3844 3762 406139 5 API calls 3763 4031f1 #17 OleInitialize SHGetFileInfoA 3762->3763 3850 405da0 lstrcpynA 3763->3850 3765 40322e GetCommandLineA 3851 405da0 lstrcpynA 3765->3851 3767 403240 GetModuleHandleA 3768 403257 3767->3768 3852 40583d 3768->3852 3771 403345 3772 403358 GetTempPathA 3771->3772 3856 40314f 3772->3856 3774 403370 3775 403374 GetWindowsDirectoryA lstrcatA 3774->3775 3776 4033ca DeleteFileA 3774->3776 3778 40314f 12 API calls 3775->3778 3866 402cfa GetTickCount GetModuleFileNameA 3776->3866 3777 40583d CharNextA 3779 40327b 3777->3779 3781 403390 3778->3781 3779->3771 3779->3777 3782 403347 3779->3782 3781->3776 3784 403394 GetTempPathA lstrcatA SetEnvironmentVariableA SetEnvironmentVariableA 3781->3784 3951 405da0 lstrcpynA 3782->3951 3783 4033de 3790 40583d CharNextA 3783->3790 3823 403464 3783->3823 3836 403474 3783->3836 3786 40314f 12 API calls 3784->3786 3788 4033c2 3786->3788 3788->3776 3788->3836 3792 4033f9 3790->3792 3800 4034a4 3792->3800 3801 40343f 3792->3801 3793 4035ac 3796 4035b4 GetCurrentProcess OpenProcessToken 3793->3796 3797 40362e ExitProcess 3793->3797 3794 40348e 3975 405596 3794->3975 3802 4035ff 3796->3802 3803 4035cf 
LookupPrivilegeValueA AdjustTokenPrivileges 3796->3803 3979 405519 3800->3979 3952 405900 3801->3952 3806 406139 5 API calls 3802->3806 3803->3802 3809 403606 3806->3809 3812 40361b ExitWindowsEx 3809->3812 3815 403627 3809->3815 3810 4034c5 lstrcatA lstrcmpiA 3814 4034e1 3810->3814 3810->3836 3811 4034ba lstrcatA 3811->3810 3812->3797 3812->3815 3817 4034e6 3814->3817 3818 4034ed 3814->3818 4017 40140b 3815->4017 3816 403459 3967 405da0 lstrcpynA 3816->3967 3982 40547f CreateDirectoryA 3817->3982 3987 4054fc CreateDirectoryA 3818->3987 3894 403720 3823->3894 3825 4034f2 SetCurrentDirectoryA 3826 403501 3825->3826 3827 40350c 3825->3827 3990 405da0 lstrcpynA 3826->3990 3991 405da0 lstrcpynA 3827->3991 3832 403558 CopyFileA 3838 40351a 3832->3838 3833 4035a0 3834 405c5b 38 API calls 3833->3834 3834->3836 3968 403646 3836->3968 3837 405dc2 18 API calls 3837->3838 3838->3833 3838->3837 3840 40358c CloseHandle 3838->3840 3992 405dc2 3838->3992 4010 405c5b MoveFileExA 3838->4010 4014 405531 CreateProcessA 3838->4014 3840->3838 3843 4060ed wsprintfA LoadLibraryExA 3841->3843 3843->3758 3845 406155 3844->3845 3846 40615f GetProcAddress 3844->3846 3847 4060cb 3 API calls 3845->3847 3848 4031ea 3846->3848 3849 40615b 3847->3849 3848->3762 3849->3846 3849->3848 3850->3765 3851->3767 3853 405843 3852->3853 3854 40326b CharNextA 3853->3854 3855 405849 CharNextA 3853->3855 3854->3779 3855->3853 4020 40600b 3856->4020 3858 403165 3858->3774 3859 40315b 3859->3858 4029 405812 lstrlenA CharPrevA 3859->4029 3862 4054fc 2 API calls 3863 403173 3862->3863 4032 405a42 3863->4032 4036 405a13 GetFileAttributesA CreateFileA 3866->4036 3868 402d3a 3869 402d4a 3868->3869 4037 405da0 lstrcpynA 3868->4037 3869->3783 3871 402d60 4038 405859 lstrlenA 3871->4038 3875 402d71 GetFileSize 3876 402d88 3875->3876 3891 402e6d 3875->3891 3876->3869 3881 402ed9 3876->3881 3889 402c96 6 API calls 3876->3889 3876->3891 4075 403122 3876->4075 3878 402e76 3878->3869 3880 402ea6 GlobalAlloc 3878->3880 4078 
403138 SetFilePointer 3878->4078 4054 403138 SetFilePointer 3880->4054 3885 402c96 6 API calls 3881->3885 3884 402ec1 4055 402f33 3884->4055 3885->3869 3886 402e8f 3888 403122 ReadFile 3886->3888 3890 402e9a 3888->3890 3889->3876 3890->3869 3890->3880 4043 402c96 3891->4043 3892 402ecd 3892->3869 3892->3892 3893 402f0a SetFilePointer 3892->3893 3893->3869 3895 406139 5 API calls 3894->3895 3896 403734 3895->3896 3897 40373a 3896->3897 3898 40374c 3896->3898 4108 405cfe wsprintfA 3897->4108 4109 405c87 RegOpenKeyExA 3898->4109 3901 403795 lstrcatA 3904 40374a 3901->3904 3903 405c87 3 API calls 3903->3901 4099 4039e5 3904->4099 3907 405900 18 API calls 3908 4037c7 3907->3908 3909 403850 3908->3909 3911 405c87 3 API calls 3908->3911 3910 405900 18 API calls 3909->3910 3912 403856 3910->3912 3913 4037f3 3911->3913 3914 403866 LoadImageA 3912->3914 3915 405dc2 18 API calls 3912->3915 3913->3909 3920 40380f lstrlenA 3913->3920 3921 40583d CharNextA 3913->3921 3916 40390c 3914->3916 3917 40388d RegisterClassA 3914->3917 3915->3914 3919 40140b 2 API calls 3916->3919 3918 4038c3 SystemParametersInfoA CreateWindowExA 3917->3918 3950 403916 3917->3950 3918->3916 3924 403912 3919->3924 3922 403843 3920->3922 3923 40381d lstrcmpiA 3920->3923 3925 40380d 3921->3925 3927 405812 3 API calls 3922->3927 3923->3922 3926 40382d GetFileAttributesA 3923->3926 3929 4039e5 19 API calls 3924->3929 3924->3950 3925->3920 3928 403839 3926->3928 3930 403849 3927->3930 3928->3922 3931 405859 2 API calls 3928->3931 3932 403923 3929->3932 4114 405da0 lstrcpynA 3930->4114 3931->3922 3934 4039b2 3932->3934 3935 40392f ShowWindow 3932->3935 4115 40508b OleInitialize 3934->4115 3937 4060cb 3 API calls 3935->3937 3939 403947 3937->3939 3938 4039b8 3940 4039d4 3938->3940 3941 4039bc 3938->3941 3942 403955 GetClassInfoA 3939->3942 3946 4060cb 3 API calls 3939->3946 3945 40140b 2 API calls 3940->3945 3948 40140b 2 API calls 3941->3948 3941->3950 3943 403969 GetClassInfoA RegisterClassA 3942->3943 3944 
40397f DialogBoxParamA 3942->3944 3943->3944 3947 40140b 2 API calls 3944->3947 3945->3950 3946->3942 3949 4039a7 3947->3949 3948->3950 3949->3950 3950->3836 3951->3772 4130 405da0 lstrcpynA 3952->4130 3954 405911 4131 4058ab CharNextA CharNextA 3954->4131 3957 40344a 3957->3836 3966 405da0 lstrcpynA 3957->3966 3958 40600b 5 API calls 3964 405927 3958->3964 3959 405952 lstrlenA 3960 40595d 3959->3960 3959->3964 3961 405812 3 API calls 3960->3961 3963 405962 GetFileAttributesA 3961->3963 3963->3957 3964->3957 3964->3959 3965 405859 2 API calls 3964->3965 4137 4060a4 FindFirstFileA 3964->4137 3965->3959 3966->3816 3967->3823 3969 403650 CloseHandle 3968->3969 3970 40365e 3968->3970 3969->3970 4140 40368b 3970->4140 3976 4055ab 3975->3976 3977 40349c ExitProcess 3976->3977 3978 4055bf MessageBoxIndirectA 3976->3978 3978->3977 3980 406139 5 API calls 3979->3980 3981 4034a9 lstrcatA 3980->3981 3981->3810 3981->3811 3983 4054d0 GetLastError 3982->3983 3984 4034eb 3982->3984 3983->3984 3985 4054df SetFileSecurityA 3983->3985 3984->3825 3985->3984 3986 4054f5 GetLastError 3985->3986 3986->3984 3988 405510 GetLastError 3987->3988 3989 40550c 3987->3989 3988->3989 3989->3825 3990->3827 3991->3838 3993 405dcf 3992->3993 3994 405ff2 3993->3994 3997 405e70 GetVersion 3993->3997 3998 405fc9 lstrlenA 3993->3998 4001 405dc2 10 API calls 3993->4001 4002 405ee8 GetSystemDirectoryA 3993->4002 4003 405c87 3 API calls 3993->4003 4004 405efb GetWindowsDirectoryA 3993->4004 4005 40600b 5 API calls 3993->4005 4006 405f2f SHGetSpecialFolderLocation 3993->4006 4007 405dc2 10 API calls 3993->4007 4008 405f72 lstrcatA 3993->4008 4197 405cfe wsprintfA 3993->4197 4198 405da0 lstrcpynA 3993->4198 3995 40354b DeleteFileA 3994->3995 4199 405da0 lstrcpynA 3994->4199 3995->3832 3995->3838 3997->3993 3998->3993 4001->3998 4002->3993 4003->3993 4004->3993 4005->3993 4006->3993 4009 405f47 SHGetPathFromIDListA CoTaskMemFree 4006->4009 4007->3993 4008->3993 4009->3993 4011 405c7c 4010->4011 4012 405c6f 
4010->4012 4011->3838 4200 405ae9 lstrcpyA 4012->4200 4015 405570 4014->4015 4016 405564 CloseHandle 4014->4016 4015->3838 4016->4015 4018 401389 2 API calls 4017->4018 4019 401420 4018->4019 4019->3797 4026 406017 4020->4026 4021 406083 CharPrevA 4022 40607f 4021->4022 4022->4021 4025 40609e 4022->4025 4023 406074 CharNextA 4023->4022 4023->4026 4024 40583d CharNextA 4024->4026 4025->3859 4026->4022 4026->4023 4026->4024 4027 406062 CharNextA 4026->4027 4028 40606f CharNextA 4026->4028 4027->4026 4028->4023 4030 40316d 4029->4030 4031 40582c lstrcatA 4029->4031 4030->3862 4031->4030 4033 405a4d GetTickCount GetTempFileNameA 4032->4033 4034 40317e 4033->4034 4035 405a7a 4033->4035 4034->3774 4035->4033 4035->4034 4036->3868 4037->3871 4039 405866 4038->4039 4040 402d66 4039->4040 4041 40586b CharPrevA 4039->4041 4042 405da0 lstrcpynA 4040->4042 4041->4039 4041->4040 4042->3875 4044 402cb7 4043->4044 4045 402c9f 4043->4045 4048 402cc7 GetTickCount 4044->4048 4049 402cbf 4044->4049 4046 402ca8 DestroyWindow 4045->4046 4047 402caf 4045->4047 4046->4047 4047->3878 4051 402cd5 CreateDialogParamA ShowWindow 4048->4051 4052 402cf8 4048->4052 4079 406175 4049->4079 4051->4052 4052->3878 4054->3884 4056 402f49 4055->4056 4057 402f77 4056->4057 4085 403138 SetFilePointer 4056->4085 4059 403122 ReadFile 4057->4059 4060 402f82 4059->4060 4061 402f94 GetTickCount 4060->4061 4062 4030bb 4060->4062 4064 4030a5 4060->4064 4061->4064 4071 402fc0 4061->4071 4063 4030fd 4062->4063 4068 4030bf 4062->4068 4066 403122 ReadFile 4063->4066 4064->3892 4065 403122 ReadFile 4065->4071 4066->4064 4067 403122 ReadFile 4067->4068 4068->4064 4068->4067 4069 405aba WriteFile 4068->4069 4069->4068 4070 403016 GetTickCount 4070->4071 4071->4064 4071->4065 4071->4070 4072 40303b MulDiv wsprintfA 4071->4072 4083 405aba WriteFile 4071->4083 4086 404fb9 4072->4086 4097 405a8b ReadFile 4075->4097 4078->3886 4080 406192 PeekMessageA 4079->4080 4081 402cc5 4080->4081 4082 406188 DispatchMessageA 
4080->4082 4081->3878 4082->4080 4084 405ad8 4083->4084 4084->4071 4085->4057 4087 404fd4 4086->4087 4096 405077 4086->4096 4088 404ff1 lstrlenA 4087->4088 4089 405dc2 18 API calls 4087->4089 4090 40501a 4088->4090 4091 404fff lstrlenA 4088->4091 4089->4088 4093 405020 SetWindowTextA 4090->4093 4094 40502d 4090->4094 4092 405011 lstrcatA 4091->4092 4091->4096 4092->4090 4093->4094 4095 405033 SendMessageA SendMessageA SendMessageA 4094->4095 4094->4096 4095->4096 4096->4071 4098 403135 4097->4098 4098->3876 4100 4039f9 4099->4100 4122 405cfe wsprintfA 4100->4122 4102 403a6a 4103 405dc2 18 API calls 4102->4103 4104 403a76 SetWindowTextA 4103->4104 4105 403a92 4104->4105 4106 4037a5 4104->4106 4105->4106 4107 405dc2 18 API calls 4105->4107 4106->3907 4107->4105 4108->3904 4110 403777 4109->4110 4111 405cba RegQueryValueExA 4109->4111 4110->3901 4110->3903 4112 405cdb RegCloseKey 4111->4112 4112->4110 4114->3909 4123 403fd1 4115->4123 4117 4050ae 4121 4050d5 4117->4121 4126 401389 4117->4126 4118 403fd1 SendMessageA 4119 4050e7 OleUninitialize 4118->4119 4119->3938 4121->4118 4122->4102 4124 403fe9 4123->4124 4125 403fda SendMessageA 4123->4125 4124->4117 4125->4124 4128 401390 4126->4128 4127 4013fe 4127->4117 4128->4127 4129 4013cb MulDiv SendMessageA 4128->4129 4129->4128 4130->3954 4132 4058d6 4131->4132 4133 4058c6 4131->4133 4135 40583d CharNextA 4132->4135 4136 4058f6 4132->4136 4133->4132 4134 4058d1 CharNextA 4133->4134 4134->4136 4135->4132 4136->3957 4136->3958 4138 4060c5 4137->4138 4139 4060ba FindClose 4137->4139 4138->3964 4139->4138 4142 403699 4140->4142 4141 403663 4144 405642 4141->4144 4142->4141 4143 40369e FreeLibrary GlobalFree 4142->4143 4143->4141 4143->4143 4145 405900 18 API calls 4144->4145 4146 405662 4145->4146 4147 405681 4146->4147 4148 40566a DeleteFileA 4146->4148 4150 4057b9 4147->4150 4184 405da0 lstrcpynA 4147->4184 4149 40347d OleUninitialize 4148->4149 4149->3793 4149->3794 4150->4149 4155 4060a4 2 API calls 4150->4155 4152 
4056a7 4153 4056ba 4152->4153 4154 4056ad lstrcatA 4152->4154 4157 405859 2 API calls 4153->4157 4156 4056c0 4154->4156 4158 4057d3 4155->4158 4159 4056ce lstrcatA 4156->4159 4161 4056d9 lstrlenA FindFirstFileA 4156->4161 4157->4156 4158->4149 4160 4057d7 4158->4160 4159->4161 4162 405812 3 API calls 4160->4162 4163 4057af 4161->4163 4182 4056fd 4161->4182 4164 4057dd 4162->4164 4163->4150 4166 4055fa 5 API calls 4164->4166 4165 40583d CharNextA 4165->4182 4167 4057e9 4166->4167 4168 405803 4167->4168 4169 4057ed 4167->4169 4172 404fb9 25 API calls 4168->4172 4169->4149 4174 404fb9 25 API calls 4169->4174 4170 40578e FindNextFileA 4173 4057a6 FindClose 4170->4173 4170->4182 4172->4149 4173->4163 4175 4057fa 4174->4175 4176 405c5b 38 API calls 4175->4176 4179 405801 4176->4179 4178 405642 62 API calls 4178->4182 4179->4149 4180 404fb9 25 API calls 4180->4170 4181 404fb9 25 API calls 4181->4182 4182->4165 4182->4170 4182->4178 4182->4180 4182->4181 4183 405c5b 38 API calls 4182->4183 4185 405da0 lstrcpynA 4182->4185 4186 4055fa 4182->4186 4183->4182 4184->4152 4185->4182 4194 4059ee GetFileAttributesA 4186->4194 4189 405615 RemoveDirectoryA 4191 405623 4189->4191 4190 40561d DeleteFileA 4190->4191 4192 405627 4191->4192 4193 405633 SetFileAttributesA 4191->4193 4192->4182 4193->4192 4195 405a00 SetFileAttributesA 4194->4195 4196 405606 4194->4196 4195->4196 4196->4189 4196->4190 4196->4192 4197->3993 4198->3993 4199->3995 4201 405b11 4200->4201 4202 405b37 GetShortPathNameA 4200->4202 4227 405a13 GetFileAttributesA CreateFileA 4201->4227 4203 405c56 4202->4203 4204 405b4c 4202->4204 4203->4011 4204->4203 4206 405b54 wsprintfA 4204->4206 4208 405dc2 18 API calls 4206->4208 4207 405b1b CloseHandle GetShortPathNameA 4207->4203 4209 405b2f 4207->4209 4210 405b7c 4208->4210 4209->4202 4209->4203 4228 405a13 GetFileAttributesA CreateFileA 4210->4228 4212 405b89 4212->4203 4213 405b98 GetFileSize GlobalAlloc 4212->4213 4214 405bba 4213->4214 4215 405c4f CloseHandle 
4213->4215 4216 405a8b ReadFile 4214->4216 4215->4203 4217 405bc2 4216->4217 4217->4215 4229 405978 lstrlenA 4217->4229 4220 405bd9 lstrcpyA 4223 405bfb 4220->4223 4221 405bed 4222 405978 4 API calls 4221->4222 4222->4223 4224 405c32 SetFilePointer 4223->4224 4225 405aba WriteFile 4224->4225 4226 405c48 GlobalFree 4225->4226 4226->4215 4227->4207 4228->4212 4230 4059b9 lstrlenA 4229->4230 4231 405992 lstrcmpiA 4230->4231 4233 4059c1 4230->4233 4232 4059b0 CharNextA 4231->4232 4231->4233 4232->4230 4233->4220 4233->4221 5083 401000 5084 401037 BeginPaint GetClientRect 5083->5084 5085 40100c DefWindowProcA 5083->5085 5087 4010f3 5084->5087 5088 401179 5085->5088 5089 401073 CreateBrushIndirect FillRect DeleteObject 5087->5089 5090 4010fc 5087->5090 5089->5087 5091 401102 CreateFontIndirectA 5090->5091 5092 401167 EndPaint 5090->5092 5091->5092 5093 401112 6 API calls 5091->5093 5092->5088 5093->5092 5094 401900 5095 402ace 18 API calls 5094->5095 5096 401907 5095->5096 5097 405596 MessageBoxIndirectA 5096->5097 5098 401910 5097->5098 5099 401502 5100 40150a 5099->5100 5102 40151d 5099->5102 5101 402aac 18 API calls 5100->5101 5101->5102 4234 402483 4245 402bd8 4234->4245 4236 40248d 4249 402ace 4236->4249 4239 4024a0 RegQueryValueExA 4241 4024c0 4239->4241 4242 4024c6 RegCloseKey 4239->4242 4240 402729 4241->4242 4255 405cfe wsprintfA 4241->4255 4242->4240 4246 402ace 18 API calls 4245->4246 4247 402bf1 4246->4247 4248 402bff RegOpenKeyExA 4247->4248 4248->4236 4250 402ada 4249->4250 4251 405dc2 18 API calls 4250->4251 4252 402afb 4251->4252 4253 402496 4252->4253 4254 40600b 5 API calls 4252->4254 4253->4239 4253->4240 4254->4253 4255->4242 5103 100029c3 5104 100029db 5103->5104 5105 10001534 2 API calls 5104->5105 5106 100029f6 5105->5106 5107 401c04 5108 402aac 18 API calls 5107->5108 5109 401c0b 5108->5109 5110 402aac 18 API calls 5109->5110 5111 401c18 5110->5111 5112 401c2d 5111->5112 5113 402ace 18 API calls 5111->5113 5114 401c3d 5112->5114 5115 402ace 18 API 
calls 5112->5115 5113->5112 5116 401c94 5114->5116 5117 401c48 5114->5117 5115->5114 5119 402ace 18 API calls 5116->5119 5118 402aac 18 API calls 5117->5118 5120 401c4d 5118->5120 5121 401c99 5119->5121 5122 402aac 18 API calls 5120->5122 5123 402ace 18 API calls 5121->5123 5124 401c59 5122->5124 5125 401ca2 FindWindowExA 5123->5125 5126 401c84 SendMessageA 5124->5126 5127 401c66 SendMessageTimeoutA 5124->5127 5128 401cc0 5125->5128 5126->5128 5127->5128 4262 401389 4264 401390 4262->4264 4263 4013fe 4264->4263 4265 4013cb MulDiv SendMessageA 4264->4265 4265->4264 5129 40270b 5130 402ace 18 API calls 5129->5130 5131 402712 FindFirstFileA 5130->5131 5132 402735 5131->5132 5136 402725 5131->5136 5133 40273c 5132->5133 5137 405cfe wsprintfA 5132->5137 5138 405da0 lstrcpynA 5133->5138 5137->5133 5138->5136 5139 401490 5140 404fb9 25 API calls 5139->5140 5141 401497 5140->5141 5142 402590 5143 402595 5142->5143 5144 4025a9 5142->5144 5145 402aac 18 API calls 5143->5145 5146 402ace 18 API calls 5144->5146 5148 40259e 5145->5148 5147 4025b0 lstrlenA 5146->5147 5147->5148 5149 405aba WriteFile 5148->5149 5150 4025d2 5148->5150 5149->5150 5151 402c13 5152 402c22 SetTimer 5151->5152 5154 402c3b 5151->5154 5152->5154 5153 402c90 5154->5153 5155 402c55 MulDiv wsprintfA SetWindowTextA SetDlgItemTextA 5154->5155 5155->5153 5156 404714 5157 404740 5156->5157 5158 404724 5156->5158 5160 404773 5157->5160 5161 404746 SHGetPathFromIDListA 5157->5161 5167 40557a GetDlgItemTextA 5158->5167 5163 404756 5161->5163 5166 40475d SendMessageA 5161->5166 5162 404731 SendMessageA 5162->5157 5164 40140b 2 API calls 5163->5164 5164->5166 5166->5160 5167->5162 4305 401d95 GetDC 4306 402aac 18 API calls 4305->4306 4307 401da7 GetDeviceCaps MulDiv ReleaseDC 4306->4307 4308 402aac 18 API calls 4307->4308 4309 401dd8 4308->4309 4310 405dc2 18 API calls 4309->4310 4311 401e15 CreateFontIndirectA 4310->4311 4312 40258a 4311->4312 4313 402695 4314 40269c 4313->4314 4316 40290b 4313->4316 4315 402aac 18 
API calls 4314->4315 4317 4026a3 4315->4317 4318 4026b2 SetFilePointer 4317->4318 4318->4316 4319 4026c2 4318->4319 4321 405cfe wsprintfA 4319->4321 4321->4316 5168 10001058 5170 10001074 5168->5170 5169 100010dc 5170->5169 5171 10001091 5170->5171 5172 100014bb GlobalFree 5170->5172 5173 100014bb GlobalFree 5171->5173 5172->5171 5174 100010a1 5173->5174 5175 100010b1 5174->5175 5176 100010a8 GlobalSize 5174->5176 5177 100010b5 GlobalAlloc 5175->5177 5178 100010c6 5175->5178 5176->5175 5179 100014e2 3 API calls 5177->5179 5180 100010d1 GlobalFree 5178->5180 5179->5178 5180->5169 5181 404099 lstrcpynA lstrlenA 5182 401d1a 5183 402aac 18 API calls 5182->5183 5184 401d28 SetWindowLongA 5183->5184 5185 40295e 5184->5185 4432 40159d 4433 402ace 18 API calls 4432->4433 4434 4015a4 SetFileAttributesA 4433->4434 4435 4015b6 4434->4435 5191 40149d 5192 4014ab PostQuitMessage 5191->5192 5193 4022dd 5191->5193 5192->5193 4436 401a1e 4437 402ace 18 API calls 4436->4437 4438 401a27 ExpandEnvironmentStringsA 4437->4438 4439 401a3b 4438->4439 4441 401a4e 4438->4441 4440 401a40 lstrcmpA 4439->4440 4439->4441 4440->4441 4620 40171f 4621 402ace 18 API calls 4620->4621 4622 401726 SearchPathA 4621->4622 4623 401741 4622->4623 5194 100010e0 5203 1000110e 5194->5203 5195 100011c4 GlobalFree 5196 100012ad 2 API calls 5196->5203 5197 100011c3 5197->5195 5198 10001266 2 API calls 5201 100011b1 GlobalFree 5198->5201 5199 10001155 GlobalAlloc 5199->5203 5200 100011ea GlobalFree 5200->5203 5201->5203 5202 100012d1 lstrcpyA 5202->5203 5203->5195 5203->5196 5203->5197 5203->5198 5203->5199 5203->5200 5203->5201 5203->5202 5204 10002162 5205 100021c0 5204->5205 5206 100021f6 5204->5206 5205->5206 5207 100021d2 GlobalAlloc 5205->5207 5207->5205 5208 401e25 5209 402aac 18 API calls 5208->5209 5210 401e2b 5209->5210 5211 402aac 18 API calls 5210->5211 5212 401e37 5211->5212 5213 401e43 ShowWindow 5212->5213 5214 401e4e EnableWindow 5212->5214 5215 40295e 5213->5215 5214->5215 5216 404f2d 5217 
404f51 5216->5217 5218 404f3d 5216->5218 5220 404f59 IsWindowVisible 5217->5220 5224 404f70 5217->5224 5219 404f43 5218->5219 5228 404f9a 5218->5228 5222 403fd1 SendMessageA 5219->5222 5223 404f66 5220->5223 5220->5228 5221 404f9f CallWindowProcA 5225 404f4d 5221->5225 5222->5225 5229 404884 SendMessageA 5223->5229 5224->5221 5234 404904 5224->5234 5228->5221 5230 4048e3 SendMessageA 5229->5230 5231 4048a7 GetMessagePos ScreenToClient SendMessageA 5229->5231 5233 4048db 5230->5233 5232 4048e0 5231->5232 5231->5233 5232->5230 5233->5224 5243 405da0 lstrcpynA 5234->5243 5236 404917 5244 405cfe wsprintfA 5236->5244 5238 404921 5239 40140b 2 API calls 5238->5239 5240 40492a 5239->5240 5245 405da0 lstrcpynA 5240->5245 5242 404931 5242->5228 5243->5236 5244->5238 5245->5242 5246 401f2d 5247 402ace 18 API calls 5246->5247 5248 401f34 5247->5248 5249 4060a4 2 API calls 5248->5249 5250 401f3a 5249->5250 5252 401f4c 5250->5252 5253 405cfe wsprintfA 5250->5253 5253->5252 5254 403ab2 5255 403c05 5254->5255 5256 403aca 5254->5256 5258 403c56 5255->5258 5259 403c16 GetDlgItem GetDlgItem 5255->5259 5256->5255 5257 403ad6 5256->5257 5260 403ae1 SetWindowPos 5257->5260 5261 403af4 5257->5261 5263 403cb0 5258->5263 5272 401389 2 API calls 5258->5272 5262 403f85 19 API calls 5259->5262 5260->5261 5265 403b11 5261->5265 5266 403af9 ShowWindow 5261->5266 5267 403c40 SetClassLongA 5262->5267 5264 403fd1 SendMessageA 5263->5264 5268 403c00 5263->5268 5294 403cc2 5264->5294 5269 403b33 5265->5269 5270 403b19 DestroyWindow 5265->5270 5266->5265 5271 40140b 2 API calls 5267->5271 5274 403b38 SetWindowLongA 5269->5274 5275 403b49 5269->5275 5273 403f0e 5270->5273 5271->5258 5276 403c88 5272->5276 5273->5268 5283 403f3f ShowWindow 5273->5283 5274->5268 5280 403bc0 5275->5280 5281 403b55 GetDlgItem 5275->5281 5276->5263 5277 403c8c SendMessageA 5276->5277 5277->5268 5278 40140b 2 API calls 5278->5294 5279 403f10 DestroyWindow EndDialog 5279->5273 5282 403fec 8 API calls 5280->5282 5284 403b85 

                                  Control-flow Graph
                                  APIs
                                  • SetErrorMode.KERNELBASE ref: 004031A5
                                  • GetVersion.KERNEL32 ref: 004031AB
                                  • lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004031D4
                                  • #17.COMCTL32(00000007,00000009), ref: 004031F6
                                  • OleInitialize.OLE32(00000000), ref: 004031FD
                                  • SHGetFileInfoA.SHELL32(0079D500,00000000,?,00000160,00000000), ref: 00403219
                                  • GetCommandLineA.KERNEL32(Pongids Setup,NSIS Error), ref: 0040322E
                                  • GetModuleHandleA.KERNEL32(00000000,"C:\Users\user\Desktop\nRNzqQOQwk.exe",00000000), ref: 00403241
                                  • CharNextA.USER32(00000000,"C:\Users\user\Desktop\nRNzqQOQwk.exe",00000020), ref: 0040326C
                                  • GetTempPathA.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020), ref: 00403369
                                  • GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 0040337A
                                  • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 00403386
                                  • GetTempPathA.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp), ref: 0040339A
                                  • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 004033A2
                                  • SetEnvironmentVariableA.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 004033B3
                                  • SetEnvironmentVariableA.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 004033BB
                                  • DeleteFileA.KERNELBASE(1033), ref: 004033CF
                                    • Part of subcall function 00406139: GetModuleHandleA.KERNEL32(?,?,?,004031EA,00000009), ref: 0040614B
                                    • Part of subcall function 00406139: GetProcAddress.KERNEL32(00000000,?), ref: 00406166
                                  • OleUninitialize.OLE32(?), ref: 0040347D
                                  • ExitProcess.KERNEL32 ref: 0040349E
                                  • GetCurrentProcess.KERNEL32(00000028,?), ref: 004035BB
                                  • OpenProcessToken.ADVAPI32(00000000), ref: 004035C2
                                  • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004035DA
                                  • AdjustTokenPrivileges.ADVAPI32(?,?,?,?,00000000,?,00000000,00000000,00000000), ref: 004035F9
                                  • ExitWindowsEx.USER32(00000002,80040002), ref: 0040361D
                                  • ExitProcess.KERNEL32 ref: 00403640
                                    • Part of subcall function 00405596: MessageBoxIndirectA.USER32(00409218), ref: 004055F1
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3789251743.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.3789230297.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789271823.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.000000000077A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.000000000077F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.0000000000784000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.0000000000787000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.000000000079F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.00000000007A8000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.00000000007C0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789586334.00000000007C3000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789586334.00000000007C5000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789586334.00000000007D3000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789586334.00000000007DC000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789586334.00000000007E2000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_nRNzqQOQwk.jbxd
                                  Similarity
                                  • API ID: Process$Exit$EnvironmentFileHandleModulePathTempTokenVariableWindowslstrcat$AddressAdjustCharCommandCurrentDeleteDirectoryErrorIndirectInfoInitializeLineLookupMessageModeNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrlen
                                  • String ID: "$"C:\Users\user\Desktop\nRNzqQOQwk.exe"$.tmp$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\nRNzqQOQwk.exe$C:\Users\user\slavelivets$C:\Users\user\slavelivets$Error launching installer$Low$NSIS Error$Pongids Setup$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
                                  • API String ID: 3329125770-738695933
                                  • Opcode ID: bbf1fb5b53fc7b28b57eed0d95e8f77975159f1cadf5f6a8baec224272584505
                                  • Instruction ID: 9be49b359e088d3119d2258a489a24960a077000951b0681bd3593dcca7d42e2
                                  • Opcode Fuzzy Hash: bbf1fb5b53fc7b28b57eed0d95e8f77975159f1cadf5f6a8baec224272584505
                                  • Instruction Fuzzy Hash: 03C107706086816EE7116F719D4DA2F3EACAF86306F44457FF482B52E2C77C4A058B2E
                                  APIs
                                    • Part of subcall function 10001215: GlobalAlloc.KERNEL32(00000040,10001233,?,100012CF,-1000404B,100011AB,-000000A0), ref: 1000121D
                                  • GlobalAlloc.KERNELBASE(00000040,000014A4), ref: 10001B67
                                  • lstrcpyA.KERNEL32(00000008,?), ref: 10001BAF
                                  • lstrcpyA.KERNEL32(00000408,?), ref: 10001BB9
                                  • GlobalFree.KERNEL32(00000000), ref: 10001BCC
                                  • GlobalFree.KERNEL32(?), ref: 10001CC4
                                  • GlobalFree.KERNEL32(?), ref: 10001CC9
                                  • GlobalFree.KERNEL32(?), ref: 10001CCE
                                  • GlobalFree.KERNEL32(00000000), ref: 10001E76
                                  • lstrcpyA.KERNEL32(?,?), ref: 10001FCA
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3796539761.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true
                                  • Associated: 00000000.00000002.3796514530.0000000010000000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000000.00000002.3796598036.0000000010003000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000000.00000002.3796620571.0000000010005000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_10000000_nRNzqQOQwk.jbxd
                                  Similarity
                                  • API ID: Global$Free$lstrcpy$Alloc
                                  • String ID:
                                  • API String ID: 4227406936-0
                                  • Opcode ID: 108015169a1f9511be137f3b76d088d284be53ebd3be1ec406ce9b744c5ee79e
                                  • Instruction ID: 780798ea066e4ece118e8e5fed0bf18c828ec290136deaf2e43fc5d0554b8685
                                  • Opcode Fuzzy Hash: 108015169a1f9511be137f3b76d088d284be53ebd3be1ec406ce9b744c5ee79e
                                  • Instruction Fuzzy Hash: 17129971D0424ADFFB20CFA4C8847EEBBF4FB043C4F61852AD5A1A2199DB749A81CB51

                                  Control-flow Graph
                                  APIs
                                  • GetVersion.KERNEL32(00000006,0079DD20,00000000,00404FF1,0079DD20,00000000), ref: 00405E73
                                  • GetSystemDirectoryA.KERNEL32(Call,00000400), ref: 00405EEE
                                  • GetWindowsDirectoryA.KERNEL32(Call,00000400), ref: 00405F01
                                  • SHGetSpecialFolderLocation.SHELL32(?,0078FCF8), ref: 00405F3D
                                  • SHGetPathFromIDListA.SHELL32(0078FCF8,Call), ref: 00405F4B
                                  • CoTaskMemFree.OLE32(0078FCF8), ref: 00405F56
                                  • lstrcatA.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 00405F78
                                  • lstrlenA.KERNEL32(Call,00000006,0079DD20,00000000,00404FF1,0079DD20,00000000), ref: 00405FCA
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3789251743.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_nRNzqQOQwk.jbxd
                                  Similarity
                                  • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
                                  • String ID: Call$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                  • API String ID: 900638850-1230650788
                                  • Opcode ID: 8aaebd9e83df3b37401bec0d629d687f6ba259a9d136d118ad02b0f801d1bc8a
                                  • Instruction ID: 6cdfcc9d134e5fa542626d346f44b404821d9f3efcf53b1aa70e88c92b4f8a03
                                  • Opcode Fuzzy Hash: 8aaebd9e83df3b37401bec0d629d687f6ba259a9d136d118ad02b0f801d1bc8a
                                  • Instruction Fuzzy Hash: A4610271A04A06AEEB115B24CC84BBF3BA8EB56314F54813BE541BA2D0D37D4981DF4E

                                  Control-flow Graph
                                  APIs
                                  • DeleteFileA.KERNELBASE(?,?,76F93410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 0040566B
                                  • lstrcatA.KERNEL32(0079F548,\*.*,0079F548,?,?,76F93410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004056B3
                                  • lstrcatA.KERNEL32(?,00409014,?,0079F548,?,?,76F93410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004056D4
                                  • lstrlenA.KERNEL32(?,?,00409014,?,0079F548,?,?,76F93410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004056DA
                                  • FindFirstFileA.KERNEL32(0079F548,?,?,?,00409014,?,0079F548,?,?,76F93410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004056EB
                                  • FindNextFileA.KERNEL32(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 00405798
                                  • FindClose.KERNEL32(00000000), ref: 004057A9
                                  Strings
                                  • \*.*, xrefs: 004056AD
                                  • C:\Users\user\AppData\Local\Temp\, xrefs: 0040564F
                                  • "C:\Users\user\Desktop\nRNzqQOQwk.exe", xrefs: 00405642
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3789251743.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_nRNzqQOQwk.jbxd
                                  Similarity
                                  • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                  • String ID: "C:\Users\user\Desktop\nRNzqQOQwk.exe"$C:\Users\user\AppData\Local\Temp\$\*.*
                                  • API String ID: 2035342205-4123645989
                                  • Opcode ID: 66d41853b2e100f8aa5dc84de00091d649ca301df736d3cc4483c22267dac329
                                  • Instruction ID: 760187f4f4892300bbc2109203202489edd73d97d78a60d5512a31c146a0733f
                                  • Opcode Fuzzy Hash: 66d41853b2e100f8aa5dc84de00091d649ca301df736d3cc4483c22267dac329
                                  • Instruction Fuzzy Hash: 8F51D631804A08EADB216B618C45BBF7B78DF42714F14813BF955721D1D77C8982EE6E

                                  Control-flow Graph
                                  APIs
                                  • RegOpenKeyExA.KERNELBASE(?,?,00000000,00000000,?), ref: 00402B2F
                                  • RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402B6B
                                  • RegCloseKey.ADVAPI32(?), ref: 00402B74
                                  • RegCloseKey.ADVAPI32(?), ref: 00402B99
                                  • RegDeleteKeyA.ADVAPI32(?,?), ref: 00402BB7
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3789251743.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_nRNzqQOQwk.jbxd
                                  Similarity
                                  • API ID: Close$DeleteEnumOpen
                                  • String ID:
                                  • API String ID: 1912718029-0
                                  • Opcode ID: 835a18ee0712391a14b10fd83abfdacb871c0e1db67dd3faae47ba34dcff1796
                                  • Instruction ID: e8770432982ab8decd1ca443e4f50ff6a20a1eaa2a88b85c41c9a6e6fa4e92e0
                                  • Opcode Fuzzy Hash: 835a18ee0712391a14b10fd83abfdacb871c0e1db67dd3faae47ba34dcff1796
                                  • Instruction Fuzzy Hash: 49117F36900109FFEF119F90DE89DAE3B7DEB55384F004076FA05B10A0D3B8AE51AB69
                                  APIs
                                  • FindFirstFileA.KERNELBASE(76F93410,0079FD90,C:\,00405943,C:\,C:\,00000000,C:\,C:\,76F93410,?,C:\Users\user\AppData\Local\Temp\,00405662,?,76F93410,C:\Users\user\AppData\Local\Temp\), ref: 004060AF
                                  • FindClose.KERNELBASE(00000000), ref: 004060BB
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3789251743.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_nRNzqQOQwk.jbxd
                                  Similarity
                                  • API ID: Find$CloseFileFirst
                                  • String ID: C:\
                                  • API String ID: 2295610775-3404278061
                                  • Opcode ID: d30bbc16997dfcf9f9a572ec6341a2188e66bfdc939d37fad3f946c8dc482195
                                  • Instruction ID: 4d264840bddbdcf8954fb0232b098af143b8be61859f100819b52cc90bd9207d
                                  • Opcode Fuzzy Hash: d30bbc16997dfcf9f9a572ec6341a2188e66bfdc939d37fad3f946c8dc482195
                                  • Instruction Fuzzy Hash: AAD0127595A1205BC71197787C0C84B7A589B053307114A32F46AF22E0D6349C7686E9

                                  Control-flow Graph
                                  control_flow_graph 128 403720-403738 call 406139 131 40373a-40374a call 405cfe 128->131 132 40374c-40377d call 405c87 128->132 140 4037a0-4037c9 call 4039e5 call 405900 131->140 136 403795-40379b lstrcatA 132->136 137 40377f-403790 call 405c87 132->137 136->140 137->136 146 403850-403858 call 405900 140->146 147 4037cf-4037d4 140->147 153 403866-40388b LoadImageA 146->153 154 40385a-403861 call 405dc2 146->154 147->146 148 4037d6-4037fa call 405c87 147->148 148->146 158 4037fc-4037fe 148->158 156 40390c-403914 call 40140b 153->156 157 40388d-4038bd RegisterClassA 153->157 154->153 171 403916-403919 156->171 172 40391e-403929 call 4039e5 156->172 159 4038c3-403907 SystemParametersInfoA CreateWindowExA 157->159 160 4039db 157->160 162 403800-40380d call 40583d 158->162 163 40380f-40381b lstrlenA 158->163 159->156 165 4039dd-4039e4 160->165 162->163 166 403843-40384b call 405812 call 405da0 163->166 167 40381d-40382b lstrcmpiA 163->167 166->146 167->166 170 40382d-403837 GetFileAttributesA 167->170 174 403839-40383b 170->174 175 40383d-40383e call 405859 170->175 171->165 181 4039b2-4039ba call 40508b 172->181 182 40392f-403949 ShowWindow call 4060cb 172->182 174->166 174->175 175->166 187 4039d4-4039d6 call 40140b 181->187 188 4039bc-4039c2 181->188 189 403955-403967 GetClassInfoA 182->189 190 40394b-403950 call 4060cb 182->190 187->160 188->171 193 4039c8-4039cf call 40140b 188->193 191 403969-403979 GetClassInfoA RegisterClassA 189->191 192 40397f-4039b0 DialogBoxParamA call 40140b call 403670 189->192 190->189 191->192 192->165 193->171
                                  APIs
                                    • Part of subcall function 00406139: GetModuleHandleA.KERNEL32(?,?,?,004031EA,00000009), ref: 0040614B
                                    • Part of subcall function 00406139: GetProcAddress.KERNEL32(00000000,?), ref: 00406166
                                  • lstrcatA.KERNEL32(1033,0079E540,80000001,Control Panel\Desktop\ResourceLocale,00000000,0079E540,00000000,00000002,76F93410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\nRNzqQOQwk.exe",00000000), ref: 0040379B
                                  • lstrlenA.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\slavelivets,1033,0079E540,80000001,Control Panel\Desktop\ResourceLocale,00000000,0079E540,00000000,00000002,76F93410), ref: 00403810
                                  • lstrcmpiA.KERNEL32(?,.exe), ref: 00403823
                                  • GetFileAttributesA.KERNEL32(Call), ref: 0040382E
                                  • LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\slavelivets), ref: 00403877
                                    • Part of subcall function 00405CFE: wsprintfA.USER32 ref: 00405D0B
                                  • RegisterClassA.USER32(007A16E0), ref: 004038B4
                                  • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 004038CC
                                  • CreateWindowExA.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403901
                                  • ShowWindow.USER32(00000005,00000000), ref: 00403937
                                  • GetClassInfoA.USER32(00000000,RichEdit20A,007A16E0), ref: 00403963
                                  • GetClassInfoA.USER32(00000000,RichEdit,007A16E0), ref: 00403970
                                  • RegisterClassA.USER32(007A16E0), ref: 00403979
                                  • DialogBoxParamA.USER32(?,00000000,00403AB2,00000000), ref: 00403998
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3789251743.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.3789230297.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789271823.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.000000000077A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.000000000077F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.0000000000784000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.0000000000787000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.000000000079F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.00000000007A8000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.00000000007C0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789586334.00000000007C3000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789586334.00000000007C5000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789586334.00000000007D3000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789586334.00000000007DC000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789586334.00000000007E2000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_nRNzqQOQwk.jbxd
                                  Similarity
                                  • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                  • String ID: "C:\Users\user\Desktop\nRNzqQOQwk.exe"$.DEFAULT\Control Panel\International$.exe$1033$@y$C:\Users\user\AppData\Local\Temp\$C:\Users\user\slavelivets$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
                                  • API String ID: 1975747703-971541054
                                  • Opcode ID: 72abac218aef0aa68c8201db2a2c7bc2da9bafc71593619d8738dd7e58f1acdc
                                  • Instruction ID: 69823c21e20ed545a36681f3e22a73ce5ba8c54c43716b07ce110ef4df70eff0
                                  • Opcode Fuzzy Hash: 72abac218aef0aa68c8201db2a2c7bc2da9bafc71593619d8738dd7e58f1acdc
                                  • Instruction Fuzzy Hash: 1361D6B5544240AEE310BF619C45F3B3AACEB85789F40857FF941B22E2D77D9D018A2D

                                  Control-flow Graph
                                  control_flow_graph 202 402cfa-402d48 GetTickCount GetModuleFileNameA call 405a13 205 402d54-402d82 call 405da0 call 405859 call 405da0 GetFileSize 202->205 206 402d4a-402d4f 202->206 214 402d88 205->214 215 402e6f-402e7d call 402c96 205->215 207 402f2c-402f30 206->207 217 402d8d-402da4 214->217 221 402ed2-402ed7 215->221 222 402e7f-402e82 215->222 219 402da6 217->219 220 402da8-402db1 call 403122 217->220 219->220 227 402db7-402dbe 220->227 228 402ed9-402ee1 call 402c96 220->228 221->207 225 402e84-402e9c call 403138 call 403122 222->225 226 402ea6-402ed0 GlobalAlloc call 403138 call 402f33 222->226 225->221 249 402e9e-402ea4 225->249 226->221 253 402ee3-402ef4 226->253 231 402dc0-402dd4 call 4059ce 227->231 232 402e3a-402e3e 227->232 228->221 240 402e48-402e4e 231->240 251 402dd6-402ddd 231->251 239 402e40-402e47 call 402c96 232->239 232->240 239->240 244 402e50-402e5a call 4061ae 240->244 245 402e5d-402e67 240->245 244->245 245->217 252 402e6d 245->252 249->221 249->226 251->240 255 402ddf-402de6 251->255 252->215 256 402ef6 253->256 257 402efc-402f01 253->257 255->240 258 402de8-402def 255->258 256->257 259 402f02-402f08 257->259 258->240 260 402df1-402df8 258->260 259->259 261 402f0a-402f25 SetFilePointer call 4059ce 259->261 260->240 263 402dfa-402e1a 260->263 264 402f2a 261->264 263->221 265 402e20-402e24 263->265 264->207 266 402e26-402e2a 265->266 267 402e2c-402e34 265->267 266->252 266->267 267->240 268 402e36-402e38 267->268 268->240
                                  APIs
                                  • GetTickCount.KERNEL32 ref: 00402D0B
                                  • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\nRNzqQOQwk.exe,00000400), ref: 00402D27
                                    • Part of subcall function 00405A13: GetFileAttributesA.KERNELBASE(?,00402D3A,C:\Users\user\Desktop\nRNzqQOQwk.exe,80000000,?), ref: 00405A17
                                    • Part of subcall function 00405A13: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405A39
                                  • GetFileSize.KERNEL32(00000000,00000000,007AA000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\nRNzqQOQwk.exe,C:\Users\user\Desktop\nRNzqQOQwk.exe,80000000,?), ref: 00402D73
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3789251743.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.3789230297.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789271823.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.000000000077A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.000000000077F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.0000000000784000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.0000000000787000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.000000000079F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.00000000007A8000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.00000000007C0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789586334.00000000007C3000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789586334.00000000007C5000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789586334.00000000007D3000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789586334.00000000007DC000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789586334.00000000007E2000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_nRNzqQOQwk.jbxd
                                  Similarity
                                  • API ID: File$AttributesCountCreateModuleNameSizeTick
                                  • String ID: T$"C:\Users\user\Desktop\nRNzqQOQwk.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\nRNzqQOQwk.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$`i$soft
                                  • API String ID: 4283519449-467953008
                                  • Opcode ID: 01abee4385eb3164d7f4254af187e376370b625cc9aa48c6f885a033e7c9399e
                                  • Instruction ID: 3261349ff2f4a6e0e52cb66aedc5a428c749111a9fc88119453a55b84fe8b48b
                                  • Opcode Fuzzy Hash: 01abee4385eb3164d7f4254af187e376370b625cc9aa48c6f885a033e7c9399e
                                  • Instruction Fuzzy Hash: 9A510671940215AFDB119F60DE89B9E7BB8EB44364F20413BF904B62D1D7BC8D408B9D

                                  Control-flow Graph
                                  control_flow_graph 600 401759-40177c call 402ace call 40587f 605 401786-401798 call 405da0 call 405812 lstrcatA 600->605 606 40177e-401784 call 405da0 600->606 611 40179d-4017a3 call 40600b 605->611 606->611 616 4017a8-4017ac 611->616 617 4017ae-4017b8 call 4060a4 616->617 618 4017df-4017e2 616->618 626 4017ca-4017dc 617->626 627 4017ba-4017c8 CompareFileTime 617->627 620 4017e4-4017e5 call 4059ee 618->620 621 4017ea-401806 call 405a13 618->621 620->621 628 401808-40180b 621->628 629 40187e-4018a7 call 404fb9 call 402f33 621->629 626->618 627->626 630 401860-40186a call 404fb9 628->630 631 40180d-40184f call 405da0 * 2 call 405dc2 call 405da0 call 405596 628->631 643 4018a9-4018ad 629->643 644 4018af-4018bb SetFileTime 629->644 641 401873-401879 630->641 631->616 663 401855-401856 631->663 645 402967 641->645 643->644 647 4018c1-4018cc CloseHandle 643->647 644->647 650 402969-40296d 645->650 648 4018d2-4018d5 647->648 649 40295e-402961 647->649 652 4018d7-4018e8 call 405dc2 lstrcatA 648->652 653 4018ea-4018ed call 405dc2 648->653 649->645 659 4018f2-4022d8 652->659 653->659 664 4022dd-4022e2 659->664 665 4022d8 call 405596 659->665 663->641 666 401858-401859 663->666 664->650 665->664 666->630
                                  APIs
                                  • lstrcatA.KERNEL32(00000000,00000000,Call,C:\Users\user\slavelivets,00000000,00000000,00000031), ref: 00401798
                                  • CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,C:\Users\user\slavelivets,00000000,00000000,00000031), ref: 004017C2
                                    • Part of subcall function 00405DA0: lstrcpynA.KERNEL32(?,?,00000400,0040322E,Pongids Setup,NSIS Error), ref: 00405DAD
                                    • Part of subcall function 00404FB9: lstrlenA.KERNEL32(0079DD20,00000000,0078FCF8,76F923A0,?,?,?,?,?,?,?,?,?,0040306B,00000000,?), ref: 00404FF2
                                    • Part of subcall function 00404FB9: lstrlenA.KERNEL32(0040306B,0079DD20,00000000,0078FCF8,76F923A0,?,?,?,?,?,?,?,?,?,0040306B,00000000), ref: 00405002
                                    • Part of subcall function 00404FB9: lstrcatA.KERNEL32(0079DD20,0040306B,0040306B,0079DD20,00000000,0078FCF8,76F923A0), ref: 00405015
                                    • Part of subcall function 00404FB9: SetWindowTextA.USER32(0079DD20,0079DD20), ref: 00405027
                                    • Part of subcall function 00404FB9: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040504D
                                    • Part of subcall function 00404FB9: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405067
                                    • Part of subcall function 00404FB9: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405075
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3789251743.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.3789230297.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789271823.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.000000000077A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.000000000077F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.0000000000784000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.0000000000787000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.000000000079F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.00000000007A8000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.00000000007C0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789586334.00000000007C3000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789586334.00000000007C5000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789586334.00000000007D3000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789586334.00000000007DC000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789586334.00000000007E2000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_nRNzqQOQwk.jbxd
                                  Similarity
                                  • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                  • String ID: C:\Users\user\AppData\Local\Temp\nsp9F8A.tmp$C:\Users\user\AppData\Local\Temp\nsp9F8A.tmp\System.dll$C:\Users\user\slavelivets$Call
                                  • API String ID: 1941528284-3652099504
                                  • Opcode ID: cdcb808499d7bb2f0a4c73bf048b8b395a32dade74052f7c380448fa0df2b33b
                                  • Instruction ID: dbbb128bf7935f0aed0e50e9380fc9841c9442f81e714e1827c6660095eaabca
                                  • Opcode Fuzzy Hash: cdcb808499d7bb2f0a4c73bf048b8b395a32dade74052f7c380448fa0df2b33b
                                  • Instruction Fuzzy Hash: FE41E772910515BACB107BB5CC49DAF7AB9EF45368B20C23BF121F10E1C77C8A418A6D

                                  Control-flow Graph
                                  control_flow_graph 667 40547f-4054ca CreateDirectoryA 668 4054d0-4054dd GetLastError 667->668 669 4054cc-4054ce 667->669 670 4054f7-4054f9 668->670 671 4054df-4054f3 SetFileSecurityA 668->671 669->670 671->669 672 4054f5 GetLastError 671->672 672->670
                                  APIs
                                  • CreateDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 004054C2
                                  • GetLastError.KERNEL32 ref: 004054D6
                                  • SetFileSecurityA.ADVAPI32(?,80000007,00000001), ref: 004054EB
                                  • GetLastError.KERNEL32 ref: 004054F5
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3789251743.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.3789230297.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789271823.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.000000000077A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.000000000077F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.0000000000784000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.0000000000787000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.000000000079F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.00000000007A8000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.00000000007C0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789586334.00000000007C3000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789586334.00000000007C5000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789586334.00000000007D3000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789586334.00000000007DC000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789586334.00000000007E2000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_nRNzqQOQwk.jbxd
                                  Similarity
                                  • API ID: ErrorLast$CreateDirectoryFileSecurity
                                  • String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$ds@$ts@
                                  • API String ID: 3449924974-3398839520
                                  • Opcode ID: f69d3160a82a2859f106a017fa20b71bd819ec85ae22b078452fa26fbc967781
                                  • Instruction ID: 09fe99030eccae78cb9d2ce19bbf77f9f972de75acbbd1990c032815ad2a971a
                                  • Opcode Fuzzy Hash: f69d3160a82a2859f106a017fa20b71bd819ec85ae22b078452fa26fbc967781
                                  • Instruction Fuzzy Hash: 2F010871D14259EADF119BA4C944BEFBFB8EB14315F00417AE904B6280E378A644CFAA

                                  Control-flow Graph

                                  APIs
                                  • GetDC.USER32(?), ref: 00401D98
                                  • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401DB2
                                  • MulDiv.KERNEL32(00000000,00000000), ref: 00401DBA
                                  • ReleaseDC.USER32(?,00000000), ref: 00401DCB
                                  • CreateFontIndirectA.GDI32(0040A7F0), ref: 00401E1A
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3789251743.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.3789230297.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789271823.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.000000000077A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.000000000077F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.0000000000784000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.0000000000787000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.000000000079F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.00000000007A8000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.00000000007C0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789586334.00000000007C3000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789586334.00000000007C5000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789586334.00000000007D3000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789586334.00000000007DC000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789586334.00000000007E2000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_nRNzqQOQwk.jbxd
                                  Similarity
                                  • API ID: CapsCreateDeviceFontIndirectRelease
                                  • String ID: Times New Roman
                                  • API String ID: 3808545654-927190056
                                  • Opcode ID: 648d7b0dc9db80ea036042f47a1e498ac7e57b814f90c6129580178fecebfba8
                                  • Instruction ID: 37723da549b7de6e047f5ddf6566bf04a0332ae81d9da388354d8b2e576e77f8
                                  • Opcode Fuzzy Hash: 648d7b0dc9db80ea036042f47a1e498ac7e57b814f90c6129580178fecebfba8
                                  • Instruction Fuzzy Hash: 3A015272948340AFE7006B70AE49F9A3FF4AB55315F10847AF241B62E2C6B904569B3E

                                  Control-flow Graph
                                  control_flow_graph 682 4060cb-4060eb GetSystemDirectoryA 683 4060ed 682->683 684 4060ef-4060f1 682->684 683->684 685 406101-406103 684->685 686 4060f3-4060fb 684->686 687 406104-406136 wsprintfA LoadLibraryExA 685->687 686->685 688 4060fd-4060ff 686->688 688->687
                                  APIs
                                  • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 004060E2
                                  • wsprintfA.USER32 ref: 0040611B
                                  • LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 0040612F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3789251743.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.3789230297.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789271823.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.000000000077A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.000000000077F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.0000000000784000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.0000000000787000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.000000000079F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.00000000007A8000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.00000000007C0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789586334.00000000007C3000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789586334.00000000007C5000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789586334.00000000007D3000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789586334.00000000007DC000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789586334.00000000007E2000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_nRNzqQOQwk.jbxd
                                  Similarity
                                  • API ID: DirectoryLibraryLoadSystemwsprintf
                                  • String ID: %s%s.dll$UXTHEME$\
                                  • API String ID: 2200240437-4240819195
                                  • Opcode ID: 38f932dad6d10820f3564912fa7e39c047c8ada2afd73a6a353afcde48b08f1a
                                  • Instruction ID: e39d6de12310bdbc02ec2e887020ee50980fcceaee6e7f6f8e64b4e94942106c
                                  • Opcode Fuzzy Hash: 38f932dad6d10820f3564912fa7e39c047c8ada2afd73a6a353afcde48b08f1a
                                  • Instruction Fuzzy Hash: 80F0FC30A40115A6EF1497A4DC0DFEB365CAB08305F140176A547E51D2D5B8E9248B69

                                  Control-flow Graph
                                  • Rendered as an image in the original report (legend: Executed / Not Executed). Recoverable content: function entry 00402F33, 63 basic blocks; API calls GetTickCount (blocks 402f94 and 403016), MulDiv and wsprintfA (block 40303b); internal calls to 00403122, 00403138, 00405ABA, 0040621C and 00404FB9.
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3789251743.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.3789230297.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789271823.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.000000000077A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.000000000077F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.0000000000784000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.0000000000787000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.000000000079F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.00000000007A8000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.00000000007C0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789586334.00000000007C3000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789586334.00000000007C5000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789586334.00000000007D3000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789586334.00000000007DC000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789586334.00000000007E2000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_nRNzqQOQwk.jbxd
                                  Similarity
                                  • API ID: CountTick$wsprintf
                                  • String ID: ... %d%%
                                  • API String ID: 551687249-2449383134
                                  • Opcode ID: 85c538cc075ba04794855290aa18cdf04ceba737772e139ba8f68ecbd5a835b1
                                  • Instruction ID: c8fbb3e8d9104581ad396ff7879acfc5b753e67115e275f424ba67d933986381
                                  • Opcode Fuzzy Hash: 85c538cc075ba04794855290aa18cdf04ceba737772e139ba8f68ecbd5a835b1
                                  • Instruction Fuzzy Hash: 6551A27280121AABCB10DF65DA44A9F7BB8EF44756F10413BF800B72C5C7788E51DBAA

                                  Control-flow Graph
                                  • Rendered as an image in the original report (legend: Executed / Not Executed). Recoverable content: function entry 004023D3, 12 basic blocks; API calls RegCreateKeyExA (block 4023d3), lstrlenA (block 402429), RegSetValueExA (block 402462) and RegCloseKey (block 40247b); internal calls to 00402BC3, 00402ACE, 00402AAC and 00402F33.
                                  APIs
                                  • RegCreateKeyExA.KERNELBASE(00000000,00000000,?,?,?,00000000,?,?,?,00000011,00000002), ref: 00402411
                                  • lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsp9F8A.tmp,00000023,?,?,?,00000000,?,?,?,00000011,00000002), ref: 00402431
                                  • RegSetValueExA.KERNELBASE(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsp9F8A.tmp,00000000,?,?,?,00000000,?,?,?,00000011,00000002), ref: 0040246E
                                  • RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsp9F8A.tmp,00000000,?,?,?,00000000,?,?,?,00000011,00000002), ref: 0040254F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3789251743.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.3789230297.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789271823.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.000000000077A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.000000000077F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.0000000000784000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.0000000000787000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.000000000079F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.00000000007A8000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.00000000007C0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789586334.00000000007C3000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789586334.00000000007C5000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789586334.00000000007D3000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789586334.00000000007DC000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789586334.00000000007E2000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_nRNzqQOQwk.jbxd
                                  Similarity
                                  • API ID: CloseCreateValuelstrlen
                                  • String ID: C:\Users\user\AppData\Local\Temp\nsp9F8A.tmp
                                  • API String ID: 1356686001-1975534377
                                  • Opcode ID: 58ca12bb9b10d669de694a7c47c1b43db751d89a42ce97c50d122ce1fa55df52
                                  • Instruction ID: 00e854f1b6d20388f4b464fcc1b804607db5fe0ac9957b4d3390b69bb90c797e
                                  • Opcode Fuzzy Hash: 58ca12bb9b10d669de694a7c47c1b43db751d89a42ce97c50d122ce1fa55df52
                                  • Instruction Fuzzy Hash: 3921A1B1E00109BEEB00EFA4DE49EAF7A78EB50358F20403AF505B61D1C6B85D019B28

                                  Control-flow Graph
                                  • Rendered as an image in the original report (legend: Executed / Not Executed). Recoverable content: function entry 00405A42, 6 basic blocks; API calls GetTickCount and GetTempFileNameA (block 405a4d), which is re-entered from block 405a7a (a retry loop around the temp-name generation).
                                  APIs
                                  • GetTickCount.KERNEL32 ref: 00405A56
                                  • GetTempFileNameA.KERNELBASE(?,?,00000000,?), ref: 00405A70
                                  Strings
                                  • C:\Users\user\AppData\Local\Temp\, xrefs: 00405A45
                                  • nsa, xrefs: 00405A4D
                                  • "C:\Users\user\Desktop\nRNzqQOQwk.exe", xrefs: 00405A42
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3789251743.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.3789230297.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789271823.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.000000000077A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.000000000077F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.0000000000784000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.0000000000787000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.000000000079F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.00000000007A8000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.00000000007C0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789586334.00000000007C3000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789586334.00000000007C5000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789586334.00000000007D3000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789586334.00000000007DC000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789586334.00000000007E2000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_nRNzqQOQwk.jbxd
                                  Similarity
                                  • API ID: CountFileNameTempTick
                                  • String ID: "C:\Users\user\Desktop\nRNzqQOQwk.exe"$C:\Users\user\AppData\Local\Temp\$nsa
                                  • API String ID: 1716503409-1669564857
                                  • Opcode ID: a71f6d19a672690ae76045f6a92713abfaab32ef542e638d1cc3651a1fbf987a
                                  • Instruction ID: a3d8867ec022398f00e7cc0b64f9ef92c2764b579e17a6718397eb4594f2c545
                                  • Opcode Fuzzy Hash: a71f6d19a672690ae76045f6a92713abfaab32ef542e638d1cc3651a1fbf987a
                                  • Instruction Fuzzy Hash: 07F0E2327082047BDB108F55EC44B9B7B9CDF91750F10C037FE049A180D2B198448F59

                                  Control-flow Graph
                                  • Rendered as an image in the original report (legend: Executed / Not Executed). Recoverable content: function entry 100016BD (module based at 10000000), 30 basic blocks; API calls GlobalFree (blocks 10001752 and 10001803) and FreeLibrary (block 100017de); internal calls to 10001A5D, 100021B0, 100021FA, 100023DA, 10001559, 10001266, 100027E8, 10002AA3, 10002589, 100023A0 and 100014E2.
                                  APIs
                                    • Part of subcall function 10001A5D: GlobalFree.KERNEL32(?), ref: 10001CC4
                                    • Part of subcall function 10001A5D: GlobalFree.KERNEL32(?), ref: 10001CC9
                                    • Part of subcall function 10001A5D: GlobalFree.KERNEL32(?), ref: 10001CCE
                                  • GlobalFree.KERNEL32(00000000), ref: 10001768
                                  • FreeLibrary.KERNEL32(?), ref: 100017DF
                                  • GlobalFree.KERNEL32(00000000), ref: 10001804
                                    • Part of subcall function 100021B0: GlobalAlloc.KERNEL32(00000040,7D8BEC45), ref: 100021E2
                                    • Part of subcall function 10002589: GlobalAlloc.KERNEL32(00000040,?,?,?,00000000,?,?,?,?,10001739,00000000), ref: 100025FB
                                    • Part of subcall function 10001559: lstrcpyA.KERNEL32(00000000,10004010,00000000,10001695,00000000), ref: 10001572
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3796539761.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true
                                  • Associated: 00000000.00000002.3796514530.0000000010000000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000000.00000002.3796598036.0000000010003000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000000.00000002.3796620571.0000000010005000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_10000000_nRNzqQOQwk.jbxd
                                  Similarity
                                  • API ID: Global$Free$Alloc$Librarylstrcpy
                                  • String ID:
                                  • API String ID: 1791698881-3916222277
                                  • Opcode ID: ee4c9fc9ebc314f30cf8369a5322713cb2bdaef71cd7754c4cd252d6b1501433
                                  • Instruction ID: 7bd52774c71d274dd6e07030a7ef65efb9a892d3f5f2eddd47f658e3267813e4
                                  • Opcode Fuzzy Hash: ee4c9fc9ebc314f30cf8369a5322713cb2bdaef71cd7754c4cd252d6b1501433
                                  • Instruction Fuzzy Hash: B5319C79408205DAFB41DF649CC5BCA37ECFF042D5F018465FA0A9A09EDF78A8858B60

                                  Control-flow Graph
                                  • Rendered as an image in the original report (legend: Executed / Not Executed). Recoverable content: function entry 00405900, 12 basic blocks; API calls lstrlenA (block 405952) and GetFileAttributesA (block 40595d); internal calls to 00405DA0, 004058AB, 0040600B, 00405812, 004060A4 and 00405859.
                                  APIs
                                    • Part of subcall function 00405DA0: lstrcpynA.KERNEL32(?,?,00000400,0040322E,Pongids Setup,NSIS Error), ref: 00405DAD
                                    • Part of subcall function 004058AB: CharNextA.USER32(?,?,C:\,?,00405917,C:\,C:\,76F93410,?,C:\Users\user\AppData\Local\Temp\,00405662,?,76F93410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004058B9
                                    • Part of subcall function 004058AB: CharNextA.USER32(00000000), ref: 004058BE
                                    • Part of subcall function 004058AB: CharNextA.USER32(00000000), ref: 004058D2
                                  • lstrlenA.KERNEL32(C:\,00000000,C:\,C:\,76F93410,?,C:\Users\user\AppData\Local\Temp\,00405662,?,76F93410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405953
                                  • GetFileAttributesA.KERNELBASE(C:\,C:\,C:\,C:\,C:\,C:\,00000000,C:\,C:\,76F93410,?,C:\Users\user\AppData\Local\Temp\,00405662,?,76F93410,C:\Users\user\AppData\Local\Temp\), ref: 00405963
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3789251743.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.3789230297.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789271823.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.000000000077A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.000000000077F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.0000000000784000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.0000000000787000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.000000000079F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.00000000007A8000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.00000000007C0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789586334.00000000007C3000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789586334.00000000007C5000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789586334.00000000007D3000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789586334.00000000007DC000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789586334.00000000007E2000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_nRNzqQOQwk.jbxd
                                  Similarity
                                  • API ID: CharNext$AttributesFilelstrcpynlstrlen
                                  • String ID: C:\$C:\Users\user\AppData\Local\Temp\
                                  • API String ID: 3248276644-263117582
                                  • Opcode ID: 2b232cbcfe35a2a259e0e65083c3ab1013c8774cdbeba63489dc7f6696da3121
                                  • Instruction ID: 7328fd33adb38864c40c3ad9044401c3b5e3aae7bd0e1b9e961d96be1e2df883
                                  • Opcode Fuzzy Hash: 2b232cbcfe35a2a259e0e65083c3ab1013c8774cdbeba63489dc7f6696da3121
                                  • Instruction Fuzzy Hash: D5F0A466115D6096D722333A1C05B9F1A48CEC2374759453BF891F12D2DB3C8953DD7E
                                  APIs
                                  • GetModuleHandleA.KERNELBASE(00000000,00000001,000000F0), ref: 0040202A
                                    • Part of subcall function 00404FB9: lstrlenA.KERNEL32(0079DD20,00000000,0078FCF8,76F923A0,?,?,?,?,?,?,?,?,?,0040306B,00000000,?), ref: 00404FF2
                                    • Part of subcall function 00404FB9: lstrlenA.KERNEL32(0040306B,0079DD20,00000000,0078FCF8,76F923A0,?,?,?,?,?,?,?,?,?,0040306B,00000000), ref: 00405002
                                    • Part of subcall function 00404FB9: lstrcatA.KERNEL32(0079DD20,0040306B,0040306B,0079DD20,00000000,0078FCF8,76F923A0), ref: 00405015
                                    • Part of subcall function 00404FB9: SetWindowTextA.USER32(0079DD20,0079DD20), ref: 00405027
                                    • Part of subcall function 00404FB9: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040504D
                                    • Part of subcall function 00404FB9: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405067
                                    • Part of subcall function 00404FB9: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405075
                                  • LoadLibraryExA.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 0040203A
                                  • GetProcAddress.KERNEL32(00000000,?), ref: 0040204A
                                  • FreeLibrary.KERNELBASE(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 004020B4
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3789251743.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.3789230297.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789271823.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.000000000077A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.000000000077F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.0000000000784000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.0000000000787000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.000000000079F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.00000000007A8000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.00000000007C0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789586334.00000000007C3000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789586334.00000000007C5000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789586334.00000000007D3000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789586334.00000000007DC000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789586334.00000000007E2000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_nRNzqQOQwk.jbxd
                                  Similarity
                                  • API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
                                  • String ID:
                                  • API String ID: 2987980305-0
                                  • Opcode ID: 4202f4d316499dad14767a3dddc2a55a2a20820dc3803045f4bbb6100d55ec8c
                                  • Instruction ID: 6acd92e4f6ebcd949653744c87f359efbc1ef98484dd96508818b65b31ed9250
                                  • Opcode Fuzzy Hash: 4202f4d316499dad14767a3dddc2a55a2a20820dc3803045f4bbb6100d55ec8c
                                  • Instruction Fuzzy Hash: 5921F671E00225EBDF307FA48F48AAE7A706B45354F20023BF701B22D1C6BE4A42D65E
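The listings above (the routine at 004060CB that builds a DLL path from the system directory and loads it with LoadLibraryExA, and the routine at 00402020 that pairs GetModuleHandleA/LoadLibraryExA with GetProcAddress before FreeLibrary) are in Joe Sandbox's one-call-per-line format. The following Python is an added triage helper, not part of this report and not Joe Sandbox code: it parses such lines into records, decodes the LoadLibraryExA dwFlags argument against the documented Win32 bit values, and labels a few call patterns a reviewer would want pulled out of a long dump. The sample input is copied from the two listings above; the label names and the pattern heuristics are this example's own choices, not the sandbox's signatures.

```python
"""Triage helper for Joe Sandbox function-level "APIs" listings.

Added example, not part of the report: it parses lines such as
    • LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 0040612F
into records and labels a few call patterns worth a second look.
"""
import re
from typing import Dict, List, Optional

# One API line. The bullet and the "Part of subcall function X:" prefix are
# optional; the argument list is absent for zero-argument calls, which the
# report prints as "GetTickCount.KERNEL32 ref: 00405A56".
API_LINE = re.compile(
    r"^\s*(?:•\s*)?"
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>[A-Za-z_]\w*)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Documented LoadLibraryEx dwFlags bits (subset).
LOADLIB_FLAGS = {
    0x1: "DONT_RESOLVE_DLL_REFERENCES",
    0x2: "LOAD_LIBRARY_AS_DATAFILE",
    0x8: "LOAD_WITH_ALTERED_SEARCH_PATH",
    0x800: "LOAD_LIBRARY_SEARCH_SYSTEM32",
    0x1000: "LOAD_LIBRARY_SEARCH_DEFAULT_DIRS",
}

# Sample input copied from the report's listings for 004060CB and 00402020.
SAMPLE_UXTHEME = """
• GetSystemDirectoryA.KERNEL32(?,00000104), ref: 004060E2
• wsprintfA.USER32 ref: 0040611B
• LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 0040612F
"""

SAMPLE_DYNCALL = """
• GetModuleHandleA.KERNELBASE(00000000,00000001,000000F0), ref: 0040202A
  • Part of subcall function 00404FB9: lstrlenA.KERNEL32(0079DD20,00000000,0078FCF8,76F923A0,?,?,?,?,?,?,?,?,?,0040306B,00000000,?), ref: 00404FF2
  • Part of subcall function 00404FB9: SetWindowTextA.USER32(0079DD20,0079DD20), ref: 00405027
• LoadLibraryExA.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 0040203A
• GetProcAddress.KERNEL32(00000000,?), ref: 0040204A
• FreeLibrary.KERNELBASE(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 004020B4
"""


def parse_api_lines(text: str) -> List[Dict]:
    """Return one record per API line; lines that do not match are ignored."""
    records = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        raw = m.group("args")
        records.append({
            "api": m.group("api"),
            "module": m.group("mod"),
            "args": [a.strip() for a in raw.split(",")] if raw else [],
            "ref": int(m.group("ref"), 16),          # call-site address
            "subcall": int(m.group("sub"), 16) if m.group("sub") else None,
        })
    return records


def arg_int(value: str) -> Optional[int]:
    """The report prints resolved scalar arguments as 8 hex digits; '?' and
    string arguments stay unresolved and yield None."""
    return int(value, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", value) else None


def decode_loadlibrary_flags(flags: int) -> List[str]:
    """Names of the known dwFlags bits set in `flags`, lowest bit first."""
    return [name for bit, name in sorted(LOADLIB_FLAGS.items()) if flags & bit]


def flag_patterns(records: List[Dict]) -> List[str]:
    """Heuristic labels for the direct (non-subcall) calls of one function,
    evaluated in call-site order."""
    direct = sorted((r for r in records if r["subcall"] is None), key=lambda r: r["ref"])
    apis = [r["api"] for r in direct]
    found = []
    # A module handle or library load followed by GetProcAddress: imports resolved at run time.
    loads = [i for i, a in enumerate(apis) if a.startswith("LoadLibrary") or a == "GetModuleHandleA"]
    if loads and "GetProcAddress" in apis[loads[0]:]:
        found.append("dynamic-api-resolution")
    # DLL path assembled from the system directory with wsprintf, then loaded.
    if {"GetSystemDirectoryA", "wsprintfA"} <= set(apis) and any(a.startswith("LoadLibrary") for a in apis):
        found.append("system-dir-dll-load")
    # Registry value written under a key the sample creates itself.
    if "RegCreateKeyExA" in apis and "RegSetValueExA" in apis:
        found.append("registry-value-write")
    if "GetTempFileNameA" in apis:
        found.append("temp-file-create")
    # Decode the dwFlags argument (third parameter) of every LoadLibraryExA call.
    for r in direct:
        if r["api"] == "LoadLibraryExA" and len(r["args"]) >= 3:
            flags = arg_int(r["args"][2])
            if flags is not None:
                found.append("LoadLibraryExA flags: " + "|".join(decode_loadlibrary_flags(flags) or ["0"]))
    return found


def triage(text: str) -> List[str]:
    return flag_patterns(parse_api_lines(text))


if __name__ == "__main__":
    for name, sample in (("004060CB", SAMPLE_UXTHEME), ("00402020", SAMPLE_DYNCALL)):
        print(name, triage(sample))
```

Subcall lines are parsed but excluded from the pattern check on purpose: the report attributes them to the callee (00404FB9 here), so counting them against the caller would make every function that touches the NSIS status window look like a string-handling routine. Argument decoding is deliberately limited to the 8-hex-digit form; the trailing values the report prints past a function's real parameter count are stack residue and are not interpreted.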
                                  APIs
                                    • Part of subcall function 004058AB: CharNextA.USER32(?,?,C:\,?,00405917,C:\,C:\,76F93410,?,C:\Users\user\AppData\Local\Temp\,00405662,?,76F93410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004058B9
                                    • Part of subcall function 004058AB: CharNextA.USER32(00000000), ref: 004058BE
                                    • Part of subcall function 004058AB: CharNextA.USER32(00000000), ref: 004058D2
                                  • GetFileAttributesA.KERNELBASE(00000000,00000000,00000000,0000005C,00000000,000000F0), ref: 0040160D
                                    • Part of subcall function 0040547F: CreateDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 004054C2
                                  • SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\slavelivets,00000000,00000000,000000F0), ref: 0040163C
                                  Strings
                                  • C:\Users\user\slavelivets, xrefs: 00401631
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3789251743.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.3789230297.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789271823.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.000000000077A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.000000000077F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.0000000000784000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.0000000000787000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.000000000079F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.00000000007A8000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.00000000007C0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789586334.00000000007C3000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789586334.00000000007C5000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789586334.00000000007D3000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789586334.00000000007DC000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789586334.00000000007E2000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_nRNzqQOQwk.jbxd
                                  Similarity
                                  • API ID: CharNext$Directory$AttributesCreateCurrentFile
                                  • String ID: C:\Users\user\slavelivets
                                  • API String ID: 1892508949-3386343164
                                  • Opcode ID: 6bc0dae3d02dedea01775736eece2e422667a5252a9e6a0cfe147c79ae2cd54f
                                  • Instruction ID: f4e9a0c94948f709858838e9eb50a0f2792b4ff72a3a1ac07d5dbe4c8cdc963c
                                  • Opcode Fuzzy Hash: 6bc0dae3d02dedea01775736eece2e422667a5252a9e6a0cfe147c79ae2cd54f
                                  • Instruction Fuzzy Hash: D3112731508052EBDB217BB54D409BF26B09E92324B28457FF8D2B22E2D63D4D43A63F
                                  APIs
                                  • RegOpenKeyExA.KERNELBASE(80000002,00405ECC,00000000,00000002,?,00000002,003804CD,?,00405ECC,80000002,Software\Microsoft\Windows\CurrentVersion,003804CD,Call,00B22445), ref: 00405CB0
                                  • RegQueryValueExA.KERNELBASE(003804CD,?,00000000,00405ECC,003804CD,00405ECC), ref: 00405CD1
                                  • RegCloseKey.KERNELBASE(?), ref: 00405CF2
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3789251743.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_nRNzqQOQwk.jbxd
                                  Similarity
                                  • API ID: CloseOpenQueryValue
                                  • String ID:
                                  • API String ID: 3677997916-0
                                  • Opcode ID: 0c8888e50600bbfc423f29d3e13c34afc4b2d72f1a725d9a4029968a390a76be
                                  • Instruction ID: a78e2699c87532439836dc2b9ae7a1408ac691edae8af3cd19914ba1cc6957ae
                                  • Opcode Fuzzy Hash: 0c8888e50600bbfc423f29d3e13c34afc4b2d72f1a725d9a4029968a390a76be
                                  • Instruction Fuzzy Hash: 9C015A7254420AEFEB128F65EC45EEB3FACEF14354F004436F905A6220D235D964DBA5
                                  APIs
                                  • VirtualAllocEx.KERNELBASE(00000000), ref: 100028A7
                                  • GetLastError.KERNEL32 ref: 100029AE
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3796539761.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true
                                  • Associated: 00000000.00000002.3796514530.0000000010000000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000000.00000002.3796598036.0000000010003000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000000.00000002.3796620571.0000000010005000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_10000000_nRNzqQOQwk.jbxd
                                  Similarity
                                  • API ID: AllocErrorLastVirtual
                                  • String ID:
                                  • API String ID: 497505419-0
                                  • Opcode ID: 7af5c486cb8ea8547353861cfd678fbd8d20862330e18d67419e74999799b2ae
                                  • Instruction ID: 700bf99a33fcd989ee77f819fa46e2371db99389a88ce2eb288524e3b596c0af
                                  • Opcode Fuzzy Hash: 7af5c486cb8ea8547353861cfd678fbd8d20862330e18d67419e74999799b2ae
                                  • Instruction Fuzzy Hash: 9751A2BA908214DFFB10DF64DCC674937A4EB443D4F21842AEA08E726DCF34A9808B95
                                  APIs
                                    • Part of subcall function 00402BD8: RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402C00
                                  • RegQueryValueExA.ADVAPI32(00000000,00000000,?,?,?,?), ref: 004024B3
                                  • RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsp9F8A.tmp,00000000,?,?,?,00000000,?,?,?,00000011,00000002), ref: 0040254F
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3789251743.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_nRNzqQOQwk.jbxd
                                  Similarity
                                  • API ID: CloseOpenQueryValue
                                  • String ID:
                                  • API String ID: 3677997916-0
                                  • Opcode ID: 4dbe4e27a5dd0c3d8049c72a419abcba5a776563f6d5143b74a27c3584d80593
                                  • Instruction ID: 0483b46094dd03155b9d0e3ed9d5b90596ace3d3fa60599072770b53af9213ab
                                  • Opcode Fuzzy Hash: 4dbe4e27a5dd0c3d8049c72a419abcba5a776563f6d5143b74a27c3584d80593
                                  • Instruction Fuzzy Hash: 8811E371A05205EFDB20CF60CA985AEBBB4AF00359F20443FE142B72C0D2B84A81DB5A
                                  APIs
                                  • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                                  • SendMessageA.USER32(?,00000402,00000000), ref: 004013F4
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3789251743.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_nRNzqQOQwk.jbxd
                                  Similarity
                                  • API ID: MessageSend
                                  • String ID:
                                  • API String ID: 3850602802-0
                                  • Opcode ID: b63ad44f694a207690e677ec35bda8f999f5426b301403e6904e10af90410016
                                  • Instruction ID: 00097469377630013da62b9f7c31fbdee85021c234e60ac5accdaffcc3ed26dc
                                  • Opcode Fuzzy Hash: b63ad44f694a207690e677ec35bda8f999f5426b301403e6904e10af90410016
                                  • Instruction Fuzzy Hash: BE01F4316242209BF7194B389C04B6A3698E751354F10813BF811F62F1D678DC028B4D
                                  APIs
                                    • Part of subcall function 00402BD8: RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402C00
                                  • RegDeleteValueA.ADVAPI32(00000000,00000000,00000033), ref: 00402396
                                  • RegCloseKey.ADVAPI32(00000000), ref: 0040239F
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3789251743.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_nRNzqQOQwk.jbxd
                                  Similarity
                                  • API ID: CloseDeleteOpenValue
                                  • String ID:
                                  • API String ID: 849931509-0
                                  • Opcode ID: 70659a9ee038d5685ea3a72684203d97b2a691ce60163f99cecfca3f3fbf0de4
                                  • Instruction ID: 60c1e4243d723511b4c64426b25872ec533dbc6a778a8c73d92c97a5d2103592
                                  • Opcode Fuzzy Hash: 70659a9ee038d5685ea3a72684203d97b2a691ce60163f99cecfca3f3fbf0de4
                                  • Instruction Fuzzy Hash: 37F0A472A00111ABD710AFA09A8E9BE72A89B40344F24043BF201B71C0D5BD5D019769
                                  APIs
                                  • ExpandEnvironmentStringsA.KERNELBASE(00000000,?,00000400,00000001), ref: 00401A31
                                  • lstrcmpA.KERNEL32(?,?,?,00000400,00000001), ref: 00401A44
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3789251743.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_nRNzqQOQwk.jbxd
                                  Similarity
                                  • API ID: EnvironmentExpandStringslstrcmp
                                  • String ID:
                                  • API String ID: 1938659011-0
                                  • Opcode ID: 226ebda8d49e57add1e4023c770b03d66c0131867e800262347fb4bcf4abde27
                                  • Instruction ID: 4f813d77772bd54bf890c65dc17d1f1cff84f8c3aa104cf5f65d7bfaad8725e5
                                  • Opcode Fuzzy Hash: 226ebda8d49e57add1e4023c770b03d66c0131867e800262347fb4bcf4abde27
                                  • Instruction Fuzzy Hash: 3BF08231B05241EBCB20DF659D45A9A7FE8EFD1394B10843BE145F6190D2388541DA69
                                  APIs
                                  • GetModuleHandleA.KERNEL32(?,?,?,004031EA,00000009), ref: 0040614B
                                  • GetProcAddress.KERNEL32(00000000,?), ref: 00406166
                                    • Part of subcall function 004060CB: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 004060E2
                                    • Part of subcall function 004060CB: wsprintfA.USER32 ref: 0040611B
                                    • Part of subcall function 004060CB: LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 0040612F
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3789251743.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_nRNzqQOQwk.jbxd
                                  Similarity
                                  • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                                  • String ID:
                                  • API String ID: 2547128583-0
                                  • Opcode ID: ad31075058678b318fb1acd60a85244af91915838e2bda58b2d8d9f4dd3fd24d
                                  • Instruction ID: 8cdf97aa15b56aed8909a69d1313546704d2aaf6dd9f7bed8459987902a8e277
                                  • Opcode Fuzzy Hash: ad31075058678b318fb1acd60a85244af91915838e2bda58b2d8d9f4dd3fd24d
                                  • Instruction Fuzzy Hash: EFE08632608111AAD31067705E0493B73B89A84710302083EF506F6292D7389C2196A9
                                  APIs
                                  • GetFileAttributesA.KERNELBASE(?,00402D3A,C:\Users\user\Desktop\nRNzqQOQwk.exe,80000000,?), ref: 00405A17
                                  • CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405A39
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3789251743.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_nRNzqQOQwk.jbxd
                                  Similarity
                                  • API ID: File$AttributesCreate
                                  • String ID:
                                  • API String ID: 415043291-0
                                  • Opcode ID: 8635a13517db9147ca88e6c1994c1e63e85e115acab2f3846d9047911b568965
                                  • Instruction ID: 2848333a8a5b20597e43067d17cc290ce391feab13c7f73248cb22e1b8f9cacf
                                  • Opcode Fuzzy Hash: 8635a13517db9147ca88e6c1994c1e63e85e115acab2f3846d9047911b568965
                                  • Instruction Fuzzy Hash: 5CD09E31658301AFEF098F20DD16F2EBAA2EB84B01F10962CBA82950E0D6755C159B26
                                  APIs
                                  • CreateDirectoryA.KERNELBASE(?,00000000,00403173,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403370), ref: 00405502
                                  • GetLastError.KERNEL32 ref: 00405510
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3789251743.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.3789230297.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789271823.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.000000000077A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.000000000077F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.0000000000784000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.0000000000787000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.000000000079F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.00000000007A8000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.00000000007C0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789586334.00000000007C3000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789586334.00000000007C5000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789586334.00000000007D3000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789586334.00000000007DC000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789586334.00000000007E2000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_nRNzqQOQwk.jbxd
                                  Similarity
                                  • API ID: CreateDirectoryErrorLast
                                  • String ID:
                                  • API String ID: 1375471231-0
                                  • Opcode ID: 5a69f4d8b5a7b583b3b8a13bd9b089cb74a3312a80339e25d7f83e3ab18a8421
                                  • Instruction ID: 104873d821a1170e2273ca40e0eecd38832efcbc0b1179f41fab49dbd7078dd9
                                  • Opcode Fuzzy Hash: 5a69f4d8b5a7b583b3b8a13bd9b089cb74a3312a80339e25d7f83e3ab18a8421
                                  • Instruction Fuzzy Hash: 23C04C70629501FBDA106B209E097177D55AB90745F1049766106E20F4DA749451D92E
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3789251743.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.3789230297.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789271823.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.000000000077A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.000000000077F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.0000000000784000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.0000000000787000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.000000000079F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.00000000007A8000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.00000000007C0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789586334.00000000007C3000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789586334.00000000007C5000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789586334.00000000007D3000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789586334.00000000007DC000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789586334.00000000007E2000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_nRNzqQOQwk.jbxd
                                  Similarity
                                  • API ID: wsprintf
                                  • String ID:
                                  • API String ID: 2111968516-0
                                  • Opcode ID: 4ba2856da63ff7f435db743ac2a14cc2248dd3629aba4a8dceb7604ea70bc87f
                                  • Instruction ID: cbf00d81cb97437f3a5b335f5c35441536f11fd869f9e222d526ef6a243a720c
                                  • Opcode Fuzzy Hash: 4ba2856da63ff7f435db743ac2a14cc2248dd3629aba4a8dceb7604ea70bc87f
                                  • Instruction Fuzzy Hash: 9521C970D0429ABEDF218B9885486AEBF749F01314F1445BFEC95B63D1C2BE8A81CF19
                                  APIs
                                  • SetFilePointer.KERNELBASE(00000000,?,00000000,?,?), ref: 004026B3
                                    • Part of subcall function 00405CFE: wsprintfA.USER32 ref: 00405D0B
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3789251743.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.3789230297.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789271823.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.000000000077A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.000000000077F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.0000000000784000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.0000000000787000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.000000000079F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.00000000007A8000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.00000000007C0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789586334.00000000007C3000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789586334.00000000007C5000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789586334.00000000007D3000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789586334.00000000007DC000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789586334.00000000007E2000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_nRNzqQOQwk.jbxd
                                  Similarity
                                  • API ID: FilePointerwsprintf
                                  • String ID:
                                  • API String ID: 327478801-0
                                  • Opcode ID: abf4405e99e4dcb85fe8fe58243fd46f792263ec105484f86c7cee990d7a89bb
                                  • Instruction ID: fecccce0915ab20f046520e702d9d3c2ebd546ffbad39029680d96f2603726cc
                                  • Opcode Fuzzy Hash: abf4405e99e4dcb85fe8fe58243fd46f792263ec105484f86c7cee990d7a89bb
                                  • Instruction Fuzzy Hash: B8E01BB1B05115AFD701EB956A4987F7769DF40328F10443BF141F50D1C67E4D429B6D
                                  APIs
                                  • WritePrivateProfileStringA.KERNEL32(00000000,00000000,?,00000000), ref: 0040232B
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3789251743.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.3789230297.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789271823.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.000000000077A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.000000000077F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.0000000000784000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.0000000000787000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.000000000079F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.00000000007A8000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.00000000007C0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789586334.00000000007C3000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789586334.00000000007C5000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789586334.00000000007D3000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789586334.00000000007DC000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789586334.00000000007E2000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_nRNzqQOQwk.jbxd
                                  Similarity
                                  • API ID: PrivateProfileStringWrite
                                  • String ID:
                                  • API String ID: 390214022-0
                                  • Opcode ID: 6b5e48cc008279052f1a47b51cc32cf127a00dc2733201354761e156b3ebbbdf
                                  • Instruction ID: 5f6267e841dd840bf6295cbe1617e7a0042591bb1814ca2e8a4844537e2a2c78
                                  • Opcode Fuzzy Hash: 6b5e48cc008279052f1a47b51cc32cf127a00dc2733201354761e156b3ebbbdf
                                  • Instruction Fuzzy Hash: 67E04F31B001246BD7307AB10F8E97F10999BC4304B39153ABA01B62C6EDBC4C414AB9
                                  APIs
                                  • SearchPathA.KERNELBASE(?,00000000,?,00000400,?,?,000000FF), ref: 00401733
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3789251743.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.3789230297.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789271823.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.000000000077A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.000000000077F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.0000000000784000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.0000000000787000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.000000000079F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.00000000007A8000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.00000000007C0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789586334.00000000007C3000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789586334.00000000007C5000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789586334.00000000007D3000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789586334.00000000007DC000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789586334.00000000007E2000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_nRNzqQOQwk.jbxd
                                  Similarity
                                  • API ID: PathSearch
                                  • String ID:
                                  • API String ID: 2203818243-0
                                  • Opcode ID: 65278b850fb128378873a50eca4da36d0eedd748e79966e133675203528cf855
                                  • Instruction ID: e4e3c42305c0b2198e0aecdca264a5a1b937f2a52f25dfaad176198492f8ea82
                                  • Opcode Fuzzy Hash: 65278b850fb128378873a50eca4da36d0eedd748e79966e133675203528cf855
                                  • Instruction Fuzzy Hash: CFE026B2304111AFE740DF68DE48EAA3B98DB10368F30453AF151F60C0E2BA9A41A769
                                  APIs
                                  • RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402C00
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3789251743.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.3789230297.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789271823.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.000000000077A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.000000000077F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.0000000000784000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.0000000000787000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.000000000079F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.00000000007A8000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.00000000007C0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789586334.00000000007C3000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789586334.00000000007C5000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789586334.00000000007D3000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789586334.00000000007DC000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789586334.00000000007E2000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_nRNzqQOQwk.jbxd
                                  Similarity
                                  • API ID: Open
                                  • String ID:
                                  • API String ID: 71445658-0
                                  • Opcode ID: 2def34932d008b1c6cdd5ca58b5769b0c908390d8f7109fb18f9f363c944e71c
                                  • Instruction ID: 12eae925539b7dc367c8ab6fa63785f67f6a0dd6345a275e5017c2f2efb43849
                                  • Opcode Fuzzy Hash: 2def34932d008b1c6cdd5ca58b5769b0c908390d8f7109fb18f9f363c944e71c
                                  • Instruction Fuzzy Hash: ADE0B676250108BEDB00EFA9EE4AE9977ECAB58740F108421B608E70A1C678E5508B69
                                  APIs
                                  • ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,00403135,00000000,00000000,00402F82,000000FF,00000004,00000000,00000000,00000000), ref: 00405A9F
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3789251743.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.3789230297.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789271823.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.000000000077A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.000000000077F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.0000000000784000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.0000000000787000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.000000000079F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.00000000007A8000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.00000000007C0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789586334.00000000007C3000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789586334.00000000007C5000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789586334.00000000007D3000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789586334.00000000007DC000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789586334.00000000007E2000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_nRNzqQOQwk.jbxd
                                  Similarity
                                  • API ID: FileRead
                                  • String ID:
                                  • API String ID: 2738559852-0
                                  • Opcode ID: 9e9b74a17ccb5deaff559da35202fcfca8c983c6050daaa8761ff941af9ce947
                                  • Instruction ID: 3049aa00f6096361bf05a549768cb7fbda67778921cce1d2793645b00ea59393
                                  • Opcode Fuzzy Hash: 9e9b74a17ccb5deaff559da35202fcfca8c983c6050daaa8761ff941af9ce947
                                  • Instruction Fuzzy Hash: 56E08C3260521ABBEF119E508C40EEB3B6CEB043A0F008933F914E2180E230E8219FE4
                                  APIs
                                  • WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,004030EB,00000000,007890F8,000000FF,007890F8,000000FF,000000FF,00000004,00000000), ref: 00405ACE
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3789251743.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.3789230297.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789271823.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.000000000077A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.000000000077F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.0000000000784000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.0000000000787000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.000000000079F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.00000000007A8000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.00000000007C0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789586334.00000000007C3000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789586334.00000000007C5000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789586334.00000000007D3000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789586334.00000000007DC000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789586334.00000000007E2000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_nRNzqQOQwk.jbxd
                                  Similarity
                                  • API ID: FileWrite
                                  • String ID:
                                  • API String ID: 3934441357-0
                                  • Opcode ID: d04482319dc3028e4ce08f739f1cf32aeeec85f3b87b0f01a1fec36d148a5575
                                  • Instruction ID: 32d48f6e8b76b53ead5095efbfc7dc84fe3b04974c76bcad3a7819726962f715
                                  • Opcode Fuzzy Hash: d04482319dc3028e4ce08f739f1cf32aeeec85f3b87b0f01a1fec36d148a5575
                                  • Instruction Fuzzy Hash: CEE0B63261429AABDF109E659C40AAB7B6CFF05360F148533B915E6150E231E8219EA5
                                  APIs
                                  • VirtualProtect.KERNELBASE(1000404C,00000004,00000040,1000403C), ref: 10002729
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3796539761.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true
                                  • Associated: 00000000.00000002.3796514530.0000000010000000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000000.00000002.3796598036.0000000010003000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000000.00000002.3796620571.0000000010005000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_10000000_nRNzqQOQwk.jbxd
                                  Similarity
                                  • API ID: ProtectVirtual
                                  • String ID:
                                  • API String ID: 544645111-0
                                  • Opcode ID: 18430b4f65034898945c85cbd496d0600587ffef3804861361c874148a7acf75
                                  • Instruction ID: 4f82052a8ee677216feeb46ba648c84afb962adc58c95b92ee0d34447feb5494
                                  • Opcode Fuzzy Hash: 18430b4f65034898945c85cbd496d0600587ffef3804861361c874148a7acf75
                                  • Instruction Fuzzy Hash: B5F09BF19092A0DEF360DF688CC4B063FE4E3983D5B03892AE358F6269EB7441448B19
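The entries above are only useful in triage if the hex fields are read back into Windows terms: the fifth field of each .sdmp name and the third argument of the VirtualProtect call are memory-protection constants, and the seventh field of each name is a region type. The helper below is an added example written for this report, not part of Joe Sandbox or of the sample; the protection and type names come from the documented winnt.h constants, while the field layout of the .sdmp names (process, stage, dump id, base address, protection, an unknown field, region type, module index) is an assumption inferred from the names listed on this page. The dump names and API lines embedded in it are copied from the listing above.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Windows memory-protection and region-type constants (winnt.h). These are documented facts.
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
PAGE_MODIFIERS = {0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}
WRITABLE_AND_EXECUTABLE = {0x40, 0x80}

# ASSUMED field layout of a Joe Sandbox .sdmp name, inferred from the names on the page:
# <process>.<stage>.<dump id>.<base address>.<protection>.<unknown>.<type>.<module>.sdmp
SDMP_RE = re.compile(
    r"^(?P<process>[0-9A-Fa-f]{8})\.(?P<stage>[0-9A-Fa-f]{8})\.(?P<dump_id>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\.(?P<unknown>[0-9A-Fa-f]{8})\."
    r"(?P<mtype>[0-9A-Fa-f]{8})\.(?P<module>[0-9A-Fa-f]{8})\.sdmp$"
)
# Shape of an "APIs" line in the listing: "<Api>.<Module>(<args>), ref: <call site>"
API_RE = re.compile(r"^(?P<api>\w+)\.(?P<module>\w+)\((?P<args>.*)\), ref: (?P<ref>[0-9A-Fa-f]{8})$")
# 0-based position of the protection argument in memory APIs whose signatures are documented.
PROTECT_ARG_INDEX = {"VirtualProtect": 2, "VirtualProtectEx": 3, "VirtualAlloc": 3, "VirtualAllocEx": 4}


def decode_protection(value: int) -> str:
    """Turn a protection constant into its name, keeping any modifier bits (e.g. PAGE_GUARD)."""
    base = PAGE_PROTECT.get(value & 0xFF, f"0x{value & 0xFF:X}")
    mods = [name for bit, name in PAGE_MODIFIERS.items() if value & bit]
    return "|".join([base] + mods)


@dataclass
class DumpRegion:
    process: int
    base: int
    protect: int
    mtype: int
    module: int

    @property
    def protection_name(self) -> str:
        return decode_protection(self.protect)

    @property
    def type_name(self) -> str:
        return MEM_TYPE.get(self.mtype, f"0x{self.mtype:X}")

    @property
    def writable_and_executable(self) -> bool:
        return (self.protect & 0xFF) in WRITABLE_AND_EXECUTABLE


def parse_sdmp_name(name: str) -> DumpRegion:
    m = SDMP_RE.match(name.strip())
    if not m:
        raise ValueError(f"not a dump name: {name!r}")
    return DumpRegion(process=int(m["process"], 16), base=int(m["base"], 16),
                      protect=int(m["protect"], 16), mtype=int(m["mtype"], 16), module=int(m["module"], 16))


def parse_api_line(line: str) -> Optional[dict]:
    """Split one 'APIs' line into api, module, argument strings and call-site address.
    Arguments stay as strings because the sandbox prints '?' for values it could not recover."""
    m = API_RE.match(line.strip().lstrip("• ").strip())
    if not m:
        return None
    args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
    return {"api": m["api"], "module": m["module"], "args": args, "ref": int(m["ref"], 16)}


def rwx_requests(api_lines):
    """Return (api, target address, protection name, call site) for every call that asks for a
    writable and executable protection, a common precondition for code that is written at run time."""
    findings = []
    for line in api_lines:
        call = parse_api_line(line)
        if not call or call["api"] not in PROTECT_ARG_INDEX:
            continue
        idx = PROTECT_ARG_INDEX[call["api"]]
        if idx >= len(call["args"]) or call["args"][idx] == "?":
            continue  # protection argument not recovered by the sandbox; nothing to decide on
        prot = int(call["args"][idx], 16)
        if (prot & 0xFF) in WRITABLE_AND_EXECUTABLE:
            findings.append((call["api"], call["args"][0], decode_protection(prot), call["ref"]))
    return findings


# Inputs copied from the listing on this page.
DUMP_NAMES = [
    "00000000.00000002.3789251743.0000000000401000.00000020.00000001.01000000.00000003.sdmp",
    "00000000.00000002.3789230297.0000000000400000.00000002.00000001.01000000.00000003.sdmp",
    "00000000.00000002.3789304557.0000000000409000.00000004.00000001.01000000.00000003.sdmp",
    "00000000.00000002.3796539761.0000000010001000.00000020.00000001.01000000.00000005.sdmp",
]
API_LINES = [
    "VirtualProtect.KERNELBASE(1000404C,00000004,00000040,1000403C), ref: 10002729",
    "SetFileAttributesA.KERNELBASE(00000000,?,000000F0), ref: 004015A8",
    "ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,00403135,00000000,00000000,00402F82,000000FF,00000004,00000000,00000000,00000000), ref: 00405A9F",
]

if __name__ == "__main__":
    for name in DUMP_NAMES:
        r = parse_sdmp_name(name)
        print(f"module {r.module} base 0x{r.base:08X} {r.protection_name} {r.type_name}")
    for api, addr, prot, ref in rwx_requests(API_LINES):
        print(f"{api} on 0x{addr} -> {prot} at 0x{ref:08X}")
```

Run against the names above, every dumped region decodes as MEM_IMAGE with PAGE_READONLY, PAGE_READWRITE or PAGE_EXECUTE_READ, so none of the final-state dumps is writable and executable at once; the only RWX request in this listing is the VirtualProtect call at 10002729, which sets four bytes at 1000404C to PAGE_EXECUTE_READWRITE. Whether that matters depends on what the caller does with the page afterwards, which the listing does not show.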
                                  APIs
                                  • GetPrivateProfileStringA.KERNEL32(00000000,?,?,?,000003FF,00000000), ref: 00402369
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3789251743.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.3789230297.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789271823.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.000000000077A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.000000000077F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.0000000000784000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.0000000000787000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.000000000079F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.00000000007A8000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789304557.00000000007C0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789586334.00000000007C3000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789586334.00000000007C5000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789586334.00000000007D3000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789586334.00000000007DC000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3789586334.00000000007E2000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_nRNzqQOQwk.jbxd
                                  Similarity
                                  • API ID: PrivateProfileString
                                  • String ID:
                                  • API String ID: 1096422788-0
                                  • Opcode ID: 90e07bb3a0b3f4804eab7f86ac5a4e71b50077df0b3d61eb17d11243db03f5ce
                                  • Instruction ID: 863d308e192ce4c0f66b0ae01519e0470cfafd3cecd099ef988cf845eccf6abb
                                  • Opcode Fuzzy Hash: 90e07bb3a0b3f4804eab7f86ac5a4e71b50077df0b3d61eb17d11243db03f5ce
                                  • Instruction Fuzzy Hash: D1E08630A04208BADB10AFA08F09EAD3A79AF41710F24003AF9507B0D1EAB84481DB2D
                                  APIs
                                  • SetFileAttributesA.KERNELBASE(00000000,?,000000F0), ref: 004015A8
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3789251743.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_nRNzqQOQwk.jbxd
                                  Similarity
                                  • API ID: AttributesFile
                                  • String ID:
                                  • API String ID: 3188754299-0
                                  • Opcode ID: d0fe9b386de643ef5aeea880a78091cb5ab4581d5f0663080ab49c8656d349c5
                                  • Instruction ID: 089d8403b4a3c67af6c4af196b8dedf915adbd4a042e4b2ee6fd832a67879694
                                  • Opcode Fuzzy Hash: d0fe9b386de643ef5aeea880a78091cb5ab4581d5f0663080ab49c8656d349c5
                                  • Instruction Fuzzy Hash: 34D05B72704115DBDB10DBE5EB0869D77A0AB40364F304537D151F21D0D2BADA559719
                                  APIs
                                  • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402EC1,0002FFE4), ref: 00403146
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3789251743.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_nRNzqQOQwk.jbxd
                                  Similarity
                                  • API ID: FilePointer
                                  • String ID:
                                  • API String ID: 973152223-0
                                  • Opcode ID: 0070af3e33726fe8c9f5218e9eb5d27e4edbe1e9193197dd8736a9b9f47decae
                                  • Instruction ID: 49fdcfdf8b1973cd13611e97ba0bfafd8618b6cb304eeeee9131019f9f046fb0
                                  • Opcode Fuzzy Hash: 0070af3e33726fe8c9f5218e9eb5d27e4edbe1e9193197dd8736a9b9f47decae
                                  • Instruction Fuzzy Hash: 03B01271644200BFDA214F00DF05F057B21A790700F10C030B748380F082712420EB4D
                                  APIs
                                  • Sleep.KERNELBASE(00000000), ref: 004014E9
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3789251743.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_nRNzqQOQwk.jbxd
                                  Similarity
                                  • API ID: Sleep
                                  • String ID:
                                  • API String ID: 3472027048-0
                                  • Opcode ID: 5103c2e833fb6cec983ac643f83c5405fcf5b56718913b7927d61a5481dde75b
                                  • Instruction ID: a8a1054ff6e124a16992140d9831d4e67a861e682019e3b6a28de944f62df8e5
                                  • Opcode Fuzzy Hash: 5103c2e833fb6cec983ac643f83c5405fcf5b56718913b7927d61a5481dde75b
                                  • Instruction Fuzzy Hash: B5D05E73B141519BD750EBB8BAC445E77E4EB403257304837E502E2091E67989429618
                                  APIs
                                  • GetDlgItem.USER32(?,00000403), ref: 00405156
                                  • GetDlgItem.USER32(?,000003EE), ref: 00405165
                                  • GetClientRect.USER32(?,?), ref: 004051A2
                                  • GetSystemMetrics.USER32(00000002), ref: 004051A9
                                  • SendMessageA.USER32(?,0000101B,00000000,?), ref: 004051CA
                                  • SendMessageA.USER32(?,00001036,00004000,00004000), ref: 004051DB
                                  • SendMessageA.USER32(?,00001001,00000000,?), ref: 004051EE
                                  • SendMessageA.USER32(?,00001026,00000000,?), ref: 004051FC
                                  • SendMessageA.USER32(?,00001024,00000000,?), ref: 0040520F
                                  • ShowWindow.USER32(00000000,?,0000001B,?), ref: 00405231
                                  • ShowWindow.USER32(?,00000008), ref: 00405245
                                  • GetDlgItem.USER32(?,000003EC), ref: 00405266
                                  • SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 00405276
                                  • SendMessageA.USER32(00000000,00000409,00000000,?), ref: 0040528F
                                  • SendMessageA.USER32(00000000,00002001,00000000,?), ref: 0040529B
                                  • GetDlgItem.USER32(?,000003F8), ref: 00405174
                                    • Part of subcall function 00403FBA: SendMessageA.USER32(00000028,?,00000001,00403DEB), ref: 00403FC8
                                  • GetDlgItem.USER32(?,000003EC), ref: 004052B7
                                  • CreateThread.KERNEL32(00000000,00000000,Function_0000508B,00000000), ref: 004052C5
                                  • CloseHandle.KERNEL32(00000000), ref: 004052CC
                                  • ShowWindow.USER32(00000000), ref: 004052EF
                                  • ShowWindow.USER32(?,00000008), ref: 004052F6
                                  • ShowWindow.USER32(00000008), ref: 0040533C
                                  • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405370
                                  • CreatePopupMenu.USER32 ref: 00405381
                                  • AppendMenuA.USER32(00000000,00000000,00000001,00000000), ref: 00405396
                                  • GetWindowRect.USER32(?,000000FF), ref: 004053B6
                                  • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004053CF
                                  • SendMessageA.USER32(?,0000102D,00000000,?), ref: 0040540B
                                  • OpenClipboard.USER32(00000000), ref: 0040541B
                                  • EmptyClipboard.USER32 ref: 00405421
                                  • GlobalAlloc.KERNEL32(00000042,?), ref: 0040542A
                                  • GlobalLock.KERNEL32(00000000), ref: 00405434
                                  • SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405448
                                  • GlobalUnlock.KERNEL32(00000000), ref: 00405461
                                  • SetClipboardData.USER32(00000001,00000000), ref: 0040546C
                                  • CloseClipboard.USER32 ref: 00405472
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3789251743.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_nRNzqQOQwk.jbxd
                                  Similarity
                                  • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                                  • String ID: @y
                                  • API String ID: 590372296-2793234042
                                  • Opcode ID: fb478b241302d14890c8e569f688314f17ac97b328ad1953f1dfc7460e5c88c7
                                  • Instruction ID: 669047f9f67e304dd712f5be3c8e464dbcc99e7ae4a165c688d328355b6db051
                                  • Opcode Fuzzy Hash: fb478b241302d14890c8e569f688314f17ac97b328ad1953f1dfc7460e5c88c7
                                  • Instruction Fuzzy Hash: 9DA16970900249BFEF119FA0DD89EAE7F79EB08354F00806AFA05B61A0C7795E50DF69
                                  APIs
                                  • GetDlgItem.USER32(?,000003F9), ref: 0040494E
                                  • GetDlgItem.USER32(?,00000408), ref: 00404959
                                  • GlobalAlloc.KERNEL32(00000040,00000002), ref: 004049A3
                                  • LoadBitmapA.USER32(0000006E), ref: 004049B6
                                  • SetWindowLongA.USER32(?,000000FC,00404F2D), ref: 004049CF
                                  • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 004049E3
                                  • ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 004049F5
                                  • SendMessageA.USER32(?,00001109,00000002), ref: 00404A0B
                                  • SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 00404A17
                                  • SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 00404A29
                                  • DeleteObject.GDI32(00000000), ref: 00404A2C
                                  • SendMessageA.USER32(?,00000143,00000000,00000000), ref: 00404A57
                                  • SendMessageA.USER32(?,00000151,00000000,00000000), ref: 00404A63
                                  • SendMessageA.USER32(?,00001100,00000000,?), ref: 00404AF8
                                  • SendMessageA.USER32(?,0000110A,?,00000000), ref: 00404B23
                                  • SendMessageA.USER32(?,00001100,00000000,?), ref: 00404B37
                                  • GetWindowLongA.USER32(?,000000F0), ref: 00404B66
                                  • SetWindowLongA.USER32(?,000000F0,00000000), ref: 00404B74
                                  • ShowWindow.USER32(?,00000005), ref: 00404B85
                                  • SendMessageA.USER32(?,00000419,00000000,?), ref: 00404C82
                                  • SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404CE7
                                  • SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00404CFC
                                  • SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00404D20
                                  • SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404D40
                                  • ImageList_Destroy.COMCTL32(?), ref: 00404D55
                                  • GlobalFree.KERNEL32(?), ref: 00404D65
                                  • SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00404DDE
                                  • SendMessageA.USER32(?,00001102,?,?), ref: 00404E87
                                  • SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 00404E96
                                  • InvalidateRect.USER32(?,00000000,00000001), ref: 00404EB6
                                  • ShowWindow.USER32(?,00000000), ref: 00404F04
                                  • GetDlgItem.USER32(?,000003FE), ref: 00404F0F
                                  • ShowWindow.USER32(00000000), ref: 00404F16
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3789251743.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_nRNzqQOQwk.jbxd
                                  Similarity
                                  • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                  • String ID: $M$N
                                  • API String ID: 1638840714-813528018
                                  • Opcode ID: c0a9e003325bbf4aeebb07f179cc8a2e0ae178da990d22459e7e34e95fc5cae9
                                  • Instruction ID: 10d6cb261f95093856db0383de4589f8155b4d68da151c8c89fd000e0678f767
                                  • Opcode Fuzzy Hash: c0a9e003325bbf4aeebb07f179cc8a2e0ae178da990d22459e7e34e95fc5cae9
                                  • Instruction Fuzzy Hash: AB027CB0900209AFEB14DF64DC85AAE7BB9FB84314F10817AF610BA2E1D7789D51CF58
                                  APIs
                                  • GetDlgItem.USER32(?,000003FB), ref: 00404412
                                  • SetWindowTextA.USER32(00000000,?), ref: 0040443C
                                  • SHBrowseForFolderA.SHELL32(?,0079D918,?), ref: 004044ED
                                  • CoTaskMemFree.OLE32(00000000), ref: 004044F8
                                  • lstrcmpiA.KERNEL32(Call,0079E540), ref: 0040452A
                                  • lstrcatA.KERNEL32(?,Call), ref: 00404536
                                  • SetDlgItemTextA.USER32(?,000003FB,?), ref: 00404548
                                    • Part of subcall function 0040557A: GetDlgItemTextA.USER32(?,?,00000400,0040457F), ref: 0040558D
                                    • Part of subcall function 0040600B: CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\nRNzqQOQwk.exe",76F93410,C:\Users\user\AppData\Local\Temp\,00000000,0040315B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403370), ref: 00406063
                                    • Part of subcall function 0040600B: CharNextA.USER32(?,?,?,00000000), ref: 00406070
                                    • Part of subcall function 0040600B: CharNextA.USER32(?,"C:\Users\user\Desktop\nRNzqQOQwk.exe",76F93410,C:\Users\user\AppData\Local\Temp\,00000000,0040315B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403370), ref: 00406075
                                    • Part of subcall function 0040600B: CharPrevA.USER32(?,?,76F93410,C:\Users\user\AppData\Local\Temp\,00000000,0040315B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403370), ref: 00406085
                                  • GetDiskFreeSpaceA.KERNEL32(0079D510,?,?,0000040F,?,0079D510,0079D510,?,00000001,0079D510,?,?,000003FB,?), ref: 00404606
                                  • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404621
                                    • Part of subcall function 0040477A: lstrlenA.KERNEL32(0079E540,0079E540,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404695,000000DF,00000000,00000400,?), ref: 00404818
                                    • Part of subcall function 0040477A: wsprintfA.USER32 ref: 00404820
                                    • Part of subcall function 0040477A: SetDlgItemTextA.USER32(?,0079E540), ref: 00404833
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3789251743.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_nRNzqQOQwk.jbxd
                                  Similarity
                                  • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                                  • String ID: @y$A$C:\Users\user\slavelivets$Call
                                  • API String ID: 2624150263-76115890
                                  • Opcode ID: 3d12c395db0b8a5e031a22e6692dd266f1d5deac6801d88cb2d33c24727f66a7
                                  • Instruction ID: b79cf5757fdebc40129ea8bf430174fd55c22843b8008fc959c2d10819856cf3
                                  • Opcode Fuzzy Hash: 3d12c395db0b8a5e031a22e6692dd266f1d5deac6801d88cb2d33c24727f66a7
                                  • Instruction Fuzzy Hash: A3A170B1900209ABDB11EFA5CC45BAF77B8EF85314F10843BF611B62D1E77C9A418B69
                                  APIs
                                  • CoCreateInstance.OLE32(00407408,?,00000001,004073F8,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 0040214C
                                  • MultiByteToWideChar.KERNEL32(?,?,?,000000FF,?,00000400,?,00000001,004073F8,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004021F8
                                  Strings
                                  • C:\Users\user\slavelivets, xrefs: 0040218C
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3789251743.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_nRNzqQOQwk.jbxd
                                  Similarity
                                  • API ID: ByteCharCreateInstanceMultiWide
                                  • String ID: C:\Users\user\slavelivets
                                  • API String ID: 123533781-3386343164
                                  • Opcode ID: 024ddeff904ea4e2027849ef916676ab51d53d58e968f5afcffc77d785a09d8a
                                  • Instruction ID: 3b959fe0d73b6f2ff8ba1a3dad26e84ad0429d5bc67268e837327fa781b0949d
                                  • Opcode Fuzzy Hash: 024ddeff904ea4e2027849ef916676ab51d53d58e968f5afcffc77d785a09d8a
                                  • Instruction Fuzzy Hash: 705116B5E00208BFCB00DFE4C988A9DBBB6EF48314B2445AAF515FB2D1DA799941CB54
                                  APIs
                                  • FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 0040271A
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3789251743.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.3789230297.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3789271823.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3789304557.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3789304557.000000000077A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3789304557.000000000077F000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3789304557.0000000000784000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3789304557.0000000000787000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3789304557.000000000079F000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3789304557.00000000007A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3789304557.00000000007C0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3789586334.00000000007C3000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3789586334.00000000007C5000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3789586334.00000000007D3000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3789586334.00000000007DC000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3789586334.00000000007E2000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_nRNzqQOQwk.jbxd
                                  Similarity
                                  • API ID: FileFindFirst
                                  • String ID:
                                  • API String ID: 1974802433-0
                                  • Opcode ID: 561abc1235fbb0d1b1b6368a868e1f0093475e7d00ee5c355f47c34ff1fd805f
                                  • Instruction ID: 3ccff3199aeab2db1e2dd923352da36f4292fa18247536f83ce369c7762b159a
                                  • Opcode Fuzzy Hash: 561abc1235fbb0d1b1b6368a868e1f0093475e7d00ee5c355f47c34ff1fd805f
                                  • Instruction Fuzzy Hash: 76F05572604110EFD700EBA49A089FEB768DF15324FA0407BF181F20C0CBBC8A429B2A
                                  APIs
                                  • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403AEE
                                  • ShowWindow.USER32(?), ref: 00403B0B
                                  • DestroyWindow.USER32 ref: 00403B1F
                                  • SetWindowLongA.USER32(?,00000000,00000000), ref: 00403B3B
                                  • GetDlgItem.USER32(?,?), ref: 00403B5C
                                  • SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403B70
                                  • IsWindowEnabled.USER32(00000000), ref: 00403B77
                                  • GetDlgItem.USER32(?,00000001), ref: 00403C25
                                  • GetDlgItem.USER32(?,00000002), ref: 00403C2F
                                  • SetClassLongA.USER32(?,000000F2,?), ref: 00403C49
                                  • SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00403C9A
                                  • GetDlgItem.USER32(?,?), ref: 00403D40
                                  • ShowWindow.USER32(00000000,?), ref: 00403D61
                                  • EnableWindow.USER32(?,?), ref: 00403D73
                                  • EnableWindow.USER32(?,?), ref: 00403D8E
                                  • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403DA4
                                  • EnableMenuItem.USER32(00000000), ref: 00403DAB
                                  • SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00403DC3
                                  • SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403DD6
                                  • lstrlenA.KERNEL32(0079E540,?,0079E540,Pongids Setup), ref: 00403DFF
                                  • SetWindowTextA.USER32(?,0079E540), ref: 00403E0E
                                  • ShowWindow.USER32(?,0000000A), ref: 00403F42
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3789251743.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.3789230297.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3789271823.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3789304557.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3789304557.000000000077A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3789304557.000000000077F000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3789304557.0000000000784000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3789304557.0000000000787000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3789304557.000000000079F000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3789304557.00000000007A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3789304557.00000000007C0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3789586334.00000000007C3000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3789586334.00000000007C5000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3789586334.00000000007D3000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3789586334.00000000007DC000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3789586334.00000000007E2000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_nRNzqQOQwk.jbxd
                                  Similarity
                                  • API ID: Window$Item$MessageSend$EnableShow$LongMenu$ClassDestroyEnabledSystemTextlstrlen
                                  • String ID: @y$Pongids Setup
                                  • API String ID: 184305955-1393332770
                                  • Opcode ID: c2e5c8a98494131a3f5258506286a32dbf8d0bdf9ff6fe3114ac61fbbd238155
                                  • Instruction ID: 1a58b870ca21ce47ba752d56327be38b30dd2316994c96cb4837d6e7696a1104
                                  • Opcode Fuzzy Hash: c2e5c8a98494131a3f5258506286a32dbf8d0bdf9ff6fe3114ac61fbbd238155
                                  • Instruction Fuzzy Hash: 81C1AF71904201ABEB216F61ED89E2A7EBCEB4570AF40853EF601B11F1C73DA941DB1E
                                  APIs
                                  • CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 00404159
                                  • GetDlgItem.USER32(00000000,000003E8), ref: 0040416D
                                  • SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 0040418B
                                  • GetSysColor.USER32(?), ref: 0040419C
                                  • SendMessageA.USER32(00000000,00000443,00000000,?), ref: 004041AB
                                  • SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 004041BA
                                  • lstrlenA.KERNEL32(?), ref: 004041BD
                                  • SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 004041CC
                                  • SendMessageA.USER32(00000000,00000449,?,00000110), ref: 004041E1
                                  • GetDlgItem.USER32(?,0000040A), ref: 00404243
                                  • SendMessageA.USER32(00000000), ref: 00404246
                                  • GetDlgItem.USER32(?,000003E8), ref: 00404271
                                  • SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 004042B1
                                  • LoadCursorA.USER32(00000000,00007F02), ref: 004042C0
                                  • SetCursor.USER32(00000000), ref: 004042C9
                                  • ShellExecuteA.SHELL32(0000070B,open,007A0EE0,00000000,00000000,00000001), ref: 004042DC
                                  • LoadCursorA.USER32(00000000,00007F00), ref: 004042E9
                                  • SetCursor.USER32(00000000), ref: 004042EC
                                  • SendMessageA.USER32(00000111,00000001,00000000), ref: 00404318
                                  • SendMessageA.USER32(00000010,00000000,00000000), ref: 0040432C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3789251743.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.3789230297.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3789271823.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3789304557.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3789304557.000000000077A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3789304557.000000000077F000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3789304557.0000000000784000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3789304557.0000000000787000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3789304557.000000000079F000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3789304557.00000000007A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3789304557.00000000007C0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3789586334.00000000007C3000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3789586334.00000000007C5000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3789586334.00000000007D3000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3789586334.00000000007DC000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3789586334.00000000007E2000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_nRNzqQOQwk.jbxd
                                  Similarity
                                  • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
                                  • String ID: Call$N$open
                                  • API String ID: 3615053054-2563687911
                                  • Opcode ID: 2bd72d0c45eb893bd58c56080fda348c45ce57ca2b38d375d74f0412c252b757
                                  • Instruction ID: 601bc5fe35b3c5de407f3786c3433e5d67f1b6e9b87549a619d2750a8ed94523
                                  • Opcode Fuzzy Hash: 2bd72d0c45eb893bd58c56080fda348c45ce57ca2b38d375d74f0412c252b757
                                  • Instruction Fuzzy Hash: 6B61A5B1A40209BFEB109F61CC45F6A7B79FB84705F108026FB05BA2D1C7B8A951CF58
                                  APIs
                                  • DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
                                  • BeginPaint.USER32(?,?), ref: 00401047
                                  • GetClientRect.USER32(?,?), ref: 0040105B
                                  • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                  • FillRect.USER32(00000000,?,00000000), ref: 004010E4
                                  • DeleteObject.GDI32(?), ref: 004010ED
                                  • CreateFontIndirectA.GDI32(?), ref: 00401105
                                  • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                  • SetTextColor.GDI32(00000000,?), ref: 00401130
                                  • SelectObject.GDI32(00000000,?), ref: 00401140
                                  • DrawTextA.USER32(00000000,Pongids Setup,000000FF,00000010,00000820), ref: 00401156
                                  • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                  • DeleteObject.GDI32(?), ref: 00401165
                                  • EndPaint.USER32(?,?), ref: 0040116E
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3789251743.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.3789230297.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3789271823.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3789304557.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3789304557.000000000077A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3789304557.000000000077F000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3789304557.0000000000784000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3789304557.0000000000787000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3789304557.000000000079F000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3789304557.00000000007A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3789304557.00000000007C0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3789586334.00000000007C3000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3789586334.00000000007C5000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3789586334.00000000007D3000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3789586334.00000000007DC000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3789586334.00000000007E2000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_nRNzqQOQwk.jbxd
                                  Similarity
                                  • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                  • String ID: F$Pongids Setup
                                  • API String ID: 941294808-3581732227
                                  • Opcode ID: 0a68615732e4b88a98f313291f6562efd0598cab8c65ff7e1a40b4ddd25604da
                                  • Instruction ID: 5377a76c68583d826c01589a66ce84b6d9bb3dc06a218cd9f98f6b2c798b1645
                                  • Opcode Fuzzy Hash: 0a68615732e4b88a98f313291f6562efd0598cab8c65ff7e1a40b4ddd25604da
                                  • Instruction Fuzzy Hash: 74419C71804249AFCB058FA5CD459BFBFB9FF45310F00812AF961AA1A0C738EA50DFA5
                                  APIs
                                  • lstrcpyA.KERNEL32(007A02D0,NUL,?,00000000,?,00000000,00405C7C,?,?), ref: 00405AF8
                                  • CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,00405C7C,?,?), ref: 00405B1C
                                  • GetShortPathNameA.KERNEL32(?,007A02D0,00000400), ref: 00405B25
                                    • Part of subcall function 00405978: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405BD5,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405988
                                    • Part of subcall function 00405978: lstrlenA.KERNEL32(00000000,?,00000000,00405BD5,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004059BA
                                  • GetShortPathNameA.KERNEL32(007A06D0,007A06D0,00000400), ref: 00405B42
                                  • wsprintfA.USER32 ref: 00405B60
                                  • GetFileSize.KERNEL32(00000000,00000000,007A06D0,C0000000,00000004,007A06D0,?,?,?,?,?), ref: 00405B9B
                                  • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405BAA
                                  • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405BE2
                                  • SetFilePointer.KERNEL32(004093B0,00000000,00000000,00000000,00000000,0079FED0,00000000,-0000000A,004093B0,00000000,[Rename],00000000,00000000,00000000), ref: 00405C38
                                  • GlobalFree.KERNEL32(00000000), ref: 00405C49
                                  • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00405C50
                                    • Part of subcall function 00405A13: GetFileAttributesA.KERNELBASE(?,00402D3A,C:\Users\user\Desktop\nRNzqQOQwk.exe,80000000,?), ref: 00405A17
                                    • Part of subcall function 00405A13: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405A39
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3789251743.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.3789230297.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3789271823.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3789304557.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3789304557.000000000077A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3789304557.000000000077F000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3789304557.0000000000784000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3789304557.0000000000787000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3789304557.000000000079F000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3789304557.00000000007A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3789304557.00000000007C0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3789586334.00000000007C3000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3789586334.00000000007C5000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3789586334.00000000007D3000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3789586334.00000000007DC000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3789586334.00000000007E2000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_nRNzqQOQwk.jbxd
                                  Similarity
                                  • API ID: File$CloseGlobalHandleNamePathShortlstrcpylstrlen$AllocAttributesCreateFreePointerSizewsprintf
                                  • String ID: %s=%s$NUL$[Rename]
                                  • API String ID: 222337774-4148678300
                                  • Opcode ID: 470faa373d492393558750a21a749fa660293524ffa589413fd4618ea5f3d9a4
                                  • Instruction ID: 1eed59494e777df17b5db6228b66ba1829f219dd2eba3e9b173e6ae731b9f24b
                                  • Opcode Fuzzy Hash: 470faa373d492393558750a21a749fa660293524ffa589413fd4618ea5f3d9a4
                                  • Instruction Fuzzy Hash: 503125B0A08B05ABE6203B615D48F6B3A5CDF45794F14053BFE01F62D2DA7CAC408EAD
                                  APIs
                                  • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402C2E
                                  • MulDiv.KERNEL32(00095409,00000064,00096960), ref: 00402C59
                                  • wsprintfA.USER32 ref: 00402C69
                                  • SetWindowTextA.USER32(?,?), ref: 00402C79
                                  • SetDlgItemTextA.USER32(?,00000406,?), ref: 00402C8B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3789251743.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.3789230297.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3789271823.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3789304557.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3789304557.000000000077A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3789304557.000000000077F000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3789304557.0000000000784000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3789304557.0000000000787000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3789304557.000000000079F000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3789304557.00000000007A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3789304557.00000000007C0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3789586334.00000000007C3000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3789586334.00000000007C5000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3789586334.00000000007D3000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3789586334.00000000007DC000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3789586334.00000000007E2000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_nRNzqQOQwk.jbxd
                                  Similarity
                                  • API ID: Text$ItemTimerWindowwsprintf
                                  • String ID: T$`i$verifying installer: %d%%
                                  • API String ID: 1451636040-1135715120
                                  • Opcode ID: 3ae07b054ad9b81f5b6108b272be1fee9de0c5ac9c6f7af5c303f160919c41b2
                                  • Instruction ID: 21607a1dc9e24acd8111b7ab95824f47c5a1c8f1a2671c4e1062bfa223269d08
                                  • Opcode Fuzzy Hash: 3ae07b054ad9b81f5b6108b272be1fee9de0c5ac9c6f7af5c303f160919c41b2
                                  • Instruction Fuzzy Hash: 8B014F70944209FBEF209F60DD4AEAE37A9AB04304F008039FA16A92D0D7B89951CB59
                                  APIs
                                  • CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\nRNzqQOQwk.exe",76F93410,C:\Users\user\AppData\Local\Temp\,00000000,0040315B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403370), ref: 00406063
                                  • CharNextA.USER32(?,?,?,00000000), ref: 00406070
                                  • CharNextA.USER32(?,"C:\Users\user\Desktop\nRNzqQOQwk.exe",76F93410,C:\Users\user\AppData\Local\Temp\,00000000,0040315B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403370), ref: 00406075
                                  • CharPrevA.USER32(?,?,76F93410,C:\Users\user\AppData\Local\Temp\,00000000,0040315B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403370), ref: 00406085
                                  Strings
                                  • C:\Users\user\AppData\Local\Temp\, xrefs: 0040600C
                                  • *?|<>/":, xrefs: 00406053
                                  • "C:\Users\user\Desktop\nRNzqQOQwk.exe", xrefs: 00406047
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3789251743.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.3789230297.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3789271823.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3789304557.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3789304557.000000000077A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3789304557.000000000077F000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3789304557.0000000000784000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3789304557.0000000000787000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3789304557.000000000079F000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3789304557.00000000007A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3789304557.00000000007C0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3789586334.00000000007C3000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3789586334.00000000007C5000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3789586334.00000000007D3000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3789586334.00000000007DC000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3789586334.00000000007E2000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_nRNzqQOQwk.jbxd
                                  Similarity
                                  • API ID: Char$Next$Prev
                                  • String ID: "C:\Users\user\Desktop\nRNzqQOQwk.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
                                  • API String ID: 589700163-445350357
                                  • Opcode ID: ce3d7990729f771fdc32bb0ed1b54e2c2469674ae1568702cd8079844570f2a1
                                  • Instruction ID: 5800177166b7667d3eaf53a22357e4554d28550b3292ec339307e94a63baae70
                                  • Opcode Fuzzy Hash: ce3d7990729f771fdc32bb0ed1b54e2c2469674ae1568702cd8079844570f2a1
                                  • Instruction Fuzzy Hash: 5011276184479129FB3296384C00B7B6FD94F567A0F19007BE9C6722C2C67C5C62836D
                                  APIs
                                  • GetWindowLongA.USER32(?,000000EB), ref: 00404009
                                  • GetSysColor.USER32(00000000), ref: 00404025
                                  • SetTextColor.GDI32(?,00000000), ref: 00404031
                                  • SetBkMode.GDI32(?,?), ref: 0040403D
                                  • GetSysColor.USER32(?), ref: 00404050
                                  • SetBkColor.GDI32(?,?), ref: 00404060
                                  • DeleteObject.GDI32(?), ref: 0040407A
                                  • CreateBrushIndirect.GDI32(?), ref: 00404084
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3789251743.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_nRNzqQOQwk.jbxd
                                  Similarity
                                  • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                  • String ID:
                                  • API String ID: 2320649405-0
                                  • Opcode ID: e8c91e704ef8b2f1a11ad189bfd14f771d09f9d58710722270f9777396a44b4e
                                  • Instruction ID: c3620b6f473fad47e7a0c0791398936244beda297bc66feae6272bbc27e0e58c
                                  • Opcode Fuzzy Hash: e8c91e704ef8b2f1a11ad189bfd14f771d09f9d58710722270f9777396a44b4e
                                  • Instruction Fuzzy Hash: D7214FB1904704ABCB319F78DD48B5BBBF8AF41714F048A29EB96B22E0D734E944CB55
                                  APIs
                                  • GlobalFree.KERNEL32(00000000), ref: 1000234A
                                    • Part of subcall function 10001224: lstrcpynA.KERNEL32(00000000,?,100012CF,-1000404B,100011AB,-000000A0), ref: 10001234
                                  • GlobalAlloc.KERNEL32(00000040,?), ref: 100022C3
                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 100022D8
                                  • GlobalAlloc.KERNEL32(00000040,00000010), ref: 100022E7
                                  • CLSIDFromString.OLE32(00000000,00000000), ref: 100022F4
                                  • GlobalFree.KERNEL32(00000000), ref: 100022FB
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3796539761.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true
                                   • Associated: 00000000.00000002.3796514530.0000000010000000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000000.00000002.3796598036.0000000010003000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000000.00000002.3796620571.0000000010005000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_10000000_nRNzqQOQwk.jbxd
                                  Similarity
                                  • API ID: Global$AllocFree$ByteCharFromMultiStringWidelstrcpyn
                                  • String ID:
                                  • API String ID: 3730416702-0
                                  • Opcode ID: 8ca201b8c9dcbb45ad50e4cb45e4e1ae2e8a5d70f393ea2d6c63899163ff979d
                                  • Instruction ID: bfa8c22ebd78897ea4dc14f883c746723b208fa17a75ef0c69fbb79ff87ab60c
                                  • Opcode Fuzzy Hash: 8ca201b8c9dcbb45ad50e4cb45e4e1ae2e8a5d70f393ea2d6c63899163ff979d
                                  • Instruction Fuzzy Hash: B541ABB1108311EFF320DFA48884B5BB7F8FF443D1F218529F946D61A9DB34AA448B61
                                  APIs
                                    • Part of subcall function 10001215: GlobalAlloc.KERNEL32(00000040,10001233,?,100012CF,-1000404B,100011AB,-000000A0), ref: 1000121D
                                  • GlobalFree.KERNEL32(?), ref: 100024B5
                                  • GlobalFree.KERNEL32(00000000), ref: 100024EF
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3796539761.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_10000000_nRNzqQOQwk.jbxd
                                  Similarity
                                  • API ID: Global$Free$Alloc
                                  • String ID:
                                  • API String ID: 1780285237-0
                                  • Opcode ID: 8ed12168559ed504bf2d16f5614b25cf9b7800a5843296302d7a865f42518c80
                                  • Instruction ID: 4e6b36a645f71e2aed4a85f2c36ff1861f2741140ba068ae73f9b0a79c1593cf
                                  • Opcode Fuzzy Hash: 8ed12168559ed504bf2d16f5614b25cf9b7800a5843296302d7a865f42518c80
                                  • Instruction Fuzzy Hash: EA319CB1504250EFF322CF64CCC4C6B7BBDEB852D4B124529FA4193168CB31AC94DB62
                                  APIs
                                  • lstrlenA.KERNEL32(0079DD20,00000000,0078FCF8,76F923A0,?,?,?,?,?,?,?,?,?,0040306B,00000000,?), ref: 00404FF2
                                  • lstrlenA.KERNEL32(0040306B,0079DD20,00000000,0078FCF8,76F923A0,?,?,?,?,?,?,?,?,?,0040306B,00000000), ref: 00405002
                                  • lstrcatA.KERNEL32(0079DD20,0040306B,0040306B,0079DD20,00000000,0078FCF8,76F923A0), ref: 00405015
                                  • SetWindowTextA.USER32(0079DD20,0079DD20), ref: 00405027
                                  • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040504D
                                  • SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405067
                                  • SendMessageA.USER32(?,00001013,?,00000000), ref: 00405075
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3789251743.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_nRNzqQOQwk.jbxd
                                  Similarity
                                  • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                  • String ID:
                                  • API String ID: 2531174081-0
                                  • Opcode ID: 8aca45e27811aa21f79b642ec133e9ff2e42e250cada4605035ec104fac27bf5
                                  • Instruction ID: d1dd411a73e10bc413e7a6ba64919406d2bbbb657998d141ba589d50d7388124
                                  • Opcode Fuzzy Hash: 8aca45e27811aa21f79b642ec133e9ff2e42e250cada4605035ec104fac27bf5
                                  • Instruction Fuzzy Hash: 0D214C71900519AADF119FA5DD849DEBFA9EF09354F14807AF944A6290C7398D40CFA8
                                  APIs
                                  • SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 0040489F
                                  • GetMessagePos.USER32 ref: 004048A7
                                  • ScreenToClient.USER32(?,?), ref: 004048C1
                                  • SendMessageA.USER32(?,00001111,00000000,?), ref: 004048D3
                                  • SendMessageA.USER32(?,0000110C,00000000,?), ref: 004048F9
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3789251743.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_nRNzqQOQwk.jbxd
                                  Similarity
                                  • API ID: Message$Send$ClientScreen
                                  • String ID: f
                                  • API String ID: 41195575-1993550816
                                  • Opcode ID: 13dcb630cae817d26763a7c5c34c1a537cec2b83c976c16d0abeb4614e4307e4
                                  • Instruction ID: 53a3bc3e7d347c8b02fcccb5944648bd46d0fd351ff65b71f1969629af7e9ac2
                                  • Opcode Fuzzy Hash: 13dcb630cae817d26763a7c5c34c1a537cec2b83c976c16d0abeb4614e4307e4
                                  • Instruction Fuzzy Hash: 12019275D00219BAEB00DBA5DC41BFEBBBCAF55711F10412BBA00B71D0C7B469018BA5
                                  APIs
                                  • GlobalAlloc.KERNEL32(00000040,00030000,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 0040279D
                                  • GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,000000F0), ref: 004027B9
                                  • GlobalFree.KERNEL32(?), ref: 004027F2
                                  • GlobalFree.KERNEL32(00000000), ref: 00402805
                                  • CloseHandle.KERNEL32(?,?,?,?,000000F0), ref: 0040281D
                                  • DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 00402831
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3789251743.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_nRNzqQOQwk.jbxd
                                  Similarity
                                  • API ID: Global$AllocFree$CloseDeleteFileHandle
                                  • String ID:
                                  • API String ID: 2667972263-0
                                  • Opcode ID: 7f207ce07f6c5f0df932277b8913aa87d9610340000502d5a090f6ef4d334f19
                                  • Instruction ID: ecef423f8b7fb5116dd0415946ee68b484c5f893cd0af9153c7a5222f957d578
                                  • Opcode Fuzzy Hash: 7f207ce07f6c5f0df932277b8913aa87d9610340000502d5a090f6ef4d334f19
                                  • Instruction Fuzzy Hash: B921AE71C00128BBCF216FA5CE49D9E7E79EF09324F14423AF511762D0C6794D419FA9
                                  APIs
                                  • lstrlenA.KERNEL32(0079E540,0079E540,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404695,000000DF,00000000,00000400,?), ref: 00404818
                                  • wsprintfA.USER32 ref: 00404820
                                  • SetDlgItemTextA.USER32(?,0079E540), ref: 00404833
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3789251743.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_nRNzqQOQwk.jbxd
                                  Similarity
                                  • API ID: ItemTextlstrlenwsprintf
                                  • String ID: %u.%u%s%s$@y
                                  • API String ID: 3540041739-3020698753
                                  • Opcode ID: ca56fcb4ff96a92767a948c37e1cdc386e941f7d7930a18b2193be96cb950031
                                  • Instruction ID: 9c2068d9445a5b6f252536eabbf1c91049bb0fb02782bdd1491d607ad1f2c465
                                  • Opcode Fuzzy Hash: ca56fcb4ff96a92767a948c37e1cdc386e941f7d7930a18b2193be96cb950031
                                  • Instruction Fuzzy Hash: E711E773A041283BDB0065699C45EAF3698DB86334F254237FA25F31D1EA78CC1182E9
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3796539761.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_10000000_nRNzqQOQwk.jbxd
                                  Similarity
                                  • API ID: FreeGlobal
                                  • String ID:
                                  • API String ID: 2979337801-0
                                  • Opcode ID: 83a27a6a764e204457f331ddef67b06d43c1ca0f526d792f63dc3af4834dec0e
                                  • Instruction ID: adaf369aa6dab84e94bee76403d526b7d43184adb12fe210256c1aedb67fe499
                                  • Opcode Fuzzy Hash: 83a27a6a764e204457f331ddef67b06d43c1ca0f526d792f63dc3af4834dec0e
                                  • Instruction Fuzzy Hash: 43512536D04159AEFB55DFB488A4AEEBBF6EF453C0F124169E841B315DCA306E4087D2
                                  APIs
                                  • GetDlgItem.USER32(?), ref: 00401D3F
                                  • GetClientRect.USER32(00000000,?), ref: 00401D4C
                                  • LoadImageA.USER32(?,00000000,?,?,?,?), ref: 00401D6D
                                  • SendMessageA.USER32(00000000,00000172,?,00000000), ref: 00401D7B
                                  • DeleteObject.GDI32(00000000), ref: 00401D8A
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3789251743.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_nRNzqQOQwk.jbxd
                                  Similarity
                                  • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                  • String ID:
                                  • API String ID: 1849352358-0
                                  • Opcode ID: 10b4ba4544f36a944a3439ba9066f9e77615bff6391fe62bbc71dfdeb426500d
                                  • Instruction ID: b8adc288744d91ba617009adb3e02bef21eb0d6e3f954176feac09388768b409
                                  • Opcode Fuzzy Hash: 10b4ba4544f36a944a3439ba9066f9e77615bff6391fe62bbc71dfdeb426500d
                                  • Instruction Fuzzy Hash: 45F0FFB2A04119BFE701EBA4DE88DAFB7BCEB44301B104466F601F2191C7749D018B79
                                  APIs
                                  • SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C74
                                  • SendMessageA.USER32(00000000,00000000,?,?), ref: 00401C8C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3789251743.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_nRNzqQOQwk.jbxd
                                  Similarity
                                  • API ID: MessageSend$Timeout
                                  • String ID: !
                                  • API String ID: 1777923405-2657877971
                                  • Opcode ID: 8f69d8f01904616b30ba50563f994ab03a06e4adbc220725d3c81c21ac0e34de
                                  • Instruction ID: 44e87a32571ed3235eb7b96b36fbe9a42cad9ebb5189372230b031547819aef2
                                  • Opcode Fuzzy Hash: 8f69d8f01904616b30ba50563f994ab03a06e4adbc220725d3c81c21ac0e34de
                                  • Instruction Fuzzy Hash: ED21A271E44208BEEB15EFA4DA46AED7FB1EF84314F24403EF101B61D1DA788640DB28
                                  APIs
                                  • SetWindowTextA.USER32(00000000,Pongids Setup), ref: 00403A7D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3789251743.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_nRNzqQOQwk.jbxd
                                  Similarity
                                  • API ID: TextWindow
                                  • String ID: "C:\Users\user\Desktop\nRNzqQOQwk.exe"$1033$Pongids Setup
                                  • API String ID: 530164218-427815720
                                  • Opcode ID: 6c45f722f9a7ae4fb793d3ca626f1132432b1c01d3db27434527fc1e6ec0313f
                                  • Instruction ID: 535a85070ebab7a8ba56d21747a6201fabbada84c5c70f31dda2a066eb9b82e2
                                  • Opcode Fuzzy Hash: 6c45f722f9a7ae4fb793d3ca626f1132432b1c01d3db27434527fc1e6ec0313f
                                  • Instruction Fuzzy Hash: D1110E35B002019FD7209F15DC80A377B6CEBCA355728823BE841A73A0D73D9D028BA8
                                  APIs
                                  • lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,0040316D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403370), ref: 00405818
                                  • CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,0040316D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403370), ref: 00405821
                                  • lstrcatA.KERNEL32(?,00409014), ref: 00405832
                                  Strings
                                  • C:\Users\user\AppData\Local\Temp\, xrefs: 00405812
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3789251743.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_nRNzqQOQwk.jbxd
                                  Similarity
                                  • API ID: CharPrevlstrcatlstrlen
                                  • String ID: C:\Users\user\AppData\Local\Temp\
                                  • API String ID: 2659869361-297319885
                                  • Opcode ID: 39623dee3265ed167cf4eb0d952b1efefe5673d98ca6e2622bb109ae9f6b3ea7
                                  • Instruction ID: 0a665bc2143073433464dc8fd220d9afc6aaff2f2e3703ee86bb110f897cf778
                                  • Opcode Fuzzy Hash: 39623dee3265ed167cf4eb0d952b1efefe5673d98ca6e2622bb109ae9f6b3ea7
                                  • Instruction Fuzzy Hash: DDD0A9A3606930AAE30222158C09EDF2A58CF12340B048037F200B22A2C63C8E418BFE
                                  APIs
                                  • CharNextA.USER32(?,?,C:\,?,00405917,C:\,C:\,76F93410,?,C:\Users\user\AppData\Local\Temp\,00405662,?,76F93410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004058B9
                                  • CharNextA.USER32(00000000), ref: 004058BE
                                  • CharNextA.USER32(00000000), ref: 004058D2
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3789251743.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_nRNzqQOQwk.jbxd
                                  Similarity
                                  • API ID: CharNext
                                  • String ID: C:\
                                  • API String ID: 3213498283-3404278061
                                  • Opcode ID: b52e97735ebcacdda31b679af32a6ceda5c9d10ed76b2852ac30fc4ce6ba53e1
                                  • Instruction ID: e63bfe958a3d000d539ac339b3831bddf0e80049928d73a3bf58654b49e63fc9
                                  • Opcode Fuzzy Hash: b52e97735ebcacdda31b679af32a6ceda5c9d10ed76b2852ac30fc4ce6ba53e1
                                  • Instruction Fuzzy Hash: 5CF0F653904F552AFB3272280C40B775B88DB5A361F14C077EE40B62C1D27C4C609FAA
                                  APIs
                                  • DestroyWindow.USER32(00000000,00000000,00402E76,00000001), ref: 00402CA9
                                  • GetTickCount.KERNEL32 ref: 00402CC7
                                  • CreateDialogParamA.USER32(0000006F,00000000,00402C13,00000000), ref: 00402CE4
                                  • ShowWindow.USER32(00000000,00000005), ref: 00402CF2
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3789251743.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_nRNzqQOQwk.jbxd
                                  Similarity
                                  • API ID: Window$CountCreateDestroyDialogParamShowTick
                                  • String ID:
                                  • API String ID: 2102729457-0
                                  • Opcode ID: e47f6d303f75ebd17c716a95d6a18f35b6dc664df62f34b119683803831f88dc
                                  • Instruction ID: 9ab3963fa07bdcc1a95f8d1ddaaeb6e773ff80e4731962a5f71ef67b0361f4de
                                  • Opcode Fuzzy Hash: e47f6d303f75ebd17c716a95d6a18f35b6dc664df62f34b119683803831f88dc
                                  • Instruction Fuzzy Hash: B9F03030809521AFD6125B24FF8EDDE7A64AB41701B114477F414B11E4D7781885CBD9
                                  APIs
                                  • IsWindowVisible.USER32(?), ref: 00404F5C
                                  • CallWindowProcA.USER32(?,?,?,?), ref: 00404FAD
                                    • Part of subcall function 00403FD1: SendMessageA.USER32(00000000,00000000,00000000,00000000), ref: 00403FE3
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3789251743.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_nRNzqQOQwk.jbxd
                                  Similarity
                                  • API ID: Window$CallMessageProcSendVisible
                                  • String ID:
                                  • API String ID: 3748168415-3916222277
                                  • Opcode ID: ba6800c79a5e421cc747068b2104ef880767bd6b1526ac3d2082a385ebb11f2d
                                  • Instruction ID: b201a4cd8f35b1f81cb2229438f9677fc33f9f69eb2c65fa3af33e2f38b160ff
                                  • Opcode Fuzzy Hash: ba6800c79a5e421cc747068b2104ef880767bd6b1526ac3d2082a385ebb11f2d
                                  • Instruction Fuzzy Hash: C9015EB150424AAFDF209F61DD81A5B3A26E7C4758F104037FB04B52D1D37AAC929A6E
                                  APIs
                                  • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,0079FD48,Error launching installer), ref: 0040555A
                                  • CloseHandle.KERNEL32(?), ref: 00405567
                                  Strings
                                  • Error launching installer, xrefs: 00405544
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3789251743.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_nRNzqQOQwk.jbxd
                                  Similarity
                                  • API ID: CloseCreateHandleProcess
                                  • String ID: Error launching installer
                                  • API String ID: 3712363035-66219284
                                  • Opcode ID: 9f0b0f85f0295080a22e5d155a7c66e390f8f607a8e504552004f12f3aafe87f
                                  • Instruction ID: a44fcad5754d04da23f251c2f5d6a8b7866741138784f0b9a4d91a551686e283
                                  • Opcode Fuzzy Hash: 9f0b0f85f0295080a22e5d155a7c66e390f8f607a8e504552004f12f3aafe87f
                                  • Instruction Fuzzy Hash: 93E0BFF4A002097FEB10AB64ED49F7B7BADEB00644F408561FD10F6190E674A9549A79
                                  APIs
                                  • FreeLibrary.KERNEL32(?,76F93410,00000000,C:\Users\user\AppData\Local\Temp\,00403663,0040347D,?), ref: 004036A5
                                  • GlobalFree.KERNEL32(00B189F8), ref: 004036AC
                                  Strings
                                  • C:\Users\user\AppData\Local\Temp\, xrefs: 0040368B
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3789251743.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_nRNzqQOQwk.jbxd
                                  Similarity
                                  • API ID: Free$GlobalLibrary
                                  • String ID: C:\Users\user\AppData\Local\Temp\
                                  • API String ID: 1100898210-297319885
                                  • Opcode ID: f64556832675c450ee94ce825956f3fa5fe3b9abfe3e42bbbd50814105250277
                                  • Instruction ID: cb5700cda5be72b1964cac96af1ae0fa6ff587f55f39b04be5f0e3e76017d6e4
                                  • Opcode Fuzzy Hash: f64556832675c450ee94ce825956f3fa5fe3b9abfe3e42bbbd50814105250277
                                  • Instruction Fuzzy Hash: 78E0C2338011206BC7315F04EE04B2A777C6F48B26F020467ED447B3A087792C524BDC
                                  APIs
                                  • lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402D66,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\nRNzqQOQwk.exe,C:\Users\user\Desktop\nRNzqQOQwk.exe,80000000,?), ref: 0040585F
                                  • CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402D66,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\nRNzqQOQwk.exe,C:\Users\user\Desktop\nRNzqQOQwk.exe,80000000,?), ref: 0040586D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3789251743.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_nRNzqQOQwk.jbxd
                                  Similarity
                                  • API ID: CharPrevlstrlen
                                  • String ID: C:\Users\user\Desktop
                                  • API String ID: 2709904686-2743851969
                                  APIs
                                  • GlobalAlloc.KERNEL32(00000040,?), ref: 1000115B
                                  • GlobalFree.KERNEL32(00000000), ref: 100011B4
                                  • GlobalFree.KERNEL32(?), ref: 100011C7
                                  • GlobalFree.KERNEL32(?), ref: 100011F5
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3796539761.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_10000000_nRNzqQOQwk.jbxd
                                  Similarity
                                  • API ID: Global$Free$Alloc
                                  • String ID:
                                  • API String ID: 1780285237-0
                                  APIs
                                  • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405BD5,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405988
                                  • lstrcmpiA.KERNEL32(00000000,00000000), ref: 004059A0
                                  • CharNextA.USER32(00000000,?,00000000,00405BD5,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004059B1
                                  • lstrlenA.KERNEL32(00000000,?,00000000,00405BD5,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004059BA
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3789251743.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_nRNzqQOQwk.jbxd
                                  Similarity
                                  • API ID: lstrlen$CharNextlstrcmpi
                                  • String ID:
                                  • API String ID: 190613189-0