
Windows Analysis Report
Shiits.exe

Overview

General Information

Sample name:Shiits.exe
Analysis ID:1527846
MD5:d2511e01ff27f951a58bc2e848d1f6e6
SHA1:1cd2625285abcac930c0899aeafe2fe12a3b2207
SHA256:6d0f9739a3fabe26232452cec79ec7706f811c6ea22f4eb7e63739e8bf6da926
Tags:exeuser-adrian__luca

Detection

Score:48
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Contains functionality for read data from the clipboard
Contains functionality to shutdown / reboot the system
Detected potential crypto function
Found large amount of non-executed APIs
PE file contains an invalid checksum
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files

Classification

  • System is w10x64
  • Shiits.exe (PID: 7632 cmdline: "C:\Users\user\Desktop\Shiits.exe" MD5: D2511E01FF27F951A58BC2E848D1F6E6)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched


AV Detection

Source: Shiits.exe | ReversingLabs: Detection: 31%
Source: Shiits.exe | Virustotal: Detection: 43%
Source: Shiits.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: Shiits.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\Shiits.exe | Code function: 0_2_00402862 FindFirstFileW,0_2_00402862
Source: C:\Users\user\Desktop\Shiits.exe | Code function: 0_2_004066F3 FindFirstFileW,FindClose,0_2_004066F3
Source: C:\Users\user\Desktop\Shiits.exe | Code function: 0_2_00405ABE CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,0_2_00405ABE
Source: Shiits.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: C:\Users\user\Desktop\Shiits.exe | Code function: 0_2_00405553 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,0_2_00405553
Source: C:\Users\user\Desktop\Shiits.exe | Code function: 0_2_00403489 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,CoUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_00403489
Source: C:\Users\user\Desktop\Shiits.exe | Code function: 0_2_00404D90
Source: C:\Users\user\Desktop\Shiits.exe | Code function: 0_2_00406ABA
Source: Shiits.exe, 00000000.00000002.1416898556.0000000000457000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameloyaliteters radierne.exeR vs Shiits.exe
Source: Shiits.exe | Binary or memory string: OriginalFilenameloyaliteters radierne.exeR vs Shiits.exe
Source: Shiits.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: classification engine | Classification label: mal48.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\Shiits.exe | Code function: 0_2_00403489 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,CoUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_00403489
Source: C:\Users\user\Desktop\Shiits.exe | Code function: 0_2_00404814 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,0_2_00404814
Source: C:\Users\user\Desktop\Shiits.exe | Code function: 0_2_004020FE CoCreateInstance,0_2_004020FE
Source: C:\Users\user\Desktop\Shiits.exe | File created: C:\Users\user\AppData\Local\Temp\nsiA846.tmp
Source: Shiits.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Shiits.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\Shiits.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Shiits.exe | ReversingLabs: Detection: 31%
Source: Shiits.exe | Virustotal: Detection: 43%
Source: C:\Users\user\Desktop\Shiits.exe | File read: C:\Users\user\Desktop\Shiits.exe
Source: C:\Users\user\Desktop\Shiits.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Shiits.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Shiits.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Shiits.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\Shiits.exe | Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\Shiits.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Shiits.exe | Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\Shiits.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\Shiits.exe | Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\Shiits.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Shiits.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Shiits.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Shiits.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: Shiits.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Shiits.exe | Static PE information: real checksum: 0x9103c should be: 0x7de48
Source: C:\Users\user\Desktop\Shiits.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shiits.exe | API coverage: 8.1 %
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\Shiits.exe | Code function: 0_2_00402862 FindFirstFileW,0_2_00402862
Source: C:\Users\user\Desktop\Shiits.exe | Code function: 0_2_004066F3 FindFirstFileW,FindClose,0_2_004066F3
Source: C:\Users\user\Desktop\Shiits.exe | Code function: 0_2_00405ABE CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,0_2_00405ABE
Source: C:\Users\user\Desktop\Shiits.exe | API call chain: ExitProcess graph end node graph_0-3236
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\Shiits.exe | Code function: 0_2_00403489 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,CoUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_00403489
MITRE ATT&CK Matrix (two techniques per tactic; a leading number is the count of matched signatures for that technique)

  • Reconnaissance: Gather Victim Identity Information; Credentials
  • Resource Development: Acquire Infrastructure; Domains
  • Initial Access: Valid Accounts; Default Accounts
  • Execution: Windows Management Instrumentation; Scheduled Task/Job
  • Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts
  • Privilege Escalation: 1 Access Token Manipulation; 1 DLL Side-Loading
  • Defense Evasion: 1 Access Token Manipulation; 1 DLL Side-Loading
  • Credential Access: OS Credential Dumping; LSASS Memory
  • Discovery: 2 File and Directory Discovery; 4 System Information Discovery
  • Lateral Movement: Remote Services; Remote Desktop Protocol
  • Collection: 1 Archive Collected Data; 1 Clipboard Data
  • Command and Control: 1 Encrypted Channel; Junk Data
  • Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth
  • Impact: 1 System Shutdown/Reboot; Network Denial of Service
Source | Detection | Scanner | Label | Link
Shiits.exe | 32% | ReversingLabs | Win32.Trojan.Nemesis |
Shiits.exe | 43% | Virustotal | | Browse
No Antivirus matches
Source | Detection | Scanner | Label | Link
http://nsis.sf.net/NSIS_ErrorError | 0% | URL Reputation | safe |
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://nsis.sf.net/NSIS_ErrorError | Shiits.exe | false | URL Reputation: safe | unknown
No contacted IP infos
Joe Sandbox version:41.0.0 Charoite
Analysis ID:1527846
Start date and time:2024-10-07 10:47:40 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 1m 53s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:2
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:Shiits.exe
Detection:MAL
Classification:mal48.winEXE@1/0@0/0
EGA Information:
  • Successful, ratio: 100%
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 8
  • Number of non-executed functions: 43
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Stop behavior analysis, all processes terminated
  • Exclude process from analysis (whitelisted): dllhost.exe
No simulations
No context
No created / dropped files found
File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):6.939054194001629
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:Shiits.exe
File size:454'242 bytes
MD5:d2511e01ff27f951a58bc2e848d1f6e6
SHA1:1cd2625285abcac930c0899aeafe2fe12a3b2207
SHA256:6d0f9739a3fabe26232452cec79ec7706f811c6ea22f4eb7e63739e8bf6da926
SHA512:eb209069678714a7533ce13ee54515b9bd83ec1926aeea09bae399e20794112ed47695ec01d026d2ac1ceca0710e2ec4d85101cd7d88570eb4468465632b6950
SSDEEP:6144:2Iw3/aCrR1V49Y/iujf+NRESDnnCFvnzGu0NDvkB4BUkKvmj5AmzVuGOmF:GaC1v49qizNWAns0NmocS5dVuE
TLSH:0AA4BD9B2ED3C9DED8030A7099A6B1B1B1F6ACF49B135D0723B33AEC6D32D514E42255
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf.*_9..Pf..Pg.LPf.*_;..Pf..sV..Pf..V`..Pf.Rich.Pf.........................PE..L.....uY.................d...*.....
Icon Hash:5ce633391c1c0601
Entrypoint:0x403489
Entrypoint Section:.text
Digitally signed:true
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:0x5975952E [Mon Jul 24 06:35:26 2017 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:4
OS Version Minor:0
File Version Major:4
File Version Minor:0
Subsystem Version Major:4
Subsystem Version Minor:0
Import Hash:1f23f452093b5c1ff091a2f9fb4fa3e9
Signature Valid:
Signature Issuer:
Signature Validation Error:
Error Number:
Not Before, Not After
    Subject Chain
      Version:
      Thumbprint MD5:
      Thumbprint SHA-1:
      Thumbprint SHA-256:
      Serial:
      Instruction
      sub esp, 000002D4h
      push ebx
      push esi
      push edi
      push 00000020h
      pop edi
      xor ebx, ebx
      push 00008001h
      mov dword ptr [esp+14h], ebx
      mov dword ptr [esp+10h], 0040A230h
      mov dword ptr [esp+1Ch], ebx
      call dword ptr [004080ACh]
      call dword ptr [004080A8h]
      and eax, BFFFFFFFh
      cmp ax, 00000006h
      mov dword ptr [0042A24Ch], eax
      je 00007F5AB0DE90A3h
      push ebx
      call 00007F5AB0DEC351h
      cmp eax, ebx
      je 00007F5AB0DE9099h
      push 00000C00h
      call eax
      mov esi, 004082B0h
      push esi
      call 00007F5AB0DEC2CBh
      push esi
      call dword ptr [00408150h]
      lea esi, dword ptr [esi+eax+01h]
      cmp byte ptr [esi], 00000000h
      jne 00007F5AB0DE907Ch
      push 0000000Ah
      call 00007F5AB0DEC324h
      push 00000008h
      call 00007F5AB0DEC31Dh
      push 00000006h
      mov dword ptr [0042A244h], eax
      call 00007F5AB0DEC311h
      cmp eax, ebx
      je 00007F5AB0DE90A1h
      push 0000001Eh
      call eax
      test eax, eax
      je 00007F5AB0DE9099h
      or byte ptr [0042A24Fh], 00000040h
      push ebp
      call dword ptr [00408044h]
      push ebx
      call dword ptr [004082A0h]
      mov dword ptr [0042A318h], eax
      push ebx
      lea eax, dword ptr [esp+34h]
      push 000002B4h
      push eax
      push ebx
      push 004216E8h
      call dword ptr [00408188h]
      push 0040A384h
      Programming Language:
      • [EXP] VC++ 6.0 SP5 build 8804
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x84fc | 0xa0 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x57000 | 0x220b8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x8a808 | 0x1390 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x2b0 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x63d1 | 0x6400 | 139645791b76bd6f7b8c4472edbbdfe5 | False | 0.66515625 | data | 6.479451209065 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8000 | 0x138e | 0x1400 | 007eff248f0493620a3fd3f7cadc755b | False | 0.45 | data | 5.143831732151552 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xa000 | 0x20358 | 0x600 | ec5bcec782f43a3fb7e8dfbe0d0db4db | False | 0.501953125 | data | 4.000739070159718 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata | 0x2b000 | 0x2c000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x57000 | 0x220b8 | 0x22200 | 30cc4d5ad2d805f600d8d9358a38829a | False | 0.1827066163003663 | data | 2.9689436080399076 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x572c8 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536 | English | United States | 0.14975452502070272
RT_ICON | 0x67af0 | 0x94a8 | Device independent bitmap graphic, 96 x 192 x 32, image size 36864 | English | United States | 0.18344019339920117
RT_ICON | 0x70f98 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16384 | English | United States | 0.21953235710911667
RT_ICON | 0x751c0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | English | United States | 0.2731327800829875
RT_ICON | 0x77768 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | English | United States | 0.3428705440900563
RT_DIALOG | 0x78810 | 0x120 | data | English | United States | 0.5138888888888888
RT_DIALOG | 0x78930 | 0x11c | data | English | United States | 0.6056338028169014
RT_DIALOG | 0x78a50 | 0xc4 | data | English | United States | 0.5918367346938775
RT_DIALOG | 0x78b18 | 0x60 | data | English | United States | 0.7291666666666666
RT_GROUP_ICON | 0x78b78 | 0x4c | data | English | United States | 0.8026315789473685
RT_VERSION | 0x78bc8 | 0x1b0 | data | English | United States | 0.5601851851851852
RT_MANIFEST | 0x78d78 | 0x33e | XML 1.0 document, ASCII text, with very long lines (830), with no line terminators | English | United States | 0.5542168674698795
DLL | Import
KERNEL32.dll | ExitProcess, SetFileAttributesW, Sleep, GetTickCount, CreateFileW, GetFileSize, GetModuleFileNameW, GetCurrentProcess, SetCurrentDirectoryW, GetFileAttributesW, SetEnvironmentVariableW, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, GetVersion, SetErrorMode, lstrlenW, lstrcpynW, CopyFileW, GetShortPathNameW, GlobalLock, CreateThread, GetLastError, CreateDirectoryW, CreateProcessW, RemoveDirectoryW, lstrcmpiA, GetTempFileNameW, WriteFile, lstrcpyA, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, lstrcmpiW, MoveFileW, GetFullPathNameW, SetFileTime, SearchPathW, CompareFileTime, lstrcmpW, CloseHandle, ExpandEnvironmentStringsW, GlobalFree, GlobalUnlock, GetDiskFreeSpaceW, GlobalAlloc, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, ReadFile, FindClose, lstrlenA, MulDiv, MultiByteToWideChar, WideCharToMultiByte, GetPrivateProfileStringW, WritePrivateProfileStringW, FreeLibrary, LoadLibraryExW, GetModuleHandleW
USER32.dll | GetSystemMenu, SetClassLongW, EnableMenuItem, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, ScreenToClient, GetWindowRect, GetDlgItem, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, GetDC, SetTimer, SetWindowTextW, LoadImageW, SetForegroundWindow, ShowWindow, IsWindow, SetWindowLongW, FindWindowExW, TrackPopupMenu, AppendMenuW, CreatePopupMenu, EndPaint, CreateDialogParamW, SendMessageTimeoutW, wsprintfW, PostQuitMessage
GDI32.dll | SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll | SHGetSpecialFolderLocation, ShellExecuteExW, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, SHFileOperationW
ADVAPI32.dll | AdjustTokenPrivileges, RegCreateKeyExW, RegOpenKeyExW, SetFileSecurityW, OpenProcessToken, LookupPrivilegeValueW, RegEnumValueW, RegDeleteKeyW, RegDeleteValueW, RegCloseKey, RegSetValueExW, RegQueryValueExW, RegEnumKeyW
COMCTL32.dll | ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll | OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance
Language of compilation system | Country where language is spoken | Map
English | United States |
      No network behavior found


      Target ID:0
      Start time:04:48:35
      Start date:07/10/2024
      Path:C:\Users\user\Desktop\Shiits.exe
      Wow64 process (32bit):true
      Commandline:"C:\Users\user\Desktop\Shiits.exe"
      Imagebase:0x400000
      File size:454'242 bytes
      MD5 hash:D2511E01FF27F951A58BC2E848D1F6E6
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:low
      Has exited:true


        Execution Graph

        Execution Coverage:4.9%
        Dynamic/Decrypted Code Coverage:0%
        Signature Coverage:20.4%
        Total number of Nodes:1359
        Total number of Limit Nodes:18
calls 4170->4172 4173 4063d2 17 API calls 4171->4173 4175 4018ee lstrcatW 4172->4175 4176 401901 4173->4176 4174->4167 4175->4176 4177 405a12 MessageBoxIndirectW 4176->4177 4177->4169 4178->4148 4179->4147 4180->4167 4188 402570 4189 402c37 17 API calls 4188->4189 4190 402577 4189->4190 4193 405ea2 GetFileAttributesW CreateFileW 4190->4193 4192 402583 4193->4192 4201 401b71 4202 401bc2 4201->4202 4203 401b7e 4201->4203 4204 401bc7 4202->4204 4205 401bec GlobalAlloc 4202->4205 4206 4022de 4203->4206 4211 401b95 4203->4211 4214 401c07 4204->4214 4222 4063b0 lstrcpynW 4204->4222 4207 4063d2 17 API calls 4205->4207 4208 4063d2 17 API calls 4206->4208 4207->4214 4210 4022eb 4208->4210 4216 405a12 MessageBoxIndirectW 4210->4216 4220 4063b0 lstrcpynW 4211->4220 4212 401bd9 GlobalFree 4212->4214 4215 401ba4 4221 4063b0 lstrcpynW 4215->4221 4216->4214 4218 401bb3 4223 4063b0 lstrcpynW 4218->4223 4220->4215 4221->4218 4222->4212 4223->4214 4224 401a72 4225 402c15 17 API calls 4224->4225 4226 401a78 4225->4226 4227 402c15 17 API calls 4226->4227 4228 401a20 4227->4228 4229 4024f2 4239 402c77 4229->4239 4232 402c15 17 API calls 4233 402505 4232->4233 4234 402521 RegEnumKeyW 4233->4234 4235 40252d RegEnumValueW 4233->4235 4236 402885 4233->4236 4237 402542 RegCloseKey 4234->4237 4235->4237 4237->4236 4240 402c37 17 API calls 4239->4240 4241 402c8e 4240->4241 4242 40621d RegOpenKeyExW 4241->4242 4243 4024fc 4242->4243 4243->4232 4244 401573 4245 401583 ShowWindow 4244->4245 4246 40158c 4244->4246 4245->4246 4247 40159a ShowWindow 4246->4247 4248 402abf 4246->4248 4247->4248 4249 4014f5 SetForegroundWindow 4250 402abf 4249->4250 4251 401e77 4252 402c37 17 API calls 4251->4252 4253 401e7d 4252->4253 4254 402c37 17 API calls 4253->4254 4255 401e86 4254->4255 4256 402c37 17 API calls 4255->4256 4257 401e8f 4256->4257 4258 402c37 17 API calls 4257->4258 4259 401e98 4258->4259 4260 401423 24 API calls 4259->4260 4261 401e9f 4260->4261 4268 4059d8 ShellExecuteExW 4261->4268 4263 401ee1 
4266 402885 4263->4266 4269 40683b WaitForSingleObject 4263->4269 4265 401efb CloseHandle 4265->4266 4268->4263 4270 406855 4269->4270 4271 406867 GetExitCodeProcess 4270->4271 4272 4067c6 2 API calls 4270->4272 4271->4265 4273 40685c WaitForSingleObject 4272->4273 4273->4270 4281 40167b 4282 402c37 17 API calls 4281->4282 4283 401682 4282->4283 4284 402c37 17 API calls 4283->4284 4285 40168b 4284->4285 4286 402c37 17 API calls 4285->4286 4287 401694 MoveFileW 4286->4287 4288 4016a0 4287->4288 4289 4016a7 4287->4289 4291 401423 24 API calls 4288->4291 4290 4066f3 2 API calls 4289->4290 4293 40224a 4289->4293 4292 4016b6 4290->4292 4291->4293 4292->4293 4294 406176 36 API calls 4292->4294 4294->4288 4295 403a7c 4296 403a87 4295->4296 4297 403a8b 4296->4297 4298 403a8e GlobalAlloc 4296->4298 4298->4297 4299 40247e 4300 402c77 17 API calls 4299->4300 4301 402488 4300->4301 4302 402c37 17 API calls 4301->4302 4303 402491 4302->4303 4304 40249c RegQueryValueExW 4303->4304 4307 402885 4303->4307 4305 4024c2 RegCloseKey 4304->4305 4306 4024bc 4304->4306 4305->4307 4306->4305 4310 4062f7 wsprintfW 4306->4310 4310->4305 4311 4020fe 4312 402c37 17 API calls 4311->4312 4313 402105 4312->4313 4314 402c37 17 API calls 4313->4314 4315 40210f 4314->4315 4316 402c37 17 API calls 4315->4316 4317 402119 4316->4317 4318 402c37 17 API calls 4317->4318 4319 402123 4318->4319 4320 402c37 17 API calls 4319->4320 4321 40212d 4320->4321 4322 40216c CoCreateInstance 4321->4322 4323 402c37 17 API calls 4321->4323 4326 40218b 4322->4326 4323->4322 4324 401423 24 API calls 4325 40224a 4324->4325 4326->4324 4326->4325 4327 4019ff 4328 402c37 17 API calls 4327->4328 4329 401a06 4328->4329 4330 402c37 17 API calls 4329->4330 4331 401a0f 4330->4331 4332 401a16 lstrcmpiW 4331->4332 4333 401a28 lstrcmpW 4331->4333 4334 401a1c 4332->4334 4333->4334 4335 401000 4336 401037 BeginPaint GetClientRect 4335->4336 4338 40100c DefWindowProcW 4335->4338 4339 4010f3 4336->4339 4340 401179 4338->4340 4341 
401073 CreateBrushIndirect FillRect DeleteObject 4339->4341 4342 4010fc 4339->4342 4341->4339 4343 401102 CreateFontIndirectW 4342->4343 4344 401167 EndPaint 4342->4344 4343->4344 4345 401112 6 API calls 4343->4345 4344->4340 4345->4344 4346 401f00 4347 402c37 17 API calls 4346->4347 4348 401f06 4347->4348 4349 405414 24 API calls 4348->4349 4350 401f10 4349->4350 4351 405995 2 API calls 4350->4351 4352 401f16 4351->4352 4353 401f39 CloseHandle 4352->4353 4354 40683b 5 API calls 4352->4354 4357 402885 4352->4357 4353->4357 4356 401f2b 4354->4356 4356->4353 4359 4062f7 wsprintfW 4356->4359 4359->4353 4360 401503 4361 40150b 4360->4361 4363 40151e 4360->4363 4362 402c15 17 API calls 4361->4362 4362->4363 4364 402306 4365 402314 4364->4365 4366 40230e 4364->4366 4368 402c37 17 API calls 4365->4368 4369 402322 4365->4369 4367 402c37 17 API calls 4366->4367 4367->4365 4368->4369 4370 402c37 17 API calls 4369->4370 4373 402330 4369->4373 4370->4373 4371 402c37 17 API calls 4372 402339 WritePrivateProfileStringW 4371->4372 4373->4371 4381 401f86 4382 402c37 17 API calls 4381->4382 4383 401f8d 4382->4383 4384 40678a 5 API calls 4383->4384 4385 401f9c 4384->4385 4386 401fb8 GlobalAlloc 4385->4386 4387 402020 4385->4387 4386->4387 4388 401fcc 4386->4388 4389 40678a 5 API calls 4388->4389 4390 401fd3 4389->4390 4391 40678a 5 API calls 4390->4391 4392 401fdd 4391->4392 4392->4387 4396 4062f7 wsprintfW 4392->4396 4394 402012 4397 4062f7 wsprintfW 4394->4397 4396->4394 4397->4387 4398 405388 4399 405398 4398->4399 4400 4053ac 4398->4400 4401 40539e 4399->4401 4410 4053f5 4399->4410 4402 4053b4 IsWindowVisible 4400->4402 4404 4053cb 4400->4404 4406 404391 SendMessageW 4401->4406 4403 4053c1 4402->4403 4402->4410 4411 404cde SendMessageW 4403->4411 4405 4053fa CallWindowProcW 4404->4405 4416 404d5e 4404->4416 4408 4053a8 4405->4408 4406->4408 4410->4405 4412 404d01 GetMessagePos ScreenToClient SendMessageW 4411->4412 4413 404d3d SendMessageW 4411->4413 4414 404d35 4412->4414 4415 
404d3a 4412->4415 4413->4414 4414->4404 4415->4413 4425 4063b0 lstrcpynW 4416->4425 4418 404d71 4426 4062f7 wsprintfW 4418->4426 4420 404d7b 4421 40140b 2 API calls 4420->4421 4422 404d84 4421->4422 4427 4063b0 lstrcpynW 4422->4427 4424 404d8b 4424->4410 4425->4418 4426->4420 4427->4424 4428 402388 4429 402390 4428->4429 4430 4023bb 4428->4430 4432 402c77 17 API calls 4429->4432 4431 402c37 17 API calls 4430->4431 4433 4023c2 4431->4433 4434 402397 4432->4434 4439 402cf5 4433->4439 4436 402c37 17 API calls 4434->4436 4437 4023cf 4434->4437 4438 4023a8 RegDeleteValueW RegCloseKey 4436->4438 4438->4437 4440 402d0b 4439->4440 4442 402d21 4440->4442 4443 402d2a 4440->4443 4442->4437 4444 40621d RegOpenKeyExW 4443->4444 4449 402d58 4444->4449 4445 402d7e RegEnumKeyW 4446 402d95 RegCloseKey 4445->4446 4445->4449 4447 40678a 5 API calls 4446->4447 4450 402da5 4447->4450 4448 402db6 RegCloseKey 4453 402da9 4448->4453 4449->4445 4449->4446 4449->4448 4451 402d2a 6 API calls 4449->4451 4449->4453 4452 402dc4 RegDeleteKeyW 4450->4452 4450->4453 4451->4449 4452->4453 4453->4442 3186 403489 SetErrorMode GetVersion 3187 4034c8 3186->3187 3188 4034ce 3186->3188 3189 40678a 5 API calls 3187->3189 3280 40671a GetSystemDirectoryW 3188->3280 3189->3188 3191 4034e4 lstrlenA 3191->3188 3192 4034f4 3191->3192 3283 40678a GetModuleHandleA 3192->3283 3195 40678a 5 API calls 3196 403502 3195->3196 3197 40678a 5 API calls 3196->3197 3198 40350e #17 OleInitialize SHGetFileInfoW 3197->3198 3289 4063b0 lstrcpynW 3198->3289 3201 40355a GetCommandLineW 3290 4063b0 lstrcpynW 3201->3290 3203 40356c GetModuleHandleW 3204 403584 3203->3204 3291 405cae 3204->3291 3207 4036bd GetTempPathW 3295 403458 3207->3295 3209 4036d5 3210 4036d9 GetWindowsDirectoryW lstrcatW 3209->3210 3211 40372f DeleteFileW 3209->3211 3212 403458 12 API calls 3210->3212 3305 402f14 GetTickCount GetModuleFileNameW 3211->3305 3215 4036f5 3212->3215 3213 405cae CharNextW 3216 4035ac 3213->3216 3215->3211 3218 4036f9 GetTempPathW 
lstrcatW SetEnvironmentVariableW SetEnvironmentVariableW 3215->3218 3216->3213 3221 4036a8 3216->3221 3223 4036a6 3216->3223 3222 403458 12 API calls 3218->3222 3219 4037fa 3337 4039cc 3219->3337 3350 4063b0 lstrcpynW 3221->3350 3227 403727 3222->3227 3223->3207 3224 4037e6 3368 403abe 3224->3368 3227->3211 3227->3219 3229 405cae CharNextW 3243 403762 3229->3243 3230 4037f6 3230->3219 3231 403930 3234 4039b4 3231->3234 3235 403938 GetCurrentProcess OpenProcessToken 3231->3235 3232 403810 3346 405a12 3232->3346 3236 4039c2 ExitProcess 3234->3236 3237 4039be 3234->3237 3241 403950 LookupPrivilegeValueW AdjustTokenPrivileges 3235->3241 3242 403984 3235->3242 3237->3236 3238 4037c0 3351 405d89 3238->3351 3239 403826 3424 40597d 3239->3424 3241->3242 3246 40678a 5 API calls 3242->3246 3243->3238 3243->3239 3249 40398b 3246->3249 3253 4039a0 ExitWindowsEx 3249->3253 3254 4039ad 3249->3254 3250 4037d0 3366 4063b0 lstrcpynW 3250->3366 3251 403847 lstrcatW lstrcmpiW 3251->3219 3256 403863 3251->3256 3252 40383c lstrcatW 3252->3251 3253->3234 3253->3254 3461 40140b 3254->3461 3259 403868 3256->3259 3260 40386f 3256->3260 3258 4037db 3367 4063b0 lstrcpynW 3258->3367 3427 4058e3 CreateDirectoryW 3259->3427 3432 405960 CreateDirectoryW 3260->3432 3265 403874 SetCurrentDirectoryW 3266 403884 3265->3266 3267 40388f 3265->3267 3435 4063b0 lstrcpynW 3266->3435 3436 4063b0 lstrcpynW 3267->3436 3272 4038db CopyFileW 3277 40389d 3272->3277 3273 403924 3274 406176 36 API calls 3273->3274 3274->3230 3276 4063d2 17 API calls 3276->3277 3277->3273 3277->3276 3279 40390f CloseHandle 3277->3279 3437 4063d2 3277->3437 3454 406176 MoveFileExW 3277->3454 3458 405995 CreateProcessW 3277->3458 3279->3277 3281 40673c wsprintfW LoadLibraryExW 3280->3281 3281->3191 3284 4067b0 GetProcAddress 3283->3284 3285 4067a6 3283->3285 3287 4034fb 3284->3287 3286 40671a 3 API calls 3285->3286 3288 4067ac 3286->3288 3287->3195 3288->3284 3288->3287 3289->3201 3290->3203 3292 405cb4 3291->3292 3293 403593 
CharNextW 3292->3293 3294 405cbb CharNextW 3292->3294 3293->3207 3293->3216 3294->3292 3464 406644 3295->3464 3297 403464 3298 40346e 3297->3298 3473 405c81 lstrlenW CharPrevW 3297->3473 3298->3209 3301 405960 2 API calls 3302 40347c 3301->3302 3476 405ed1 3302->3476 3480 405ea2 GetFileAttributesW CreateFileW 3305->3480 3307 402f57 3308 402f64 3307->3308 3481 4063b0 lstrcpynW 3307->3481 3308->3219 3308->3224 3308->3229 3310 402f7a 3482 405ccd lstrlenW 3310->3482 3314 402f8b GetFileSize 3315 40308c 3314->3315 3334 402fa2 3314->3334 3316 402e72 32 API calls 3315->3316 3317 403093 3316->3317 3317->3308 3320 4030cf GlobalAlloc 3317->3320 3504 403441 SetFilePointer 3317->3504 3319 403127 3322 402e72 32 API calls 3319->3322 3321 4030e6 3320->3321 3326 405ed1 2 API calls 3321->3326 3336 40311d 3322->3336 3324 4030b0 3327 40342b ReadFile 3324->3327 3325 40305c 3325->3334 3490 402e72 3325->3490 3329 4030f7 CreateFileW 3326->3329 3330 4030bb 3327->3330 3331 403131 3329->3331 3329->3336 3330->3308 3330->3320 3505 403441 SetFilePointer 3331->3505 3333 40313f 3506 4031ba 3333->3506 3334->3308 3334->3315 3334->3319 3334->3325 3487 40342b 3334->3487 3336->3308 3338 4039e7 3337->3338 3339 4039dd CloseHandle 3337->3339 3340 4039f1 CloseHandle 3338->3340 3341 4039fb 3338->3341 3339->3338 3340->3341 3564 403a29 3341->3564 3347 405a27 3346->3347 3348 40381e ExitProcess 3347->3348 3349 405a3b MessageBoxIndirectW 3347->3349 3349->3348 3350->3223 3622 4063b0 lstrcpynW 3351->3622 3353 405d9a 3623 405d2c CharNextW CharNextW 3353->3623 3356 4037cc 3356->3219 3356->3250 3357 406644 5 API calls 3358 405db0 3357->3358 3358->3356 3363 405dc7 3358->3363 3359 405de1 lstrlenW 3360 405dec 3359->3360 3359->3363 3362 405c81 3 API calls 3360->3362 3361 4066f3 2 API calls 3361->3363 3364 405df1 GetFileAttributesW 3362->3364 3363->3356 3363->3359 3363->3361 3365 405ccd 2 API calls 3363->3365 3364->3356 3365->3359 3366->3258 3367->3224 3369 40678a 5 API calls 3368->3369 3370 403ad2 3369->3370 3371 403ad8 
3370->3371 3372 403aea 3370->3372 3629 4062f7 wsprintfW 3371->3629 3630 40627e 3372->3630 3375 403b39 lstrcatW 3378 403ae8 3375->3378 3377 40627e 3 API calls 3377->3375 3635 403d94 3378->3635 3381 405d89 18 API calls 3382 403b6b 3381->3382 3383 403bff 3382->3383 3385 40627e 3 API calls 3382->3385 3384 405d89 18 API calls 3383->3384 3388 403c05 3384->3388 3386 403b9d 3385->3386 3386->3383 3394 403bbe lstrlenW 3386->3394 3395 405cae CharNextW 3386->3395 3387 403c15 LoadImageW 3390 403cbb 3387->3390 3391 403c3c RegisterClassW 3387->3391 3388->3387 3389 4063d2 17 API calls 3388->3389 3389->3387 3393 40140b 2 API calls 3390->3393 3392 403c72 SystemParametersInfoW CreateWindowExW 3391->3392 3423 403cc5 3391->3423 3392->3390 3398 403cc1 3393->3398 3396 403bf2 3394->3396 3397 403bcc lstrcmpiW 3394->3397 3399 403bbb 3395->3399 3401 405c81 3 API calls 3396->3401 3397->3396 3400 403bdc GetFileAttributesW 3397->3400 3403 403d94 18 API calls 3398->3403 3398->3423 3399->3394 3402 403be8 3400->3402 3404 403bf8 3401->3404 3402->3396 3405 405ccd 2 API calls 3402->3405 3406 403cd2 3403->3406 3643 4063b0 lstrcpynW 3404->3643 3405->3396 3408 403d61 3406->3408 3409 403cde ShowWindow 3406->3409 3644 4054e7 OleInitialize 3408->3644 3411 40671a 3 API calls 3409->3411 3413 403cf6 3411->3413 3412 403d67 3414 403d83 3412->3414 3415 403d6b 3412->3415 3416 403d04 GetClassInfoW 3413->3416 3420 40671a 3 API calls 3413->3420 3419 40140b 2 API calls 3414->3419 3422 40140b 2 API calls 3415->3422 3415->3423 3417 403d18 GetClassInfoW RegisterClassW 3416->3417 3418 403d2e DialogBoxParamW 3416->3418 3417->3418 3421 40140b 2 API calls 3418->3421 3419->3423 3420->3416 3421->3423 3422->3423 3423->3230 3425 40678a 5 API calls 3424->3425 3426 40382b lstrcatW 3425->3426 3426->3251 3426->3252 3428 40386d 3427->3428 3429 405934 GetLastError 3427->3429 3428->3265 3429->3428 3430 405943 SetFileSecurityW 3429->3430 3430->3428 3431 405959 GetLastError 3430->3431 3431->3428 3433 405974 GetLastError 3432->3433 3434 
405970 3432->3434 3433->3434 3434->3265 3435->3267 3436->3277 3451 4063df 3437->3451 3438 40662a 3439 4038ce DeleteFileW 3438->3439 3668 4063b0 lstrcpynW 3438->3668 3439->3272 3439->3277 3441 4065f8 lstrlenW 3441->3451 3444 4063d2 10 API calls 3444->3441 3445 40650d GetSystemDirectoryW 3445->3451 3446 40627e 3 API calls 3446->3451 3447 406520 GetWindowsDirectoryW 3447->3451 3448 406644 5 API calls 3448->3451 3449 40659b lstrcatW 3449->3451 3450 406554 SHGetSpecialFolderLocation 3450->3451 3453 40656c SHGetPathFromIDListW CoTaskMemFree 3450->3453 3451->3438 3451->3441 3451->3444 3451->3445 3451->3446 3451->3447 3451->3448 3451->3449 3451->3450 3452 4063d2 10 API calls 3451->3452 3666 4062f7 wsprintfW 3451->3666 3667 4063b0 lstrcpynW 3451->3667 3452->3451 3453->3451 3455 406197 3454->3455 3456 40618a 3454->3456 3455->3277 3669 405ffc 3456->3669 3459 4059d4 3458->3459 3460 4059c8 CloseHandle 3458->3460 3459->3277 3460->3459 3462 401389 2 API calls 3461->3462 3463 401420 3462->3463 3463->3234 3471 406651 3464->3471 3465 4066cc CharPrevW 3468 4066c7 3465->3468 3466 4066ba CharNextW 3466->3468 3466->3471 3467 405cae CharNextW 3467->3471 3468->3465 3469 4066ed 3468->3469 3469->3297 3470 4066a6 CharNextW 3470->3471 3471->3466 3471->3467 3471->3468 3471->3470 3472 4066b5 CharNextW 3471->3472 3472->3466 3474 403476 3473->3474 3475 405c9d lstrcatW 3473->3475 3474->3301 3475->3474 3477 405ede GetTickCount GetTempFileNameW 3476->3477 3478 405f14 3477->3478 3479 403487 3477->3479 3478->3477 3478->3479 3479->3209 3480->3307 3481->3310 3483 405cdb 3482->3483 3484 405ce1 CharPrevW 3483->3484 3485 402f80 3483->3485 3484->3483 3484->3485 3486 4063b0 lstrcpynW 3485->3486 3486->3314 3521 405f25 ReadFile 3487->3521 3491 402e83 3490->3491 3492 402e9b 3490->3492 3495 402e8c DestroyWindow 3491->3495 3503 402e93 3491->3503 3493 402ea3 3492->3493 3494 402eab GetTickCount 3492->3494 3523 4067c6 3493->3523 3497 402eb9 3494->3497 3494->3503 3495->3503 3498 402ec1 3497->3498 3499 402eee 
CreateDialogParamW ShowWindow 3497->3499 3498->3503 3527 402e56 3498->3527 3499->3503 3501 402ecf wsprintfW 3530 405414 3501->3530 3503->3325 3504->3324 3505->3333 3507 4031e5 3506->3507 3508 4031c9 SetFilePointer 3506->3508 3541 4032c2 GetTickCount 3507->3541 3508->3507 3511 405f25 ReadFile 3512 403205 3511->3512 3513 4032c2 42 API calls 3512->3513 3520 403282 3512->3520 3514 40321c 3513->3514 3515 403288 ReadFile 3514->3515 3518 40322b 3514->3518 3514->3520 3515->3520 3517 405f25 ReadFile 3517->3518 3518->3517 3518->3520 3554 405f54 WriteFile 3518->3554 3520->3336 3522 40343e 3521->3522 3522->3334 3524 4067e3 PeekMessageW 3523->3524 3525 4067f3 3524->3525 3526 4067d9 DispatchMessageW 3524->3526 3525->3503 3526->3524 3528 402e65 3527->3528 3529 402e67 MulDiv 3527->3529 3528->3529 3529->3501 3531 40542f 3530->3531 3539 4054d1 3530->3539 3532 40544b lstrlenW 3531->3532 3533 4063d2 17 API calls 3531->3533 3534 405474 3532->3534 3535 405459 lstrlenW 3532->3535 3533->3532 3537 405487 3534->3537 3538 40547a SetWindowTextW 3534->3538 3536 40546b lstrcatW 3535->3536 3535->3539 3536->3534 3537->3539 3540 40548d SendMessageW SendMessageW SendMessageW 3537->3540 3538->3537 3539->3503 3540->3539 3542 4032f0 3541->3542 3543 40341a 3541->3543 3556 403441 SetFilePointer 3542->3556 3545 402e72 32 API calls 3543->3545 3550 4031ec 3545->3550 3546 4032fb SetFilePointer 3552 403320 3546->3552 3547 40342b ReadFile 3547->3552 3549 402e72 32 API calls 3549->3552 3550->3511 3550->3520 3551 405f54 WriteFile 3551->3552 3552->3547 3552->3549 3552->3550 3552->3551 3553 4033fb SetFilePointer 3552->3553 3557 40690b 3552->3557 3553->3543 3555 405f72 3554->3555 3555->3518 3556->3546 3558 406930 3557->3558 3559 406938 3557->3559 3558->3552 3559->3558 3560 4069c8 GlobalAlloc 3559->3560 3561 4069bf GlobalFree 3559->3561 3562 406a36 GlobalFree 3559->3562 3563 406a3f GlobalAlloc 3559->3563 3560->3558 3560->3559 3561->3560 3562->3563 3563->3558 3563->3559 3565 403a37 3564->3565 3566 403a00 3565->3566 
3567 403a3c FreeLibrary GlobalFree 3565->3567 3568 405abe 3566->3568 3567->3566 3567->3567 3569 405d89 18 API calls 3568->3569 3570 405ade 3569->3570 3571 405ae6 DeleteFileW 3570->3571 3572 405afd 3570->3572 3573 4037ff CoUninitialize 3571->3573 3574 405c28 3572->3574 3606 4063b0 lstrcpynW 3572->3606 3573->3231 3573->3232 3574->3573 3579 405c1d 3574->3579 3576 405b23 3577 405b36 3576->3577 3578 405b29 lstrcatW 3576->3578 3581 405ccd 2 API calls 3577->3581 3580 405b3c 3578->3580 3579->3574 3616 4066f3 FindFirstFileW 3579->3616 3583 405b4c lstrcatW 3580->3583 3584 405b57 lstrlenW FindFirstFileW 3580->3584 3581->3580 3583->3584 3584->3579 3604 405b79 3584->3604 3586 405c81 3 API calls 3587 405c4c 3586->3587 3589 405a76 5 API calls 3587->3589 3588 405c00 FindNextFileW 3591 405c16 FindClose 3588->3591 3588->3604 3592 405c58 3589->3592 3591->3579 3593 405c72 3592->3593 3594 405c5c 3592->3594 3596 405414 24 API calls 3593->3596 3594->3573 3597 405414 24 API calls 3594->3597 3596->3573 3599 405c69 3597->3599 3598 405abe 60 API calls 3598->3604 3600 406176 36 API calls 3599->3600 3602 405c70 3600->3602 3601 405414 24 API calls 3601->3588 3602->3573 3603 405414 24 API calls 3603->3604 3604->3588 3604->3598 3604->3601 3604->3603 3605 406176 36 API calls 3604->3605 3607 4063b0 lstrcpynW 3604->3607 3608 405a76 3604->3608 3605->3604 3606->3576 3607->3604 3619 405e7d GetFileAttributesW 3608->3619 3610 405aa3 3610->3604 3612 405a91 RemoveDirectoryW 3614 405a9f 3612->3614 3613 405a99 DeleteFileW 3613->3614 3614->3610 3615 405aaf SetFileAttributesW 3614->3615 3615->3610 3617 405c42 3616->3617 3618 406709 FindClose 3616->3618 3617->3573 3617->3586 3618->3617 3620 405a82 3619->3620 3621 405e8f SetFileAttributesW 3619->3621 3620->3610 3620->3612 3620->3613 3621->3620 3622->3353 3624 405d49 3623->3624 3628 405d5b 3623->3628 3625 405d56 CharNextW 3624->3625 3624->3628 3626 405d7f 3625->3626 3626->3356 3626->3357 3627 405cae CharNextW 3627->3628 3628->3626 3628->3627 3629->3378 3651 
40621d 3630->3651 3633 4062b2 RegQueryValueExW RegCloseKey 3634 403b1a 3633->3634 3634->3375 3634->3377 3636 403da8 3635->3636 3655 4062f7 wsprintfW 3636->3655 3638 403e19 3656 403e4d 3638->3656 3640 403b49 3640->3381 3641 403e1e 3641->3640 3642 4063d2 17 API calls 3641->3642 3642->3641 3643->3383 3659 404391 3644->3659 3646 404391 SendMessageW 3647 405543 OleUninitialize 3646->3647 3647->3412 3649 405531 3649->3646 3650 40550a 3650->3649 3662 401389 3650->3662 3652 40622c 3651->3652 3653 406230 3652->3653 3654 406235 RegOpenKeyExW 3652->3654 3653->3633 3653->3634 3654->3653 3655->3638 3657 4063d2 17 API calls 3656->3657 3658 403e5b SetWindowTextW 3657->3658 3658->3641 3660 4043a9 3659->3660 3661 40439a SendMessageW 3659->3661 3660->3650 3661->3660 3664 401390 3662->3664 3663 4013fe 3663->3650 3664->3663 3665 4013cb MulDiv SendMessageW 3664->3665 3665->3664 3666->3451 3667->3451 3668->3439 3670 406052 GetShortPathNameW 3669->3670 3671 40602c 3669->3671 3673 406171 3670->3673 3674 406067 3670->3674 3696 405ea2 GetFileAttributesW CreateFileW 3671->3696 3673->3455 3674->3673 3676 40606f wsprintfA 3674->3676 3675 406036 CloseHandle GetShortPathNameW 3675->3673 3677 40604a 3675->3677 3678 4063d2 17 API calls 3676->3678 3677->3670 3677->3673 3679 406097 3678->3679 3697 405ea2 GetFileAttributesW CreateFileW 3679->3697 3681 4060a4 3681->3673 3682 4060b3 GetFileSize GlobalAlloc 3681->3682 3683 4060d5 3682->3683 3684 40616a CloseHandle 3682->3684 3685 405f25 ReadFile 3683->3685 3684->3673 3686 4060dd 3685->3686 3686->3684 3698 405e07 lstrlenA 3686->3698 3689 4060f4 lstrcpyA 3692 406116 3689->3692 3690 406108 3691 405e07 4 API calls 3690->3691 3691->3692 3693 40614d SetFilePointer 3692->3693 3694 405f54 WriteFile 3693->3694 3695 406163 GlobalFree 3694->3695 3695->3684 3696->3675 3697->3681 3699 405e48 lstrlenA 3698->3699 3700 405e50 3699->3700 3701 405e21 lstrcmpiA 3699->3701 3700->3689 3700->3690 3701->3700 3702 405e3f CharNextA 3701->3702 3702->3699 4454 40190c 4455 401943 
4454->4455 4456 402c37 17 API calls 4455->4456 4457 401948 4456->4457 4458 405abe 67 API calls 4457->4458 4459 401951 4458->4459 4460 401d0e 4461 402c15 17 API calls 4460->4461 4462 401d15 4461->4462 4463 402c15 17 API calls 4462->4463 4464 401d21 GetDlgItem 4463->4464 4465 40258c 4464->4465 4466 40190f 4467 402c37 17 API calls 4466->4467 4468 401916 4467->4468 4469 405a12 MessageBoxIndirectW 4468->4469 4470 40191f 4469->4470 4471 404d90 GetDlgItem GetDlgItem 4472 404de2 7 API calls 4471->4472 4481 404ffb 4471->4481 4473 404e85 DeleteObject 4472->4473 4474 404e78 SendMessageW 4472->4474 4475 404e8e 4473->4475 4474->4473 4476 404ec5 4475->4476 4480 4063d2 17 API calls 4475->4480 4478 404345 18 API calls 4476->4478 4477 4050df 4479 40518b 4477->4479 4483 404fee 4477->4483 4489 405138 SendMessageW 4477->4489 4482 404ed9 4478->4482 4484 405195 SendMessageW 4479->4484 4485 40519d 4479->4485 4486 404ea7 SendMessageW SendMessageW 4480->4486 4481->4477 4487 404cde 5 API calls 4481->4487 4505 40506c 4481->4505 4488 404345 18 API calls 4482->4488 4490 4043ac 8 API calls 4483->4490 4484->4485 4492 4051b6 4485->4492 4493 4051af ImageList_Destroy 4485->4493 4501 4051c6 4485->4501 4486->4475 4487->4505 4506 404ee7 4488->4506 4489->4483 4495 40514d SendMessageW 4489->4495 4496 405381 4490->4496 4491 4050d1 SendMessageW 4491->4477 4497 4051bf GlobalFree 4492->4497 4492->4501 4493->4492 4494 405335 4494->4483 4502 405347 ShowWindow GetDlgItem ShowWindow 4494->4502 4499 405160 4495->4499 4497->4501 4498 404fbc GetWindowLongW SetWindowLongW 4500 404fd5 4498->4500 4510 405171 SendMessageW 4499->4510 4503 404ff3 4500->4503 4504 404fdb ShowWindow 4500->4504 4501->4494 4515 404d5e 4 API calls 4501->4515 4516 405201 4501->4516 4502->4483 4523 40437a SendMessageW 4503->4523 4522 40437a SendMessageW 4504->4522 4505->4477 4505->4491 4506->4498 4509 404f37 SendMessageW 4506->4509 4511 404fb6 4506->4511 4513 404f73 SendMessageW 4506->4513 4514 404f84 SendMessageW 4506->4514 4509->4506 
4510->4479 4511->4498 4511->4500 4512 405245 4517 40530b InvalidateRect 4512->4517 4521 4052b9 SendMessageW SendMessageW 4512->4521 4513->4506 4514->4506 4515->4516 4516->4512 4518 40522f SendMessageW 4516->4518 4517->4494 4519 405321 4517->4519 4518->4512 4524 404c99 4519->4524 4521->4512 4522->4483 4523->4481 4527 404bd0 4524->4527 4526 404cae 4526->4494 4529 404be9 4527->4529 4528 4063d2 17 API calls 4530 404c4d 4528->4530 4529->4528 4531 4063d2 17 API calls 4530->4531 4532 404c58 4531->4532 4533 4063d2 17 API calls 4532->4533 4534 404c6e lstrlenW wsprintfW SetDlgItemTextW 4533->4534 4534->4526 4535 401491 4536 405414 24 API calls 4535->4536 4537 401498 4536->4537 4538 402592 4539 4025c1 4538->4539 4540 4025a6 4538->4540 4542 4025f5 4539->4542 4543 4025c6 4539->4543 4541 402c15 17 API calls 4540->4541 4550 4025ad 4541->4550 4544 402c37 17 API calls 4542->4544 4545 402c37 17 API calls 4543->4545 4547 4025fc lstrlenW 4544->4547 4546 4025cd WideCharToMultiByte lstrlenA 4545->4546 4546->4550 4547->4550 4548 402629 4549 40263f 4548->4549 4551 405f54 WriteFile 4548->4551 4550->4548 4550->4549 4552 405f83 5 API calls 4550->4552 4551->4549 4552->4548 4553 404493 lstrlenW 4554 4044b2 4553->4554 4555 4044b4 WideCharToMultiByte 4553->4555 4554->4555 4556 404814 4557 404840 4556->4557 4558 404851 4556->4558 4617 4059f6 GetDlgItemTextW 4557->4617 4560 40485d GetDlgItem 4558->4560 4562 4048bc 4558->4562 4566 404871 4560->4566 4561 40484b 4563 406644 5 API calls 4561->4563 4567 4063d2 17 API calls 4562->4567 4577 4049a0 4562->4577 4615 404b4f 4562->4615 4563->4558 4565 404885 SetWindowTextW 4569 404345 18 API calls 4565->4569 4566->4565 4571 405d2c 4 API calls 4566->4571 4573 404930 SHBrowseForFolderW 4567->4573 4568 4049d0 4574 405d89 18 API calls 4568->4574 4575 4048a1 4569->4575 4570 4043ac 8 API calls 4576 404b63 4570->4576 4572 40487b 4571->4572 4572->4565 4581 405c81 3 API calls 4572->4581 4573->4577 4578 404948 CoTaskMemFree 4573->4578 4579 4049d6 4574->4579 4580 404345 
18 API calls 4575->4580 4577->4615 4619 4059f6 GetDlgItemTextW 4577->4619 4582 405c81 3 API calls 4578->4582 4620 4063b0 lstrcpynW 4579->4620 4583 4048af 4580->4583 4581->4565 4584 404955 4582->4584 4618 40437a SendMessageW 4583->4618 4587 40498c SetDlgItemTextW 4584->4587 4592 4063d2 17 API calls 4584->4592 4587->4577 4588 4048b5 4590 40678a 5 API calls 4588->4590 4589 4049ed 4591 40678a 5 API calls 4589->4591 4590->4562 4598 4049f4 4591->4598 4593 404974 lstrcmpiW 4592->4593 4593->4587 4596 404985 lstrcatW 4593->4596 4594 404a35 4621 4063b0 lstrcpynW 4594->4621 4596->4587 4597 404a3c 4599 405d2c 4 API calls 4597->4599 4598->4594 4602 405ccd 2 API calls 4598->4602 4604 404a8d 4598->4604 4600 404a42 GetDiskFreeSpaceW 4599->4600 4603 404a66 MulDiv 4600->4603 4600->4604 4602->4598 4603->4604 4605 404afe 4604->4605 4607 404c99 20 API calls 4604->4607 4606 404b21 4605->4606 4608 40140b 2 API calls 4605->4608 4622 404367 EnableWindow 4606->4622 4609 404aeb 4607->4609 4608->4606 4611 404b00 SetDlgItemTextW 4609->4611 4612 404af0 4609->4612 4611->4605 4614 404bd0 20 API calls 4612->4614 4613 404b3d 4613->4615 4616 40476d SendMessageW 4613->4616 4614->4605 4615->4570 4616->4615 4617->4561 4618->4588 4619->4568 4620->4589 4621->4597 4622->4613 4623 401c19 4624 402c15 17 API calls 4623->4624 4625 401c20 4624->4625 4626 402c15 17 API calls 4625->4626 4627 401c2d 4626->4627 4628 402c37 17 API calls 4627->4628 4630 401c42 4627->4630 4628->4630 4629 401c52 4631 401ca9 4629->4631 4632 401c5d 4629->4632 4630->4629 4633 402c37 17 API calls 4630->4633 4635 402c37 17 API calls 4631->4635 4634 402c15 17 API calls 4632->4634 4633->4629 4636 401c62 4634->4636 4637 401cae 4635->4637 4638 402c15 17 API calls 4636->4638 4639 402c37 17 API calls 4637->4639 4640 401c6e 4638->4640 4641 401cb7 FindWindowExW 4639->4641 4642 401c99 SendMessageW 4640->4642 4643 401c7b SendMessageTimeoutW 4640->4643 4644 401cd9 4641->4644 4642->4644 4643->4644 4645 402a9a SendMessageW 4646 402ab4 InvalidateRect 
4645->4646 4647 402abf 4645->4647 4646->4647 4648 40281b 4649 402821 4648->4649 4650 402829 FindClose 4649->4650 4651 402abf 4649->4651 4650->4651 4652 40149e 4653 4022f1 4652->4653 4654 4014ac PostQuitMessage 4652->4654 4654->4653 4662 4029a2 4663 402c15 17 API calls 4662->4663 4664 4029a8 4663->4664 4665 4029e8 4664->4665 4666 4029cf 4664->4666 4670 402885 4664->4670 4668 402a02 4665->4668 4669 4029f2 4665->4669 4667 4029d4 4666->4667 4675 4029e5 4666->4675 4676 4063b0 lstrcpynW 4667->4676 4672 4063d2 17 API calls 4668->4672 4671 402c15 17 API calls 4669->4671 4671->4675 4672->4675 4675->4670 4677 4062f7 wsprintfW 4675->4677 4676->4670 4677->4670 4678 4015a3 4679 402c37 17 API calls 4678->4679 4680 4015aa SetFileAttributesW 4679->4680 4681 4015bc 4680->4681 4682 4028a7 4683 402c37 17 API calls 4682->4683 4684 4028b5 4683->4684 4685 4028cb 4684->4685 4686 402c37 17 API calls 4684->4686 4687 405e7d 2 API calls 4685->4687 4686->4685 4688 4028d1 4687->4688 4710 405ea2 GetFileAttributesW CreateFileW 4688->4710 4690 4028de 4691 402981 4690->4691 4692 4028ea GlobalAlloc 4690->4692 4695 402989 DeleteFileW 4691->4695 4696 40299c 4691->4696 4693 402903 4692->4693 4694 402978 CloseHandle 4692->4694 4711 403441 SetFilePointer 4693->4711 4694->4691 4695->4696 4698 402909 4699 40342b ReadFile 4698->4699 4700 402912 GlobalAlloc 4699->4700 4701 402922 4700->4701 4702 402956 4700->4702 4704 4031ba 44 API calls 4701->4704 4703 405f54 WriteFile 4702->4703 4705 402962 GlobalFree 4703->4705 4709 40292f 4704->4709 4706 4031ba 44 API calls 4705->4706 4707 402975 4706->4707 4707->4694 4708 40294d GlobalFree 4708->4702 4709->4708 4710->4690 4711->4698 4712 40202c 4713 4020f0 4712->4713 4714 40203e 4712->4714 4716 401423 24 API calls 4713->4716 4715 402c37 17 API calls 4714->4715 4717 402045 4715->4717 4723 40224a 4716->4723 4718 402c37 17 API calls 4717->4718 4719 40204e 4718->4719 4720 402064 LoadLibraryExW 4719->4720 4721 402056 GetModuleHandleW 4719->4721 4720->4713 4722 402075 
4720->4722 4721->4720 4721->4722 4732 4067f9 WideCharToMultiByte 4722->4732 4726 4020bf 4727 405414 24 API calls 4726->4727 4729 402096 4727->4729 4728 402086 4728->4729 4730 401423 24 API calls 4728->4730 4729->4723 4731 4020e2 FreeLibrary 4729->4731 4730->4729 4731->4723 4733 406823 GetProcAddress 4732->4733 4734 402080 4732->4734 4733->4734 4734->4726 4734->4728 4742 402a2f 4743 402c15 17 API calls 4742->4743 4744 402a35 4743->4744 4745 402a47 4744->4745 4746 402a6c 4744->4746 4747 402885 4744->4747 4745->4747 4750 4062f7 wsprintfW 4745->4750 4746->4747 4748 4063d2 17 API calls 4746->4748 4748->4747 4750->4747 4751 401a30 4752 402c37 17 API calls 4751->4752 4753 401a39 ExpandEnvironmentStringsW 4752->4753 4754 401a4d 4753->4754 4756 401a60 4753->4756 4755 401a52 lstrcmpW 4754->4755 4754->4756 4755->4756 4762 401db3 GetDC 4763 402c15 17 API calls 4762->4763 4764 401dc5 GetDeviceCaps MulDiv ReleaseDC 4763->4764 4765 402c15 17 API calls 4764->4765 4766 401df6 4765->4766 4767 4063d2 17 API calls 4766->4767 4768 401e33 CreateFontIndirectW 4767->4768 4769 40258c 4768->4769 4770 401735 4771 402c37 17 API calls 4770->4771 4772 40173c SearchPathW 4771->4772 4773 401757 4772->4773 4774 402835 4775 40283d 4774->4775 4776 402841 FindNextFileW 4775->4776 4778 402853 4775->4778 4777 40289a 4776->4777 4776->4778 4780 4063b0 lstrcpynW 4777->4780 4780->4778 4781 4014b8 4782 4014be 4781->4782 4783 401389 2 API calls 4782->4783 4784 4014c6 4783->4784 4785 406aba 4791 40693e 4785->4791 4786 4072a9 4787 4069c8 GlobalAlloc 4787->4786 4787->4791 4788 4069bf GlobalFree 4788->4787 4789 406a36 GlobalFree 4790 406a3f GlobalAlloc 4789->4790 4790->4786 4790->4791 4791->4786 4791->4787 4791->4788 4791->4789 4791->4790

        Control-flow Graph

control_flow_graph 0 403489-4034c6 SetErrorMode GetVersion 1 4034c8-4034d0 call 40678a 0->1 2 4034d9 0->2 1->2 8 4034d2 1->8 3 4034de-4034f2 call 40671a lstrlenA 2->3 9 4034f4-403510 call 40678a * 3 3->9 8->2 16 403521-403582 #17 OleInitialize SHGetFileInfoW call 4063b0 GetCommandLineW call 4063b0 GetModuleHandleW 9->16 17 403512-403518 9->17 24 403584-40358b 16->24 25 40358c-4035a6 call 405cae CharNextW 16->25 17->16 22 40351a 17->22 22->16 24->25 28 4035ac-4035b2 25->28 29 4036bd-4036d7 GetTempPathW call 403458 25->29 31 4035b4-4035b9 28->31 32 4035bb-4035bf 28->32 36 4036d9-4036f7 GetWindowsDirectoryW lstrcatW call 403458 29->36 37 40372f-40373e DeleteFileW call 402f14 29->37 31->31 31->32 34 4035c1-4035c5 32->34 35 4035c6-4035ca 32->35 34->35 38 4035d0-4035d6 35->38 39 403689-403696 call 405cae 35->39 36->37 54 4036f9-403729 GetTempPathW lstrcatW SetEnvironmentVariableW * 2 call 403458 36->54 49 403743-403749 37->49 43 4035f1-40362a 38->43 44 4035d8-4035e0 38->44 55 403698-403699 39->55 56 40369a-4036a0 39->56 45 403647-403681 43->45 46 40362c-403631 43->46 50 4035e2-4035e5 44->50 51 4035e7 44->51 45->39 53 403683-403687 45->53 46->45 52 403633-40363b 46->52 57 4037fa-40380a call 4039cc CoUninitialize 49->57 58 40374f-403755 49->58 50->43 50->51 51->43 60 403642 52->60 61 40363d-403640 52->61 53->39 62 4036a8-4036b6 call 4063b0 53->62 54->37 54->57 55->56 56->28 64 4036a6 56->64 75 403930-403936 57->75 76 403810-403820 call 405a12 ExitProcess 57->76 65 4037ea-4037f6 call 403abe 58->65 66 40375b-403766 call 405cae 58->66 60->45 61->45 61->60 70 4036bb 62->70 64->70 65->57 77 4037b4-4037be 66->77 78 403768-40379d 66->78 70->29 80 4039b4-4039bc 75->80 81 403938-40394e GetCurrentProcess OpenProcessToken 75->81 85 4037c0-4037ce call 405d89 77->85 86 403826-40383a call 40597d lstrcatW 77->86 82 40379f-4037a3 78->82 83 4039c2-4039c6 ExitProcess 80->83 84 4039be 80->84 88 403950-40397e LookupPrivilegeValueW AdjustTokenPrivileges 81->88 89 403984-403992 call 40678a 81->89 90 4037a5-4037aa 82->90 91 4037ac-4037b0 82->91 84->83 85->57 99 4037d0-4037e6 call 4063b0 * 2 85->99 100 403847-403861 lstrcatW lstrcmpiW 86->100 101 40383c-403842 lstrcatW 86->101 88->89 102 4039a0-4039ab ExitWindowsEx 89->102 103 403994-40399e 89->103 90->91 95 4037b2 90->95 91->82 91->95 95->77 99->65 100->57 106 403863-403866 100->106 101->100 102->80 104 4039ad-4039af call 40140b 102->104 103->102 103->104 104->80 110 403868-40386d call 4058e3 106->110 111 40386f call 405960 106->111 116 403874-403882 SetCurrentDirectoryW 110->116 111->116 118 403884-40388a call 4063b0 116->118 119 40388f-4038b8 call 4063b0 116->119 118->119 123 4038bd-4038d9 call 4063d2 DeleteFileW 119->123 126 40391a-403922 123->126 127 4038db-4038eb CopyFileW 123->127 126->123 128 403924-40392b call 406176 126->128 127->126 129 4038ed-40390d call 406176 call 4063d2 call 405995 127->129 128->57 129->126 138 40390f-403916 CloseHandle 129->138 138->126
        APIs
        • SetErrorMode.KERNELBASE ref: 004034AC
        • GetVersion.KERNEL32 ref: 004034B2
        • lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004034E5
        • #17.COMCTL32(?,00000006,00000008,0000000A), ref: 00403522
        • OleInitialize.OLE32(00000000), ref: 00403529
        • SHGetFileInfoW.SHELL32(004216E8,00000000,?,000002B4,00000000), ref: 00403545
        • GetCommandLineW.KERNEL32(00429240,NSIS Error,?,00000006,00000008,0000000A), ref: 0040355A
        • GetModuleHandleW.KERNEL32(00000000,00435000,00000000,?,00000006,00000008,0000000A), ref: 0040356D
        • CharNextW.USER32(00000000,00435000,00000020,?,00000006,00000008,0000000A), ref: 00403594
          • Part of subcall function 0040678A: GetModuleHandleA.KERNEL32(?,00000020,?,004034FB,0000000A), ref: 0040679C
          • Part of subcall function 0040678A: GetProcAddress.KERNEL32(00000000,?), ref: 004067B7
        • GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 004036CE
        • GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000006,00000008,0000000A), ref: 004036DF
        • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000006,00000008,0000000A), ref: 004036EB
        • GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000006,00000008,0000000A), ref: 004036FF
        • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 00403707
        • SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 00403718
        • SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 00403720
        • DeleteFileW.KERNELBASE(C:\Users\user\AppData\Local\Temp\nsiA846.tmp,?,00000006,00000008,0000000A), ref: 00403734
          • Part of subcall function 004063B0: lstrcpynW.KERNEL32(?,?,00000400,0040355A,00429240,NSIS Error,?,00000006,00000008,0000000A), ref: 004063BD
        • CoUninitialize.COMBASE(00000006,?,00000006,00000008,0000000A), ref: 004037FF
        • ExitProcess.KERNEL32 ref: 00403820
        • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu,00435000,00000000,00000006,?,00000006,00000008,0000000A), ref: 00403833
        • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A328,C:\Users\user\AppData\Local\Temp\,~nsu,00435000,00000000,00000006,?,00000006,00000008,0000000A), ref: 00403842
        • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,00435000,00000000,00000006,?,00000006,00000008,0000000A), ref: 0040384D
        • lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,00436800,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,00435000,00000000,00000006,?,00000006,00000008,0000000A), ref: 00403859
        • SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 00403875
        • DeleteFileW.KERNEL32(00420EE8,00420EE8,?,0042B000,00000008,?,00000006,00000008,0000000A), ref: 004038CF
        • CopyFileW.KERNEL32(00438800,00420EE8,00000001,?,00000006,00000008,0000000A), ref: 004038E3
        • CloseHandle.KERNEL32(00000000,00420EE8,00420EE8,?,00420EE8,00000000,?,00000006,00000008,0000000A), ref: 00403910
        • GetCurrentProcess.KERNEL32(00000028,0000000A,00000006,00000008,0000000A), ref: 0040393F
        • OpenProcessToken.ADVAPI32(00000000), ref: 00403946
        • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 0040395B
        • AdjustTokenPrivileges.ADVAPI32 ref: 0040397E
        • ExitWindowsEx.USER32(00000002,80040002), ref: 004039A3
        • ExitProcess.KERNEL32 ref: 004039C6
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.1416137763.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1416108436.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1416168892.0000000000408000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1416200780.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1416200780.0000000000418000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1416200780.0000000000427000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1416200780.0000000000437000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1416898556.0000000000457000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_Shiits.jbxd
        Similarity
        • API ID: lstrcat$FileProcess$ExitHandle$CurrentDeleteDirectoryEnvironmentModulePathTempTokenVariableWindows$AddressAdjustCharCloseCommandCopyErrorInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrcmpilstrcpynlstrlen
        • String ID: .tmp$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nsiA846.tmp$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
        • API String ID: 2488574733-3287612712
        • Opcode ID: 14ad559e36887b98628aa0b5c89eca8790ad75e7750f0c18f7d923cdc0b0105a
        • Instruction ID: aa49a9b5ba718b736b7abce3970f6df4d0a927ceef10040f9259c4205047f8e0
        • Opcode Fuzzy Hash: 14ad559e36887b98628aa0b5c89eca8790ad75e7750f0c18f7d923cdc0b0105a
        • Instruction Fuzzy Hash: 3DD103B1600311ABD3206F759D45B3B3AACEB4070AF10443FF981B62D2DBBD8D558A6E
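The main-function trace above (the TEMP/TMP staging, the "~nsu" and ".tmp" name building, SeShutdownPrivilege followed by ExitWindowsEx, and the "NSIS Error" / "Error launching installer" strings) is what the standard NSIS installer stub does, so the "shutdown / reboot" and clipboard signatures in this report's overview have to be read against that baseline before they count as behaviour specific to this sample. Two details are worth decoding by hand: ExitWindowsEx(00000002,80040002) is EWX_REBOOT with reason SHTDN_REASON_FLAG_PLANNED | SHTDN_REASON_MAJOR_APPLICATION | SHTDN_REASON_MINOR_INSTALLATION, i.e. a planned post-install reboot, and the clipboard sequence in the function at 405553 ends in SetClipboardData(0000000D,...), format 0x0D being CF_UNICODETEXT, so that trace shows a clipboard write (the details-window copy feature), not a read. The Python below is an added triage helper, not part of the Joe Sandbox report or of NSIS: it parses API bullets in the report's own format, buckets them by behaviour and expands the flag arguments of the calls that matter. The behaviour buckets are my own shortlist (an assumption); the sample lines are copied from the listing above.

```python
import re
from collections import defaultdict

# One Joe Sandbox "APIs" bullet looks like "Name.MODULE(args), ref: 0040XXXX".
# Some entries have no argument list ("GetVersion.KERNEL32 ref: 004034B2") and
# COMCTL32 ordinal imports appear as "#17".
API_LINE = re.compile(
    r"^(?P<api>#?\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})$"
)

# Behaviour buckets for triage. This shortlist is my own (an assumption), not
# a Joe Sandbox signature definition; extend it per engagement.
BEHAVIOURS = {
    "shutdown/reboot": {"ExitWindowsEx", "InitiateSystemShutdownW", "InitiateSystemShutdownExW"},
    "privilege adjust": {"LookupPrivilegeValueW", "AdjustTokenPrivileges"},
    "clipboard write": {"EmptyClipboard", "SetClipboardData"},
    "clipboard read": {"GetClipboardData"},
    "temp staging": {"GetTempPathW", "GetTempFileNameW", "SetEnvironmentVariableW"},
    "dynamic dll load": {"LoadLibraryW", "LoadLibraryExW", "GetProcAddress"},
}

# Flag values from the Windows SDK (winuser.h, reason.h, libloaderapi.h).
EWX_FLAGS = {0x1: "EWX_SHUTDOWN", 0x2: "EWX_REBOOT", 0x4: "EWX_FORCE",
             0x8: "EWX_POWEROFF", 0x10: "EWX_FORCEIFHUNG", 0x40: "EWX_RESTARTAPPS"}
SHTDN_REASON = {0x80000000: "SHTDN_REASON_FLAG_PLANNED",
                0x00040000: "SHTDN_REASON_MAJOR_APPLICATION",
                0x00000002: "SHTDN_REASON_MINOR_INSTALLATION"}
LOADLIB_FLAGS = {0x8: "LOAD_WITH_ALTERED_SEARCH_PATH",
                 0x800: "LOAD_LIBRARY_SEARCH_SYSTEM32",
                 0x1000: "LOAD_LIBRARY_SEARCH_DEFAULT_DIRS"}

# Constructed sample: API bullets copied from the report's main-function listing.
SAMPLE_LINES = [
    r"• GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 004036CE",
    r"• SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 00403718",
    r"• SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 00403720",
    r"• LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 00406780",
    r"• GetProcAddress.KERNEL32(00000000,?), ref: 004067B7",
    r"• LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 0040395B",
    r"• AdjustTokenPrivileges.ADVAPI32 ref: 0040397E",
    r"• ExitWindowsEx.USER32(00000002,80040002), ref: 004039A3",
    r"• EmptyClipboard.USER32 ref: 0040587B",
    r"• SetClipboardData.USER32(0000000D,00000000), ref: 004058D0",
]


def parse_api_line(line):
    """Return {api, module, args, ref} for one API bullet, or None if it is not one."""
    m = API_LINE.match(line.strip().lstrip("•").strip())
    if not m:
        return None
    args = m.group("args")
    return {"api": m.group("api"), "module": m.group("module"),
            "args": args.split(",") if args else [], "ref": int(m.group("ref"), 16)}


def decode_bits(value, table):
    """Name every set bit listed in table and report any bit the table does not know."""
    names, known = [], 0
    for bit, name in table.items():
        if value & bit:
            names.append(name)
            known |= bit
    if value & ~known:
        names.append("unknown:0x%X" % (value & ~known))
    return names


def _hex(arg):
    try:
        return int(arg, 16)
    except ValueError:  # Joe Sandbox prints "?" for arguments it could not resolve
        return None


def decode_call(rec):
    """Expand the flag arguments of the calls whose flags matter for triage."""
    api, vals = rec["api"], [_hex(a) for a in rec["args"]]
    if api == "ExitWindowsEx" and len(vals) >= 2 and None not in vals[:2]:
        return {"uFlags": decode_bits(vals[0], EWX_FLAGS),
                "dwReason": decode_bits(vals[1], SHTDN_REASON)}
    if api == "LoadLibraryExW" and len(vals) >= 3 and vals[2] is not None:
        return {"dwFlags": decode_bits(vals[2], LOADLIB_FLAGS)}
    return {}


def triage(lines):
    """Group parsed API bullets into behaviour buckets, keeping the call-site address."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_api_line(line)
        if rec is None:
            continue
        for tag, apis in BEHAVIOURS.items():
            if rec["api"] in apis:
                hits[tag].append((rec["api"], rec["ref"], decode_call(rec)))
    return dict(hits)


if __name__ == "__main__":
    for tag, calls in triage(SAMPLE_LINES).items():
        print(tag)
        for api, ref, flags in calls:
            print("    %s @ %08X %s" % (api, ref, flags or ""))
```

Run over the sample, the helper reports no "clipboard read" bucket, one shutdown/reboot call at 004039A3 decoded as EWX_REBOOT with a planned-installation reason, and LoadLibraryExW at 00406780 with LOAD_WITH_ALTERED_SEARCH_PATH. That last call sits in the function at 40671a, which builds its argument from GetSystemDirectoryW and the "%s%S.dll" format (UXTHEME), so the stub loads that library from an absolute system-directory path rather than relying on the default search order.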

        Control-flow Graph

        control_flow_graph 139 40671a-40673a GetSystemDirectoryW 140 40673c 139->140 141 40673e-406740 139->141 140->141 142 406751-406753 141->142 143 406742-40674b 141->143 145 406754-406787 wsprintfW LoadLibraryExW 142->145 143->142 144 40674d-40674f 143->144 144->145
        APIs
        • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406731
        • wsprintfW.USER32 ref: 0040676C
        • LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 00406780
        Strings
        Similarity
        • API ID: DirectoryLibraryLoadSystemwsprintf
        • String ID: %s%S.dll$UXTHEME$\
        • API String ID: 2200240437-1946221925
        • Opcode ID: 40aa1e09304642b089aa1993992f232c43871fa513f82abce0c0f0efb2bd037b
        • Instruction ID: 212fe184e71725d5a8014c1118872f5233ada1a9ecb6260670121aae60094f83
        • Opcode Fuzzy Hash: 40aa1e09304642b089aa1993992f232c43871fa513f82abce0c0f0efb2bd037b
        • Instruction Fuzzy Hash: BBF02170510119ABCF10BB64DD0DF9B375CAB00305F50447AA546F20D1EBBCDA78C798

        Control-flow Graph

        control_flow_graph 146 405ed1-405edd 147 405ede-405f12 GetTickCount GetTempFileNameW 146->147 148 405f21-405f23 147->148 149 405f14-405f16 147->149 151 405f1b-405f1e 148->151 149->147 150 405f18 149->150 150->151
        APIs
        • GetTickCount.KERNEL32 ref: 00405EEF
        • GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00435000,00403487,C:\Users\user\AppData\Local\Temp\nsiA846.tmp,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,75573420,004036D5), ref: 00405F0A
        Strings
        Similarity
        • API ID: CountFileNameTempTick
        • String ID: C:\Users\user\AppData\Local\Temp\$nsa
        • API String ID: 1716503409-1331003597
        • Opcode ID: 0c62091ad8b50aef506abc269e58e4a43f33256201187c1c154fac6de66d8f01
        • Instruction ID: 6418149b7de8853f47a359c443b4445f7a51012143164c36937b703eba88611a
        • Opcode Fuzzy Hash: 0c62091ad8b50aef506abc269e58e4a43f33256201187c1c154fac6de66d8f01
        • Instruction Fuzzy Hash: 51F03076A00204FBEB009F59ED05E9BB7ACEB95750F10803AED41F7250E6B49A54CB69

        Control-flow Graph

        control_flow_graph 152 40678a-4067a4 GetModuleHandleA 153 4067b0-4067bd GetProcAddress 152->153 154 4067a6-4067a7 call 40671a 152->154 156 4067c1-4067c3 153->156 157 4067ac-4067ae 154->157 157->153 158 4067bf 157->158 158->156
        APIs
        • GetModuleHandleA.KERNEL32(?,00000020,?,004034FB,0000000A), ref: 0040679C
        • GetProcAddress.KERNEL32(00000000,?), ref: 004067B7
          • Part of subcall function 0040671A: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406731
          • Part of subcall function 0040671A: wsprintfW.USER32 ref: 0040676C
          • Part of subcall function 0040671A: LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 00406780
        Similarity
        • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
        • String ID:
        • API String ID: 2547128583-0
        • Opcode ID: 1fd694bbbc018e5f81eae6ff46d5e7dd0c39e86c0a2cf65890550c3579ed631a
        • Instruction ID: 6fedc38abd16d04710e8a636fd16f84820eabe090bba127bd882252d3fb3e83b
        • Opcode Fuzzy Hash: 1fd694bbbc018e5f81eae6ff46d5e7dd0c39e86c0a2cf65890550c3579ed631a
        • Instruction Fuzzy Hash: 21E0863250421156D21096745E4893772AC9AC4718307843EF956F3041DB389C35A76D

        Control-flow Graph

        control_flow_graph 159 405ea2-405ece GetFileAttributesW CreateFileW
        APIs
        • GetFileAttributesW.KERNELBASE(00000003,00402F57,00438800,80000000,00000003), ref: 00405EA6
        • CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405EC8
        Similarity
        • API ID: File$AttributesCreate
        • String ID:
        • API String ID: 415043291-0
        • Opcode ID: 133c91a1dbaf88dbfd801214b1c0a7aa23d67a900b7421546c440c33baf3910c
        • Instruction ID: 5201df1ff3c0a0bd0294a98706b79309786c42e99614e685d4e3591f63f4d9e2
        • Opcode Fuzzy Hash: 133c91a1dbaf88dbfd801214b1c0a7aa23d67a900b7421546c440c33baf3910c
        • Instruction Fuzzy Hash: D5D09E31254601AFEF098F20DE16F2E7AA2EB84B04F11552CB7C2940E0DA7158199B15

        Control-flow Graph

        control_flow_graph 160 405960-40596e CreateDirectoryW 161 405970-405972 160->161 162 405974 GetLastError 160->162 163 40597a 161->163 162->163
        APIs
        • CreateDirectoryW.KERNELBASE(?,00000000,0040347C,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,75573420,004036D5,?,00000006,00000008,0000000A), ref: 00405966
        • GetLastError.KERNEL32(?,00000006,00000008,0000000A), ref: 00405974
        Similarity
        • API ID: CreateDirectoryErrorLast
        • String ID:
        • API String ID: 1375471231-0
        • Opcode ID: 2a128b8619e21daab1f352946d406dfe7ea7319ba132ee6f2f415100985951e7
        • Instruction ID: a0b70af09676f49ae35af12b400ff138e6ea5c47fed9fef2c083bef2843b0e9d
        • Opcode Fuzzy Hash: 2a128b8619e21daab1f352946d406dfe7ea7319ba132ee6f2f415100985951e7
        • Instruction Fuzzy Hash: 97C04C71255506DADB105F31DE08F1B7A50AB60751F11843AA18AE51B0DA348455DD2D

        Control-flow Graph

        control_flow_graph 164 4039cc-4039db 165 4039e7-4039ef 164->165 166 4039dd-4039e0 CloseHandle 164->166 167 4039f1-4039f4 CloseHandle 165->167 168 4039fb-403a0d call 403a29 call 405abe 165->168 166->165 167->168
        APIs
        • CloseHandle.KERNELBASE(FFFFFFFF,75573420,004037FF,00000006,?,00000006,00000008,0000000A), ref: 004039DE
        • CloseHandle.KERNEL32(FFFFFFFF,75573420,004037FF,00000006,?,00000006,00000008,0000000A), ref: 004039F2
        Similarity
        • API ID: CloseHandle
        • String ID:
        • API String ID: 2962429428-0
        • Opcode ID: b55cff4552d52d76d05c17db1d45919cd3b2f7dc16ec8014ab047bfb7f0b1341
        • Instruction ID: fc38efd84d8d016dcd3317839c289eb32d5c21f0986e32e85f71fbf804eaa656
        • Opcode Fuzzy Hash: b55cff4552d52d76d05c17db1d45919cd3b2f7dc16ec8014ab047bfb7f0b1341
        • Instruction Fuzzy Hash: 32E0867150071496C524AF7CAE4A5863A185B45335B204726F0B8F21F0C77899675ED9

        Control-flow Graph

        control_flow_graph 186 405f25-405f41 ReadFile 187 405f43-405f46 186->187 188 405f4d 186->188 187->188 190 405f48-405f4b 187->190 189 405f4f-405f51 188->189 190->189
        APIs
        • ReadFile.KERNELBASE(0040A230,00000000,00000000,00000000,00000000,00414ED0,0040CED0,0040343E,0040A230,0040A230,00403342,00414ED0,00004000,?,00000000,004031EC), ref: 00405F39
        Similarity
        • API ID: FileRead
        • String ID:
        • API String ID: 2738559852-0
        • Opcode ID: 7739e01b11ed9e02f3c754170f73e593db9a2046c62570b976e55369a775b70d
        • Instruction ID: 9b2ea83f702eb3fffeb4c264c614e4c5cb206e28bf88f3110778221d7db1fef5
        • Opcode Fuzzy Hash: 7739e01b11ed9e02f3c754170f73e593db9a2046c62570b976e55369a775b70d
        • Instruction Fuzzy Hash: D7E08C3220021AEBCF109F508C00EEB3B6CEB04360F004472F925E2180E234E8219FA8

        Control-flow Graph

        control_flow_graph 194 405553-40556e 195 405574-40563b GetDlgItem * 3 call 40437a call 404cb1 GetClientRect GetSystemMetrics SendMessageW * 2 194->195 196 4056fd-405704 194->196 214 405659-40565c 195->214 215 40563d-405657 SendMessageW * 2 195->215 197 405706-405728 GetDlgItem CreateThread CloseHandle 196->197 198 40572e-40573b 196->198 197->198 201 405759-405763 198->201 202 40573d-405743 198->202 206 405765-40576b 201->206 207 4057b9-4057bd 201->207 204 405745-405754 ShowWindow * 2 call 40437a 202->204 205 40577e-405787 call 4043ac 202->205 204->201 218 40578c-405790 205->218 211 405793-4057a3 ShowWindow 206->211 212 40576d-405779 call 40431e 206->212 207->205 209 4057bf-4057c5 207->209 209->205 216 4057c7-4057da SendMessageW 209->216 219 4057b3-4057b4 call 40431e 211->219 220 4057a5-4057ae call 405414 211->220 212->205 222 40566c-405683 call 404345 214->222 223 40565e-40566a SendMessageW 214->223 215->214 224 4057e0-40580b CreatePopupMenu call 4063d2 AppendMenuW 216->224 225 4058dc-4058de 216->225 219->207 220->219 233 405685-405699 ShowWindow 222->233 234 4056b9-4056da GetDlgItem SendMessageW 222->234 223->222 231 405820-405835 TrackPopupMenu 224->231 232 40580d-40581d GetWindowRect 224->232 225->218 231->225 235 40583b-405852 231->235 232->231 236 4056a8 233->236 237 40569b-4056a6 ShowWindow 233->237 234->225 238 4056e0-4056f8 SendMessageW * 2 234->238 239 405857-405872 SendMessageW 235->239 240 4056ae-4056b4 call 40437a 236->240 237->240 238->225 239->239 241 405874-405897 OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 239->241 240->234 243 405899-4058c0 SendMessageW 241->243 243->243 244 4058c2-4058d6 GlobalUnlock SetClipboardData CloseClipboard 243->244 244->225
        APIs
        • GetDlgItem.USER32(?,00000403), ref: 004055B1
        • GetDlgItem.USER32(?,000003EE), ref: 004055C0
        • GetClientRect.USER32(?,?), ref: 004055FD
        • GetSystemMetrics.USER32(00000002), ref: 00405604
        • SendMessageW.USER32(?,00001061,00000000,?), ref: 00405625
        • SendMessageW.USER32(?,00001036,00004000,00004000), ref: 00405636
        • SendMessageW.USER32(?,00001001,00000000,00000110), ref: 00405649
        • SendMessageW.USER32(?,00001026,00000000,00000110), ref: 00405657
        • SendMessageW.USER32(?,00001024,00000000,?), ref: 0040566A
        • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 0040568C
        • ShowWindow.USER32(?,00000008), ref: 004056A0
        • GetDlgItem.USER32(?,000003EC), ref: 004056C1
        • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 004056D1
        • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004056EA
        • SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004056F6
        • GetDlgItem.USER32(?,000003F8), ref: 004055CF
          • Part of subcall function 0040437A: SendMessageW.USER32(00000028,?,00000001,004041A5), ref: 00404388
        • GetDlgItem.USER32(?,000003EC), ref: 00405713
        • CreateThread.KERNEL32(00000000,00000000,Function_000054E7,00000000), ref: 00405721
        • CloseHandle.KERNEL32(00000000), ref: 00405728
        • ShowWindow.USER32(00000000), ref: 0040574C
        • ShowWindow.USER32(?,00000008), ref: 00405751
        • ShowWindow.USER32(00000008), ref: 0040579B
        • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004057CF
        • CreatePopupMenu.USER32 ref: 004057E0
        • AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 004057F4
        • GetWindowRect.USER32(?,?), ref: 00405814
        • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 0040582D
        • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405865
        • OpenClipboard.USER32(00000000), ref: 00405875
        • EmptyClipboard.USER32 ref: 0040587B
        • GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405887
        • GlobalLock.KERNEL32(00000000), ref: 00405891
        • SendMessageW.USER32(?,00001073,00000000,?), ref: 004058A5
        • GlobalUnlock.KERNEL32(00000000), ref: 004058C5
        • SetClipboardData.USER32(0000000D,00000000), ref: 004058D0
        • CloseClipboard.USER32 ref: 004058D6
        Strings
        Similarity
        • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
        • String ID: (7B${
        • API String ID: 590372296-525222780
        • Opcode ID: 1142e3eee97fd8762b48b2f2c33544bf4d6ca7057cb45d9d802b0ed2d8ae9100
        • Instruction ID: f8c5fe522ebc9739dae7df13929d3a15495bf3740f19f89270c8c50aa4207807
        • Opcode Fuzzy Hash: 1142e3eee97fd8762b48b2f2c33544bf4d6ca7057cb45d9d802b0ed2d8ae9100
        • Instruction Fuzzy Hash: AFB15870900608FFDB11AFA0DD85AAE7B79FB44354F00847AFA45B61A0CB754E51DF68

        Control-flow Graph

control_flow_graph 245 404d90-404ddc GetDlgItem * 2 246 404de2-404e76 GlobalAlloc LoadBitmapW SetWindowLongW ImageList_Create ImageList_AddMasked SendMessageW * 2 245->246 247 404ffd-405004 245->247 248 404e85-404e8c DeleteObject 246->248 249 404e78-404e83 SendMessageW 246->249 250 405006-405016 247->250 251 405018 247->251 253 404e8e-404e96 248->253 249->248 252 40501b-405024 250->252 251->252 254 405026-405029 252->254 255 40502f-405035 252->255 256 404e98-404e9b 253->256 257 404ebf-404ec3 253->257 254->255 259 405113-40511a 254->259 262 405044-40504b 255->262 263 405037-40503e 255->263 260 404ea0-404ebd call 4063d2 SendMessageW * 2 256->260 261 404e9d 256->261 257->253 258 404ec5-404ef1 call 404345 * 2 257->258 301 404ef7-404efd 258->301 302 404fbc-404fcf GetWindowLongW SetWindowLongW 258->302 265 40518b-405193 259->265 266 40511c-405122 259->266 260->257 261->260 268 4050c0-4050c3 262->268 269 40504d-405050 262->269 263->259 263->262 276 405195-40519b SendMessageW 265->276 277 40519d-4051a4 265->277 273 405373-405385 call 4043ac 266->273 274 405128-405132 266->274 268->259 275 4050c5-4050cf 268->275 270 405052-405059 269->270 271 40505b-405070 call 404cde 269->271 270->268 270->271 271->268 300 405072-405083 271->300 274->273 283 405138-405147 SendMessageW 274->283 285 4050d1-4050dd SendMessageW 275->285 286 4050df-4050e9 275->286 276->277 279 4051a6-4051ad 277->279 280 4051d8-4051df 277->280 288 4051b6-4051bd 279->288 289 4051af-4051b0 ImageList_Destroy 279->289 292 405335-40533c 280->292 293 4051e5-4051f1 call 4011ef 280->293 283->273 294 40514d-40515e SendMessageW 283->294 285->286 286->259 287 4050eb-4050f5 286->287 296 405106-405110 287->296 297 4050f7-405104 287->297 298 4051c6-4051d2 288->298 299 4051bf-4051c0 GlobalFree 288->299 289->288 292->273 306 40533e-405345 292->306 319 405201-405204 293->319 320 4051f3-4051f6 293->320 304 405160-405166 294->304 305 405168-40516a 294->305 296->259 297->259 298->280 299->298 300->268 308 405085-405087 300->308 309 404f00-404f07 301->309 307 404fd5-404fd9 302->307 304->305 311 40516b-405184 call 401299 SendMessageW 304->311 305->311 306->273 312 405347-405371 ShowWindow GetDlgItem ShowWindow 306->312 313 404ff3-404ffb call 40437a 307->313 314 404fdb-404fee ShowWindow call 40437a 307->314 315 405089-405090 308->315 316 40509a 308->316 317 404f9d-404fb0 309->317 318 404f0d-404f35 309->318 311->265 312->273 313->247 314->273 324 405092-405094 315->324 325 405096-405098 315->325 328 40509d-4050b9 call 40117d 316->328 317->309 332 404fb6-404fba 317->332 326 404f37-404f6d SendMessageW 318->326 327 404f6f-404f71 318->327 333 405245-405269 call 4011ef 319->333 334 405206-40521f call 4012e2 call 401299 319->334 329 4051f8 320->329 330 4051f9-4051fc call 404d5e 320->330 324->328 325->328 326->317 339 404f73-404f82 SendMessageW 327->339 340 404f84-404f9a SendMessageW 327->340 328->268 329->330 330->319 332->302 332->307 347 40530b-40531f InvalidateRect 333->347 348 40526f 333->348 352 405221-405227 334->352 353 40522f-40523e SendMessageW 334->353 339->317 340->317 347->292 350 405321-405330 call 404cb1 call 404c99 347->350 351 405272-40527d 348->351 350->292 354 4052f3-405305 351->354 355 40527f-40528e 351->355 357 405229 352->357 358 40522a-40522d 352->358 353->333 354->347 354->351 360 405290-40529d 355->360 361 4052a1-4052a4 355->361 357->358 358->352 358->353 360->361 362 4052a6-4052a9 361->362 363 4052ab-4052b4 361->363 365 4052b9-4052f1 SendMessageW * 2 362->365 363->365 366 4052b6 363->366 365->354 366->365
        APIs
        • GetDlgItem.USER32(?,000003F9), ref: 00404DA8
        • GetDlgItem.USER32(?,00000408), ref: 00404DB3
        • GlobalAlloc.KERNEL32(00000040,?), ref: 00404DFD
        • LoadBitmapW.USER32(0000006E), ref: 00404E10
        • SetWindowLongW.USER32(?,000000FC,00405388), ref: 00404E29
        • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404E3D
        • ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404E4F
        • SendMessageW.USER32(?,00001109,00000002), ref: 00404E65
        • SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404E71
        • SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404E83
        • DeleteObject.GDI32(00000000), ref: 00404E86
        • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404EB1
        • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404EBD
        • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404F53
        • SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00404F7E
        • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404F92
        • GetWindowLongW.USER32(?,000000F0), ref: 00404FC1
        • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404FCF
        • ShowWindow.USER32(?,00000005), ref: 00404FE0
        • SendMessageW.USER32(?,00000419,00000000,?), ref: 004050DD
        • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00405142
        • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00405157
        • SendMessageW.USER32(?,00000420,00000000,00000020), ref: 0040517B
        • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 0040519B
        • ImageList_Destroy.COMCTL32(?), ref: 004051B0
        • GlobalFree.KERNEL32(?), ref: 004051C0
        • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00405239
        • SendMessageW.USER32(?,00001102,?,?), ref: 004052E2
        • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 004052F1
        • InvalidateRect.USER32(?,00000000,00000001), ref: 00405311
        • ShowWindow.USER32(?,00000000), ref: 0040535F
        • GetDlgItem.USER32(?,000003FE), ref: 0040536A
        • ShowWindow.USER32(00000000), ref: 00405371
        Memory Dump Source
        • Source File: 00000000.00000002.1416137763.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1416108436.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1416168892.0000000000408000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1416200780.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1416200780.0000000000418000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1416200780.0000000000427000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1416200780.0000000000437000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1416898556.0000000000457000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_Shiits.jbxd
        Similarity
        • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
        • String ID: $M$N
        • API String ID: 1638840714-813528018
        • Opcode ID: 964e38d30da53f33d6cf26648c4d64b269b267384fffcb86a0e94ad1129913da
        • Instruction ID: 31ae2990ecb9e768136dc40aca02b7f59ce629e1f3cadc681249b7cbd6abf0de
        • Opcode Fuzzy Hash: 964e38d30da53f33d6cf26648c4d64b269b267384fffcb86a0e94ad1129913da
        • Instruction Fuzzy Hash: 09027DB0A00609EFDB209F54DC45AAE7BB5FB44354F10817AE610BA2E0C7798E52CF58
        APIs
        • GetDlgItem.USER32(?,000003FB), ref: 00404863
        • SetWindowTextW.USER32(00000000,?), ref: 0040488D
        • SHBrowseForFolderW.SHELL32(?), ref: 0040493E
        • CoTaskMemFree.OLE32(00000000), ref: 00404949
        • lstrcmpiW.KERNEL32(004281E0,00423728,00000000,?,?), ref: 0040497B
        • lstrcatW.KERNEL32(?,004281E0), ref: 00404987
        • SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404999
          • Part of subcall function 004059F6: GetDlgItemTextW.USER32(?,?,00000400,004049D0), ref: 00405A09
          • Part of subcall function 00406644: CharNextW.USER32(?,*?|<>/":,00000000,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00435000,00403464,C:\Users\user\AppData\Local\Temp\,75573420,004036D5,?,00000006,00000008,0000000A), ref: 004066A7
          • Part of subcall function 00406644: CharNextW.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 004066B6
          • Part of subcall function 00406644: CharNextW.USER32(?,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00435000,00403464,C:\Users\user\AppData\Local\Temp\,75573420,004036D5,?,00000006,00000008,0000000A), ref: 004066BB
          • Part of subcall function 00406644: CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00435000,00403464,C:\Users\user\AppData\Local\Temp\,75573420,004036D5,?,00000006,00000008,0000000A), ref: 004066CE
        • GetDiskFreeSpaceW.KERNEL32(004216F8,?,?,0000040F,?,004216F8,004216F8,?,00000001,004216F8,?,?,000003FB,?), ref: 00404A5C
        • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404A77
          • Part of subcall function 00404BD0: lstrlenW.KERNEL32(00423728,00423728,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404C71
          • Part of subcall function 00404BD0: wsprintfW.USER32 ref: 00404C7A
          • Part of subcall function 00404BD0: SetDlgItemTextW.USER32(?,00423728), ref: 00404C8D
        Similarity
        • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
        • String ID: (7B$A
        • API String ID: 2624150263-3645020878
        • Opcode ID: bb96e213a8496881424259e6cbd0bd6d23bc34faf1090de0b5dc68148581936d
        • Instruction ID: 8d8d1438250e4d518a9e2371570913b63a9457987511b3c3302aefac7d34506d
        • Opcode Fuzzy Hash: bb96e213a8496881424259e6cbd0bd6d23bc34faf1090de0b5dc68148581936d
        • Instruction Fuzzy Hash: B3A184F1A00209ABDB119FA5CD45AAF77B8EF84314F14843BFA01B62D1D77C99418B6D
        APIs
        • DeleteFileW.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\,75572EE0,00000000), ref: 00405AE7
        • lstrcatW.KERNEL32(00425730,\*.*,00425730,?,?,C:\Users\user\AppData\Local\Temp\,75572EE0,00000000), ref: 00405B2F
        • lstrcatW.KERNEL32(?,0040A014,?,00425730,?,?,C:\Users\user\AppData\Local\Temp\,75572EE0,00000000), ref: 00405B52
        • lstrlenW.KERNEL32(?,?,0040A014,?,00425730,?,?,C:\Users\user\AppData\Local\Temp\,75572EE0,00000000), ref: 00405B58
        • FindFirstFileW.KERNEL32(00425730,?,?,?,0040A014,?,00425730,?,?,C:\Users\user\AppData\Local\Temp\,75572EE0,00000000), ref: 00405B68
        • FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405C08
        • FindClose.KERNEL32(00000000), ref: 00405C17
        Similarity
        • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
        • String ID: 0WB$C:\Users\user\AppData\Local\Temp\$\*.*
        • API String ID: 2035342205-1432729950
        • Opcode ID: 58a57db92e176234dfdcd795847984f950d089582b805def6a4191489bc931e7
        • Instruction ID: 07f17dd178ac6d8b62b8dc139a3c49ba2dacd8a3a96bf447fe2624e5f5ce8b98
        • Opcode Fuzzy Hash: 58a57db92e176234dfdcd795847984f950d089582b805def6a4191489bc931e7
        • Instruction Fuzzy Hash: 1741D030904A18A6DB21AB618D89FBF7678EF42719F50813BF801B11D1D77C5982DEAE
        Similarity
        • Opcode ID: 3c070ca994c387dc491d90c6da3338e95d076c4c889754936ff9c01511acbaf1
        • Instruction ID: 906bff5cfe4bf8fc25f5c52b70697fc94252e662920e9b50785524ea690ef068
        • Opcode Fuzzy Hash: 3c070ca994c387dc491d90c6da3338e95d076c4c889754936ff9c01511acbaf1
        • Instruction Fuzzy Hash: EBF17870D04229CBDF18CFA8C8946ADBBB1FF44305F15816ED856BB281D7386A86DF45
        APIs
        • FindFirstFileW.KERNEL32(?,00426778,00425F30,00405DD2,00425F30,00425F30,00000000,00425F30,00425F30,?,?,75572EE0,00405ADE,?,C:\Users\user\AppData\Local\Temp\,75572EE0), ref: 004066FE
        • FindClose.KERNEL32(00000000), ref: 0040670A
        Similarity
        • API ID: Find$CloseFileFirst
        • String ID: xgB
        • API String ID: 2295610775-399326502
        • Opcode ID: 8f8798618dbeb96281b7e152f222c6bef4cfc1fb78c0b92afc6d3f182eb863fd
        • Instruction ID: 551d457f2096baf6d1028c2489454c6ec1272a262abf728b5c7319079dd029a3
        • Opcode Fuzzy Hash: 8f8798618dbeb96281b7e152f222c6bef4cfc1fb78c0b92afc6d3f182eb863fd
        • Instruction Fuzzy Hash: DBD012315090209BC201173CBE4C85B7A989F953397128B37B466F71E0C7348C638AE8
        APIs
        • CoCreateInstance.OLE32(004084DC,?,00000001,004084CC,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 0040217D
        Similarity
        • API ID: CreateInstance
        • String ID:
        • API String ID: 542301482-0
        • Opcode ID: b0ea43b9426127999627eda76c13f447508a6f765bd63d1d7bcf9639832b8e12
        • Instruction ID: fcf7de762e0310186ccf97c85ab7d5ba58e988de4da68cff16f28a22b081737a
        • Opcode Fuzzy Hash: b0ea43b9426127999627eda76c13f447508a6f765bd63d1d7bcf9639832b8e12
        • Instruction Fuzzy Hash: EE414A75A00208AFCB10DFE4C988AAEBBB5FF48314F20457AF515EB2D1DB799941CB44
        APIs
        • FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 00402871
        Similarity
        • API ID: FileFindFirst
        • String ID:
        • API String ID: 1974802433-0
        • Opcode ID: 338ad2205bc69ca6630c18a290efee1c814df0dee72b7cae36df8742cac839e5
        • Instruction ID: 1506565ccd7b679c7f55cec76d0c208d7a3b57e4c41f2eb52868ec6bdbdc004a
        • Opcode Fuzzy Hash: 338ad2205bc69ca6630c18a290efee1c814df0dee72b7cae36df8742cac839e5
        • Instruction Fuzzy Hash: 38F05E71A04104ABD710EBA4DA499ADB368EF00314F2005BBF541F21D1D7B84D919B2A

        Control-flow Graph
        • Function at 00403E6C (basic blocks 403e6c-40431b): the rendered graph is not recoverable here and its block-edge listing is omitted; the APIs it reaches are listed below.
        APIs
        • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403EA8
        • ShowWindow.USER32(?), ref: 00403EC5
        • DestroyWindow.USER32 ref: 00403ED9
        • SetWindowLongW.USER32(?,00000000,00000000), ref: 00403EF5
        • GetDlgItem.USER32(?,?), ref: 00403F16
        • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403F2A
        • IsWindowEnabled.USER32(00000000), ref: 00403F31
        • GetDlgItem.USER32(?,00000001), ref: 00403FDF
        • GetDlgItem.USER32(?,00000002), ref: 00403FE9
        • SetClassLongW.USER32(?,000000F2,?), ref: 00404003
        • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00404054
        • GetDlgItem.USER32(?,00000003), ref: 004040FA
        • ShowWindow.USER32(00000000,?), ref: 0040411B
        • EnableWindow.USER32(?,?), ref: 0040412D
        • EnableWindow.USER32(?,?), ref: 00404148
        • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 0040415E
        • EnableMenuItem.USER32(00000000), ref: 00404165
        • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 0040417D
        • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 00404190
        • lstrlenW.KERNEL32(00423728,?,00423728,00000000), ref: 004041BA
        • SetWindowTextW.USER32(?,00423728), ref: 004041CE
        • ShowWindow.USER32(?,0000000A), ref: 00404302
        Similarity
        • API ID: Window$Item$MessageSend$EnableShow$LongMenu$ClassDestroyEnabledSystemTextlstrlen
        • String ID: (7B
        • API String ID: 184305955-3251261122
        • Opcode ID: 853a3c556af8ee6f402cdef99284162f96bb5dd837bc7c3dcbbd131c320c4d43
        • Instruction ID: 85a8b1cb5875a9f0130709c86f20b78f231723f1bf47f2e7597622744019d293
        • Opcode Fuzzy Hash: 853a3c556af8ee6f402cdef99284162f96bb5dd837bc7c3dcbbd131c320c4d43
        • Instruction Fuzzy Hash: 88C1A1B1640200FFDB216F61EE85D2B3BA8EB95305F40053EFA41B21F0CB7959529B6E

        Control-flow Graph
        • Function at 00403ABE (basic blocks 403abe-403d93): the rendered graph is not recoverable here and its block-edge listing is omitted; the APIs it reaches are listed below.
        APIs
          • Part of subcall function 0040678A: GetModuleHandleA.KERNEL32(?,00000020,?,004034FB,0000000A), ref: 0040679C
          • Part of subcall function 0040678A: GetProcAddress.KERNEL32(00000000,?), ref: 004067B7
        • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsiA846.tmp,00423728,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423728,00000000,00000002,C:\Users\user\AppData\Local\Temp\,75573420,00435000,00000000), ref: 00403B3F
        • lstrlenW.KERNEL32(004281E0,?,?,?,004281E0,00000000,00435800,C:\Users\user\AppData\Local\Temp\nsiA846.tmp,00423728,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423728,00000000,00000002,C:\Users\user\AppData\Local\Temp\), ref: 00403BBF
        • lstrcmpiW.KERNEL32(004281D8,.exe,004281E0,?,?,?,004281E0,00000000,00435800,C:\Users\user\AppData\Local\Temp\nsiA846.tmp,00423728,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423728,00000000), ref: 00403BD2
        • GetFileAttributesW.KERNEL32(004281E0), ref: 00403BDD
        • LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,00435800), ref: 00403C26
          • Part of subcall function 004062F7: wsprintfW.USER32 ref: 00406304
        • RegisterClassW.USER32(004291E0), ref: 00403C63
        • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403C7B
        • CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403CB0
        • ShowWindow.USER32(00000005,00000000), ref: 00403CE6
        • GetClassInfoW.USER32(00000000,RichEdit20W,004291E0), ref: 00403D12
        • GetClassInfoW.USER32(00000000,RichEdit,004291E0), ref: 00403D1F
        • RegisterClassW.USER32(004291E0), ref: 00403D28
        • DialogBoxParamW.USER32(?,00000000,00403E6C,00000000), ref: 00403D47
        Similarity
        • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
        • String ID: (7B$.DEFAULT\Control Panel\International$.exe$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nsiA846.tmp$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
        • API String ID: 1975747703-4010737094
        • Opcode ID: d3db0d3121add4d66fb87f4acf5a2b639ba72fc1abb7dffbf764bd30cccda0a2
        • Instruction ID: afe91a4761cf59ebc4b7da6c1f2e4a45d87dcf75ce704844472433b73fc63153
        • Opcode Fuzzy Hash: d3db0d3121add4d66fb87f4acf5a2b639ba72fc1abb7dffbf764bd30cccda0a2
        • Instruction Fuzzy Hash: 81619370200601BED720AF669D46E2B3A7CEB84B49F40447FFD45B62E2DB7D9912862D

        Control-flow Graph
        • Function at 004044E2 (basic blocks 4044e2-40476a): the rendered graph is not recoverable here and its block-edge listing is omitted; the APIs it reaches are listed below.
        APIs
        • CheckDlgButton.USER32(?,-0000040A,00000001), ref: 00404580
        • GetDlgItem.USER32(?,000003E8), ref: 00404594
        • SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 004045B1
        • GetSysColor.USER32(?), ref: 004045C2
        • SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004045D0
        • SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004045DE
        • lstrlenW.KERNEL32(?), ref: 004045E3
        • SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004045F0
        • SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 00404605
        • GetDlgItem.USER32(?,0000040A), ref: 0040465E
        • SendMessageW.USER32(00000000), ref: 00404665
        • GetDlgItem.USER32(?,000003E8), ref: 00404690
        • SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 004046D3
        • LoadCursorW.USER32(00000000,00007F02), ref: 004046E1
        • SetCursor.USER32(00000000), ref: 004046E4
        • LoadCursorW.USER32(00000000,00007F00), ref: 004046FD
        • SetCursor.USER32(00000000), ref: 00404700
        • SendMessageW.USER32(00000111,00000001,00000000), ref: 0040472F
        • SendMessageW.USER32(00000010,00000000,00000000), ref: 00404741
        Memory Dump Source
        • Source File: 00000000.00000002.1416137763.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1416108436.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1416168892.0000000000408000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1416200780.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1416200780.0000000000418000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1416200780.0000000000427000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1416200780.0000000000437000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1416898556.0000000000457000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_Shiits.jbxd
        Similarity
        • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
        • String ID: N$YD@
        • API String ID: 3103080414-2400581618
        • Opcode ID: 777072e4300f85645cf7ffde5545d8883defabb32dd208014d98b1e23baa6229
        • Instruction ID: b733f22c3e4a4344af423a89e947fb2470a434e6d87e1c723dfed1fecd84da00
        • Opcode Fuzzy Hash: 777072e4300f85645cf7ffde5545d8883defabb32dd208014d98b1e23baa6229
        • Instruction Fuzzy Hash: E16172B1A00209BFDB109F60DD85AAA7B69FB85354F00813AFB05BB1E0D7789951CF58
        APIs
        • DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
        • BeginPaint.USER32(?,?), ref: 00401047
        • GetClientRect.USER32(?,?), ref: 0040105B
        • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
        • FillRect.USER32(00000000,?,00000000), ref: 004010E4
        • DeleteObject.GDI32(?), ref: 004010ED
        • CreateFontIndirectW.GDI32(?), ref: 00401105
        • SetBkMode.GDI32(00000000,00000001), ref: 00401126
        • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
        • SelectObject.GDI32(00000000,?), ref: 00401140
        • DrawTextW.USER32(00000000,00429240,000000FF,00000010,00000820), ref: 00401156
        • SelectObject.GDI32(00000000,00000000), ref: 00401160
        • DeleteObject.GDI32(?), ref: 00401165
        • EndPaint.USER32(?,?), ref: 0040116E
        Similarity
        • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
        • String ID: F
        • API String ID: 941294808-1304234792
        • Opcode ID: a62f14d8607f0cab4b909ce482175ba86ddefa50def87cd09a38214d4056f576
        • Instruction ID: b35030fe9107d9a8359b932f7918d2348922827c9ca57aaae851fe5b21190c6b
        • Opcode Fuzzy Hash: a62f14d8607f0cab4b909ce482175ba86ddefa50def87cd09a38214d4056f576
        • Instruction Fuzzy Hash: 92418A71800249AFCF058FA5DE459AFBBB9FF44310F00842AF991AA1A0C738E955DFA4
        APIs
        • GetTickCount.KERNEL32 ref: 00402F28
        • GetModuleFileNameW.KERNEL32(00000000,00438800,00000400), ref: 00402F44
          • Part of subcall function 00405EA2: GetFileAttributesW.KERNELBASE(00000003,00402F57,00438800,80000000,00000003), ref: 00405EA6
          • Part of subcall function 00405EA2: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405EC8
        • GetFileSize.KERNEL32(00000000,00000000,00439000,00000000,00436800,00436800,00438800,00438800,80000000,00000003), ref: 00402F8D
        • GlobalAlloc.KERNEL32(00000040,0040A230), ref: 004030D4
        Strings
        • Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 0040316B
        • Null, xrefs: 0040300D
        • Error launching installer, xrefs: 00402F64
        • C:\Users\user\AppData\Local\Temp\, xrefs: 00402F21, 004030EC
        • soft, xrefs: 00403004
        • Error writing temporary file. Make sure your temp folder is valid., xrefs: 0040311D
        • Inst, xrefs: 00402FFB
        Similarity
        • API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
        • String ID: C:\Users\user\AppData\Local\Temp\$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
        • API String ID: 2803837635-2728130582
        • Opcode ID: b18acff72f02ea0088e0f0df401ccaed74f4a3352496cd5cd42df63db5d16f65
        • Instruction ID: 409c8f22eebac3ceeba7cf51205c68f93d68dba00e9ec32c8e3ebc1c19b8881b
        • Opcode Fuzzy Hash: b18acff72f02ea0088e0f0df401ccaed74f4a3352496cd5cd42df63db5d16f65
        • Instruction Fuzzy Hash: 8D61E031A00204ABDB20EF65DD85A9A7BA8EB04355F20817FF901F72D0C77C9A418BAD
        APIs
        • CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,00406197,?,?), ref: 00406037
        • GetShortPathNameW.KERNEL32(?,00426DC8,00000400), ref: 00406040
          • Part of subcall function 00405E07: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,004060F0,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E17
          • Part of subcall function 00405E07: lstrlenA.KERNEL32(00000000,?,00000000,004060F0,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E49
        • GetShortPathNameW.KERNEL32(?,004275C8,00000400), ref: 0040605D
        • wsprintfA.USER32 ref: 0040607B
        • GetFileSize.KERNEL32(00000000,00000000,004275C8,C0000000,00000004,004275C8,?,?,?,?,?), ref: 004060B6
        • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 004060C5
        • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004060FD
        • SetFilePointer.KERNEL32(0040A590,00000000,00000000,00000000,00000000,004269C8,00000000,-0000000A,0040A590,00000000,[Rename],00000000,00000000,00000000), ref: 00406153
        • GlobalFree.KERNEL32(00000000), ref: 00406164
        • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0040616B
          • Part of subcall function 00405EA2: GetFileAttributesW.KERNELBASE(00000003,00402F57,00438800,80000000,00000003), ref: 00405EA6
          • Part of subcall function 00405EA2: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405EC8
        Similarity
        • API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
        • String ID: %ls=%ls$[Rename]
        • API String ID: 2171350718-461813615
        • Opcode ID: bc28a8ad1a6adddbe70caed41eb6b9690640b3b2c44ce9cdbc76f8cf5a084b7d
        • Instruction ID: 7a97944e4ecdd21f919348e7cfc29446421eaa6be6f71a8f5a2bdcac5b6ce208
        • Opcode Fuzzy Hash: bc28a8ad1a6adddbe70caed41eb6b9690640b3b2c44ce9cdbc76f8cf5a084b7d
        • Instruction Fuzzy Hash: 953139703007157BC2206B259D49F673A6CEF45714F15003AFA42FA2D2DE7C992586AD
        APIs
        • GetSystemDirectoryW.KERNEL32(004281E0,00000400), ref: 00406513
        • GetWindowsDirectoryW.KERNEL32(004281E0,00000400,00000000,00422708,?,0040544B,00422708,00000000), ref: 00406526
        • SHGetSpecialFolderLocation.SHELL32(0040544B,00000000,00000000,00422708,?,0040544B,00422708,00000000), ref: 00406562
        • SHGetPathFromIDListW.SHELL32(00000000,004281E0), ref: 00406570
        • CoTaskMemFree.OLE32(00000000), ref: 0040657B
        • lstrcatW.KERNEL32(004281E0,\Microsoft\Internet Explorer\Quick Launch), ref: 004065A1
        • lstrlenW.KERNEL32(004281E0,00000000,00422708,?,0040544B,00422708,00000000), ref: 004065F9
        Strings
        • \Microsoft\Internet Explorer\Quick Launch, xrefs: 0040659B
        • Software\Microsoft\Windows\CurrentVersion, xrefs: 004064E3
        Similarity
        • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
        • String ID: Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
        • API String ID: 717251189-730719616
        • Opcode ID: e36355194c0ac44000380462c6850a236b3b3342d4e35d3608ced443cfa8c430
        • Instruction ID: 781aa6555cb08bc9a39a1310e2b7c8a7a94b670d8f790df7948cd7d686d0a9f3
        • Opcode Fuzzy Hash: e36355194c0ac44000380462c6850a236b3b3342d4e35d3608ced443cfa8c430
        • Instruction Fuzzy Hash: 52611771600101ABDF209F54ED40ABE37A5AF40314F56453FE947B62D4D73D8AA2CB5D
        APIs
        • GetWindowLongW.USER32(?,000000EB), ref: 004043C9
        • GetSysColor.USER32(00000000), ref: 004043E5
        • SetTextColor.GDI32(?,00000000), ref: 004043F1
        • SetBkMode.GDI32(?,?), ref: 004043FD
        • GetSysColor.USER32(?), ref: 00404410
        • SetBkColor.GDI32(?,?), ref: 00404420
        • DeleteObject.GDI32(?), ref: 0040443A
        • CreateBrushIndirect.GDI32(?), ref: 00404444
        Similarity
        • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
        • String ID:
        • API String ID: 2320649405-0
        • Opcode ID: d93bb5df8f2b76ccefaad0a5d1bb7d3eec77da1dbbaa67d130298efb7d8eee66
        • Instruction ID: 701ae6dfa2b2a9365c03cf2c9b1b76f0db24f0feb35c46e7544c905291b2d973
        • Opcode Fuzzy Hash: d93bb5df8f2b76ccefaad0a5d1bb7d3eec77da1dbbaa67d130298efb7d8eee66
        • Instruction Fuzzy Hash: 4B216671500704AFCB219F68DE48B5BBBF8AF81714F04893EED95E22A1D774E944CB54
        APIs
        • ReadFile.KERNEL32(?,?,?,?), ref: 004026B0
        • MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 004026EB
        • SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 0040270E
        • MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 00402724
          • Part of subcall function 00405F83: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00405F99
        • SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 004027D0
        Similarity
        • API ID: File$Pointer$ByteCharMultiWide$Read
        • String ID: 9
        • API String ID: 163830602-2366072709
        • Opcode ID: 9f6f6be0dbdb62f1cf4172f30af1bc5520461a1ec0f437dc2a8e21b892ed2c5d
        • Instruction ID: c360ee4afea2d2749c5a2d2d3cba589ababf6fe072d155cbc4f623872b1d9462
        • Opcode Fuzzy Hash: 9f6f6be0dbdb62f1cf4172f30af1bc5520461a1ec0f437dc2a8e21b892ed2c5d
        • Instruction Fuzzy Hash: 2E51F874D0021AAADF20DFA5DA88AAEB779FF04304F50443BE511B72D0D7B899828B58
        APIs
        • lstrlenW.KERNEL32(00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EEC,00000000,?), ref: 0040544C
        • lstrlenW.KERNEL32(00402EEC,00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EEC,00000000), ref: 0040545C
        • lstrcatW.KERNEL32(00422708,00402EEC,00402EEC,00422708,00000000,00000000,00000000), ref: 0040546F
        • SetWindowTextW.USER32(00422708,00422708), ref: 00405481
        • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004054A7
        • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004054C1
        • SendMessageW.USER32(?,00001013,?,00000000), ref: 004054CF
        Similarity
        • API ID: MessageSend$lstrlen$TextWindowlstrcat
        • String ID:
        • API String ID: 2531174081-0
        • Opcode ID: bb55d4159f20ec7dd7a157066d7d210ceb3b30911e3bcf83f8d5e5ffb0c0adb7
        • Instruction ID: b4c9d1203d7b93b364d12d55a96473d81469f1a16e33619bfa53f57c996d0385
        • Opcode Fuzzy Hash: bb55d4159f20ec7dd7a157066d7d210ceb3b30911e3bcf83f8d5e5ffb0c0adb7
        • Instruction Fuzzy Hash: 0E219071900518BACF119FA5DD85ADFBFB4EF45364F10803AF904B62A0C3794A90CFA8
        APIs
        • CharNextW.USER32(?,*?|<>/":,00000000,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00435000,00403464,C:\Users\user\AppData\Local\Temp\,75573420,004036D5,?,00000006,00000008,0000000A), ref: 004066A7
        • CharNextW.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 004066B6
        • CharNextW.USER32(?,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00435000,00403464,C:\Users\user\AppData\Local\Temp\,75573420,004036D5,?,00000006,00000008,0000000A), ref: 004066BB
        • CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00435000,00403464,C:\Users\user\AppData\Local\Temp\,75573420,004036D5,?,00000006,00000008,0000000A), ref: 004066CE
        Similarity
        • API ID: Char$Next$Prev
        • String ID: *?|<>/":$C:\Users\user\AppData\Local\Temp\
        • API String ID: 589700163-2246974252
        • Opcode ID: 77b224228f8c57f44dbd024cb25da7c2d773c522f2af8fdd1da9e6af7933f215
        • Instruction ID: 91382b34e261ab6a6b837a41ec70345278d3faa82d58aea2d88f3062b19e38b1
        • Opcode Fuzzy Hash: 77b224228f8c57f44dbd024cb25da7c2d773c522f2af8fdd1da9e6af7933f215
        • Instruction Fuzzy Hash: 8C11E61580070295DB302B149C40E7766B8EF587A4F12483FED86B32C0E77E4CD286AD
        APIs
        • DestroyWindow.USER32(00000000,00000000), ref: 00402E8D
        • GetTickCount.KERNEL32 ref: 00402EAB
        • wsprintfW.USER32 ref: 00402ED9
          • Part of subcall function 00405414: lstrlenW.KERNEL32(00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EEC,00000000,?), ref: 0040544C
          • Part of subcall function 00405414: lstrlenW.KERNEL32(00402EEC,00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EEC,00000000), ref: 0040545C
          • Part of subcall function 00405414: lstrcatW.KERNEL32(00422708,00402EEC,00402EEC,00422708,00000000,00000000,00000000), ref: 0040546F
          • Part of subcall function 00405414: SetWindowTextW.USER32(00422708,00422708), ref: 00405481
          • Part of subcall function 00405414: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004054A7
          • Part of subcall function 00405414: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004054C1
          • Part of subcall function 00405414: SendMessageW.USER32(?,00001013,?,00000000), ref: 004054CF
        • CreateDialogParamW.USER32(0000006F,00000000,00402DD7,00000000), ref: 00402EFD
        • ShowWindow.USER32(00000000,00000005), ref: 00402F0B
          • Part of subcall function 00402E56: MulDiv.KERNEL32(0002A400,00000064,0006EE62), ref: 00402E6B
        Similarity
        • API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
        • String ID: ... %d%%
        • API String ID: 722711167-2449383134
        • Opcode ID: 9d96e1b775b00f8f1aa504ccf668d13eff31e418fbd4a6343fc61565dbea9545
        • Instruction ID: c2ec4548d439a14d597b05689786213ff5532ac021c242b5895b0761ec4a5705
        • Opcode Fuzzy Hash: 9d96e1b775b00f8f1aa504ccf668d13eff31e418fbd4a6343fc61565dbea9545
        • Instruction Fuzzy Hash: 0501C430440724EBCB31AB60EF4CB9B7B68AB00B44B50417FF945F12E0CAB844558BEE
        APIs
        • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404CF9
        • GetMessagePos.USER32 ref: 00404D01
        • ScreenToClient.USER32(?,?), ref: 00404D1B
        • SendMessageW.USER32(?,00001111,00000000,?), ref: 00404D2D
        • SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404D53
        Similarity
        • API ID: Message$Send$ClientScreen
        • String ID: f
        • API String ID: 41195575-1993550816
        • Opcode ID: e2d2d6aa42d138b4bf43a857dc2fb8cfa63f2fbdf5f441295addbf44c9bf4daa
        • Instruction ID: b067d4b0ecc7c77c1c3f0caef97ada8ed48413e9bef28a1d47140c0a876cf8aa
        • Opcode Fuzzy Hash: e2d2d6aa42d138b4bf43a857dc2fb8cfa63f2fbdf5f441295addbf44c9bf4daa
        • Instruction Fuzzy Hash: AD015E71A0021DBADB00DB94DD85BFEBBBCAF95715F10412BBA50B62D0C7B899018BA4
        APIs
        • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402DF5
        • wsprintfW.USER32 ref: 00402E29
        • SetWindowTextW.USER32(?,?), ref: 00402E39
        • SetDlgItemTextW.USER32(?,00000406,?), ref: 00402E4B
        Similarity
        • API ID: Text$ItemTimerWindowwsprintf
        • String ID: unpacking data: %d%%$verifying installer: %d%%
        • API String ID: 1451636040-1158693248
        • Opcode ID: 5563c221c1669b5fd2184c8b70bdefae7b5ad080d5cf5862aa05c867891839d9
        • Instruction ID: 0bc749b122006b2f9f6abad3e9991ed6065550717762caf8ffdc158a825a6066
        • Opcode Fuzzy Hash: 5563c221c1669b5fd2184c8b70bdefae7b5ad080d5cf5862aa05c867891839d9
        • Instruction Fuzzy Hash: 69F0367154020DABDF206F50DD4ABEA3B69FB00714F00803AFA06B51D0DBFD55598F99
        APIs
        • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000), ref: 004028FB
        • GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 00402917
        • GlobalFree.KERNEL32(?), ref: 00402950
        • GlobalFree.KERNEL32(00000000), ref: 00402963
        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,000000F0), ref: 0040297B
        • DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000), ref: 0040298F
        Similarity
        • API ID: Global$AllocFree$CloseDeleteFileHandle
        • String ID:
        • API String ID: 2667972263-0
        • Opcode ID: 456daf24ba6bc504b003f5cd3f9106cb76bc591f325cec3fa9e516ede31b80e9
        • Instruction ID: c824e8dfb1c84b3956194132b72a9c46ff30f807773af65f81dcebc4e122496d
        • Opcode Fuzzy Hash: 456daf24ba6bc504b003f5cd3f9106cb76bc591f325cec3fa9e516ede31b80e9
        • Instruction Fuzzy Hash: 6521BFB1800128BBDF216FA5DE49D9E7E79EF09364F10023AF960762E0CB7949418B98
        APIs
        • lstrlenW.KERNEL32(00423728,00423728,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404C71
        • wsprintfW.USER32 ref: 00404C7A
        • SetDlgItemTextW.USER32(?,00423728), ref: 00404C8D
        Similarity
        • API ID: ItemTextlstrlenwsprintf
        • String ID: %u.%u%s%s$(7B
        • API String ID: 3540041739-1320723960
        • Opcode ID: 3556ab9b25c9fd353ad00aebb64783684b98fb4b4fd3606fc9fd8df1e6bf5bc0
        • Instruction ID: 703546cccce40a16f7c4e0327b319c47dc4604cc2262111db7ea86f65ec4581c
        • Opcode Fuzzy Hash: 3556ab9b25c9fd353ad00aebb64783684b98fb4b4fd3606fc9fd8df1e6bf5bc0
        • Instruction Fuzzy Hash: 0911E7736041287BEB00556DAD46EAF329CDB85374F254237FA66F31D1DA79CC2182E8
        APIs
        • lstrcatW.KERNEL32(00000000,00000000,0040A5D8,00436000,?,?,00000031), ref: 004017B0
        • CompareFileTime.KERNEL32(-00000014,?,0040A5D8,0040A5D8,00000000,00000000,0040A5D8,00436000,?,?,00000031), ref: 004017D5
          • Part of subcall function 004063B0: lstrcpynW.KERNEL32(?,?,00000400,0040355A,00429240,NSIS Error,?,00000006,00000008,0000000A), ref: 004063BD
          • Part of subcall function 00405414: lstrlenW.KERNEL32(00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EEC,00000000,?), ref: 0040544C
          • Part of subcall function 00405414: lstrlenW.KERNEL32(00402EEC,00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EEC,00000000), ref: 0040545C
          • Part of subcall function 00405414: lstrcatW.KERNEL32(00422708,00402EEC,00402EEC,00422708,00000000,00000000,00000000), ref: 0040546F
          • Part of subcall function 00405414: SetWindowTextW.USER32(00422708,00422708), ref: 00405481
          • Part of subcall function 00405414: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004054A7
          • Part of subcall function 00405414: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004054C1
          • Part of subcall function 00405414: SendMessageW.USER32(?,00001013,?,00000000), ref: 004054CF
        Memory Dump Source
        • Source File: 00000000.00000002.1416137763.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1416108436.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1416168892.0000000000408000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1416200780.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1416200780.0000000000418000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1416200780.0000000000427000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1416200780.0000000000437000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1416898556.0000000000457000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_Shiits.jbxd
        Similarity
        • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
        • String ID:
        • API String ID: 1941528284-0
        • Opcode ID: 19af5bad0bbd58c757540672a75b23039a2354f6a1746a7a72e9310b0743d681
        • Instruction ID: 6d789f9af123ab0f865e5502c846d56d3cd3544f1fa5f1ae7e054fd30d3333f6
        • Opcode Fuzzy Hash: 19af5bad0bbd58c757540672a75b23039a2354f6a1746a7a72e9310b0743d681
        • Instruction Fuzzy Hash: E741D871510115BACF117BA5CD45EAF3679EF01328B20423FF922F10E1DB3C8A519AAE
        APIs
        • GetDC.USER32(?), ref: 00401DB6
        • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401DD0
        • MulDiv.KERNEL32(00000000,00000000), ref: 00401DD8
        • ReleaseDC.USER32(?,00000000), ref: 00401DE9
        • CreateFontIndirectW.GDI32(0040CDE0), ref: 00401E38
        Memory Dump Source
        • Source File: 00000000.00000002.1416137763.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1416108436.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1416168892.0000000000408000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1416200780.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1416200780.0000000000418000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1416200780.0000000000427000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1416200780.0000000000437000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1416898556.0000000000457000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_Shiits.jbxd
        Similarity
        • API ID: CapsCreateDeviceFontIndirectRelease
        • String ID:
        • API String ID: 3808545654-0
        • Opcode ID: d6f3bd06ce70685548754ce76863b6c8a44100532a36dca626fd475c9b03e984
        • Instruction ID: c2f05a2c3ba2ec5405c4fe8fe652dd8f1d703414ee124caa90b8b383e79e86eb
        • Opcode Fuzzy Hash: d6f3bd06ce70685548754ce76863b6c8a44100532a36dca626fd475c9b03e984
        • Instruction Fuzzy Hash: 3201B171904241EFE7006BB0AF4AB9A7FB0BF55301F10493EF242B71E2CAB800469B2D
        APIs
        • GetDlgItem.USER32(?,?), ref: 00401D5D
        • GetClientRect.USER32(00000000,?), ref: 00401D6A
        • LoadImageW.USER32(?,00000000,?,?,?,?), ref: 00401D8B
        • SendMessageW.USER32(00000000,00000172,?,00000000), ref: 00401D99
        • DeleteObject.GDI32(00000000), ref: 00401DA8
        Memory Dump Source
        • Source File: 00000000.00000002.1416137763.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1416108436.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1416168892.0000000000408000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1416200780.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1416200780.0000000000418000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1416200780.0000000000427000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1416200780.0000000000437000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1416898556.0000000000457000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_Shiits.jbxd
        Similarity
        • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
        • String ID:
        • API String ID: 1849352358-0
        • Opcode ID: b47ab1c1ae988305704e559d6771aa278b1168f33749fe1755fe3374a0ace47b
        • Instruction ID: a606f7d5b7d9f25f85f3a996f6cf1d54ca927bfb9af82e5c1f6e8eb7e31f2730
        • Opcode Fuzzy Hash: b47ab1c1ae988305704e559d6771aa278b1168f33749fe1755fe3374a0ace47b
        • Instruction Fuzzy Hash: 88F0FF72604518AFDB01DBE4DF88CEEB7BCEB08341B14047AF641F61A1CA749D518B78
        APIs
        • SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C89
        • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CA1
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.1416137763.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1416108436.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1416168892.0000000000408000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1416200780.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1416200780.0000000000418000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1416200780.0000000000427000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1416200780.0000000000437000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1416898556.0000000000457000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_Shiits.jbxd
        Similarity
        • API ID: MessageSend$Timeout
        • String ID: !
        • API String ID: 1777923405-2657877971
        • Opcode ID: 8f57c4960d5009b47da13ac1dbf9672dc76c0f1a0d468b1b2fcc5bc99a892ac9
        • Instruction ID: 90968196233f782bf8ff3785c90d26ea0bd53ded382d002e8ee2e27c6658862d
        • Opcode Fuzzy Hash: 8f57c4960d5009b47da13ac1dbf9672dc76c0f1a0d468b1b2fcc5bc99a892ac9
        • Instruction Fuzzy Hash: 6121C171948209AEEF05EFA5CE4AABE7BB4EF84308F14443EF502B61D0D7B84541DB28
        APIs
        • lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403476,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,75573420,004036D5,?,00000006,00000008,0000000A), ref: 00405C87
        • CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,00403476,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,75573420,004036D5,?,00000006,00000008,0000000A), ref: 00405C91
        • lstrcatW.KERNEL32(?,0040A014,?,00000006,00000008,0000000A), ref: 00405CA3
        Strings
        • C:\Users\user\AppData\Local\Temp\, xrefs: 00405C81
        Memory Dump Source
        • Source File: 00000000.00000002.1416137763.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1416108436.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1416168892.0000000000408000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1416200780.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1416200780.0000000000418000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1416200780.0000000000427000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1416200780.0000000000437000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1416898556.0000000000457000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_Shiits.jbxd
        Similarity
        • API ID: CharPrevlstrcatlstrlen
        • String ID: C:\Users\user\AppData\Local\Temp\
        • API String ID: 2659869361-4083868402
        • Opcode ID: 2d89e3346713fcbf25affea4869717dbbf7bb0cb650dc976aff6b925dbbb9e25
        • Instruction ID: 792cc20aee96bfe2db1a273563d78520df22e3750eb0c1a77993888458b10d09
        • Opcode Fuzzy Hash: 2d89e3346713fcbf25affea4869717dbbf7bb0cb650dc976aff6b925dbbb9e25
        • Instruction Fuzzy Hash: DBD0A731111631AAC1116B458D05CDF769C9F46315342143BF501B30A1C77C1D6187FD
        APIs
        • RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402D8F
        • RegCloseKey.ADVAPI32(?), ref: 00402D98
        • RegCloseKey.ADVAPI32(?), ref: 00402DB9
        Memory Dump Source
        • Source File: 00000000.00000002.1416137763.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1416108436.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1416168892.0000000000408000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1416200780.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1416200780.0000000000418000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1416200780.0000000000427000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1416200780.0000000000437000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1416898556.0000000000457000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_Shiits.jbxd
        Similarity
        • API ID: Close$Enum
        • String ID:
        • API String ID: 464197530-0
        • Opcode ID: 589b69b30b93e72d379e73a42f84ccf1a961e1a5d2401dd27ca86d8d7f2ff702
        • Instruction ID: 0f4b1bf7762f76a333ccd5711aab570045f86c75fcf3a50f9e11fcc9d843940a
        • Opcode Fuzzy Hash: 589b69b30b93e72d379e73a42f84ccf1a961e1a5d2401dd27ca86d8d7f2ff702
        • Instruction Fuzzy Hash: 21116A32540509FBDF129F90CE09BEE7B69EF58344F110076B905B50E0E7B5DE21AB68
        APIs
        • CreateDirectoryW.KERNEL32(?,?,00000000), ref: 00405926
        • GetLastError.KERNEL32 ref: 0040593A
        • SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 0040594F
        • GetLastError.KERNEL32 ref: 00405959
        Memory Dump Source
        • Source File: 00000000.00000002.1416137763.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1416108436.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1416168892.0000000000408000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1416200780.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1416200780.0000000000418000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1416200780.0000000000427000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1416200780.0000000000437000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1416898556.0000000000457000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_Shiits.jbxd
        Similarity
        • API ID: ErrorLast$CreateDirectoryFileSecurity
        • String ID:
        • API String ID: 3449924974-0
        • Opcode ID: 4e538d1c76d2fdfb7cd0fd00a6572ed9e7029d57e55293966324597acc96cb40
        • Instruction ID: c49c088e9ba2396d105a9c54abfe353073567d613583196498a7e7de041cdc41
        • Opcode Fuzzy Hash: 4e538d1c76d2fdfb7cd0fd00a6572ed9e7029d57e55293966324597acc96cb40
        • Instruction Fuzzy Hash: C8011AB1C10619DADF009FA1C9487EFBFB4EF14354F00403AD545B6291D7789618CFA9
        APIs
          • Part of subcall function 004063B0: lstrcpynW.KERNEL32(?,?,00000400,0040355A,00429240,NSIS Error,?,00000006,00000008,0000000A), ref: 004063BD
          • Part of subcall function 00405D2C: CharNextW.USER32(?,?,00425F30,?,00405DA0,00425F30,00425F30,?,?,75572EE0,00405ADE,?,C:\Users\user\AppData\Local\Temp\,75572EE0,00000000), ref: 00405D3A
          • Part of subcall function 00405D2C: CharNextW.USER32(00000000), ref: 00405D3F
          • Part of subcall function 00405D2C: CharNextW.USER32(00000000), ref: 00405D57
        • lstrlenW.KERNEL32(00425F30,00000000,00425F30,00425F30,?,?,75572EE0,00405ADE,?,C:\Users\user\AppData\Local\Temp\,75572EE0,00000000), ref: 00405DE2
        • GetFileAttributesW.KERNEL32(00425F30,00425F30,00425F30,00425F30,00425F30,00425F30,00000000,00425F30,00425F30,?,?,75572EE0,00405ADE,?,C:\Users\user\AppData\Local\Temp\,75572EE0), ref: 00405DF2
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.1416137763.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1416108436.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1416168892.0000000000408000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1416200780.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1416200780.0000000000418000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1416200780.0000000000427000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1416200780.0000000000437000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1416898556.0000000000457000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_Shiits.jbxd
        Similarity
        • API ID: CharNext$AttributesFilelstrcpynlstrlen
        • String ID: 0_B
        • API String ID: 3248276644-2128305573
        • Opcode ID: 9ab52294f1c51de88c4a4db8473d9fc5f5165192c0b0c0d383058277ec03ae92
        • Instruction ID: 7d5bbe1e5c8c3abe72dbe24b1e5e7d34393fbb328f3a5d3c645332532cfc401b
        • Opcode Fuzzy Hash: 9ab52294f1c51de88c4a4db8473d9fc5f5165192c0b0c0d383058277ec03ae92
        • Instruction Fuzzy Hash: 61F0D125114E6156E62232364D0DBAF1954CE8236474A853BFC51B22D1DB3C8953CDAE
        APIs
        • IsWindowVisible.USER32(?), ref: 004053B7
        • CallWindowProcW.USER32(?,?,?,?), ref: 00405408
          • Part of subcall function 00404391: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004043A3
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.1416137763.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1416108436.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1416168892.0000000000408000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1416200780.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1416200780.0000000000418000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1416200780.0000000000427000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1416200780.0000000000437000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1416898556.0000000000457000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_Shiits.jbxd
        Similarity
        • API ID: Window$CallMessageProcSendVisible
        • String ID:
        • API String ID: 3748168415-3916222277
        • Opcode ID: 7f0b268359981ce96b8471a5d3c832aa899a6e6df9d4a1bd192212e4a6da3699
        • Instruction ID: e7a51b5005e981c4ca122d20ba3fe12824fd99f760bfe42b36e815d14bf77052
        • Opcode Fuzzy Hash: 7f0b268359981ce96b8471a5d3c832aa899a6e6df9d4a1bd192212e4a6da3699
        • Instruction Fuzzy Hash: 5C01717120060DABDF209F11DD84AAB3735EB84395F204037FE457A1D1C7BA8D92AF69
        APIs
        • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00426730,Error launching installer), ref: 004059BE
        • CloseHandle.KERNEL32(?), ref: 004059CB
        Strings
        • Error launching installer, xrefs: 004059A8
        Memory Dump Source
        • Source File: 00000000.00000002.1416137763.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1416108436.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1416168892.0000000000408000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1416200780.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1416200780.0000000000418000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1416200780.0000000000427000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1416200780.0000000000437000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1416898556.0000000000457000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_Shiits.jbxd
        Similarity
        • API ID: CloseCreateHandleProcess
        • String ID: Error launching installer
        • API String ID: 3712363035-66219284
        • Opcode ID: 6d78ed6c6b667bfe634139d4e18f22187190c1a967eebebbcf2d401a0833c7e8
        • Instruction ID: 7702c274cdf70951028335e9b96fa9876c0cc9a795fc840707e03dbfe60e7272
        • Opcode Fuzzy Hash: 6d78ed6c6b667bfe634139d4e18f22187190c1a967eebebbcf2d401a0833c7e8
        • Instruction Fuzzy Hash: B4E046F0A00209BFEB009BA4ED09F7BBAACFB04208F418431BD00F6190D774A8208A78
        APIs
        • FreeLibrary.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00000000,75572EE0,00403A00,75573420,004037FF,00000006,?,00000006,00000008,0000000A), ref: 00403A43
        • GlobalFree.KERNEL32(?), ref: 00403A4A
        Strings
        • C:\Users\user\AppData\Local\Temp\, xrefs: 00403A3B
        Memory Dump Source
        • Source File: 00000000.00000002.1416137763.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1416108436.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1416168892.0000000000408000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1416200780.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1416200780.0000000000418000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1416200780.0000000000427000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1416200780.0000000000437000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1416898556.0000000000457000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_Shiits.jbxd
        Similarity
        • API ID: Free$GlobalLibrary
        • String ID: C:\Users\user\AppData\Local\Temp\
        • API String ID: 1100898210-4083868402
        • Opcode ID: e06207bb45b670d34af272b3fb1259f6a40c1f68299225e6b4906b67dd7614d2
        • Instruction ID: 78aecf43d79df039942bc1d46619d1d902388d1bf991e2316d5006033f35a71e
        • Opcode Fuzzy Hash: e06207bb45b670d34af272b3fb1259f6a40c1f68299225e6b4906b67dd7614d2
        • Instruction Fuzzy Hash: D9E08C32A000205BC6229F45ED04B5E7B6C6F48B22F0A023AE8C07B26087745C82CF88
        Memory Dump Source
        • Source File: 00000000.00000002.1416137763.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1416108436.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1416168892.0000000000408000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1416200780.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1416200780.0000000000418000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1416200780.0000000000427000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1416200780.0000000000437000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1416898556.0000000000457000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_Shiits.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 86ce5b7836e8efc76d9880a3b815598044ae852516a7a266a4593ffa0bd4c046
        • Instruction ID: 1a1db7b112f5c349f32c040b215ce8adb2231ea54f988815808aa67dfaaa6b76
        • Opcode Fuzzy Hash: 86ce5b7836e8efc76d9880a3b815598044ae852516a7a266a4593ffa0bd4c046
        • Instruction Fuzzy Hash: 6AA15271E04228CBDF28CFA8C8446ADBBB1FF44305F14816ED856BB281D7786A86DF45
        Memory Dump Source
        • Source File: 00000000.00000002.1416137763.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1416108436.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1416168892.0000000000408000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1416200780.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1416200780.0000000000418000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1416200780.0000000000427000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1416200780.0000000000437000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1416898556.0000000000457000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_Shiits.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: f289ec4eae441b973c5cf469eb2209b78d92787f90c2f70d8ea77383fdb072af
        • Instruction ID: 81ced8d75bd8cd674d530aa485ef516b0f39a629971cfce93107e9c84bdcedbb
        • Opcode Fuzzy Hash: f289ec4eae441b973c5cf469eb2209b78d92787f90c2f70d8ea77383fdb072af
        • Instruction Fuzzy Hash: 4E912170E04228CBDF28CFA8C8547ADBBB1FB44305F14816ED856BB281D778A986DF45
        Memory Dump Source
        • Source File: 00000000.00000002.1416137763.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1416108436.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1416168892.0000000000408000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1416200780.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1416200780.0000000000418000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1416200780.0000000000427000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1416200780.0000000000437000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1416898556.0000000000457000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_Shiits.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 36b8550c79165f3bd8438b4b7b77fc639822643401bcc62ffa2a7152ccecd571
        • Instruction ID: 6e186065c07e551db02da0b657444ed8a40fac9cbefa0218a87430385e41b7b0
        • Opcode Fuzzy Hash: 36b8550c79165f3bd8438b4b7b77fc639822643401bcc62ffa2a7152ccecd571
        • Instruction Fuzzy Hash: F7814571E04228CFDF24CFA8C8447ADBBB1FB45305F24816AD856BB281C778A996DF45
        Memory Dump Source
        • Source File: 00000000.00000002.1416137763.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1416108436.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1416168892.0000000000408000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1416200780.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1416200780.0000000000418000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1416200780.0000000000427000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1416200780.0000000000437000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1416898556.0000000000457000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_Shiits.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: fd90919654d861d793b9259fd4ddd35531221e69384e43b7f209bc021a7cca94
        • Instruction ID: 1a645af2666a8cd9619cdf871bd9e2c738fb6a6c353dc56c4864b2e7a25bf22b
        • Opcode Fuzzy Hash: fd90919654d861d793b9259fd4ddd35531221e69384e43b7f209bc021a7cca94
        • Instruction Fuzzy Hash: 71816771E04228DBEF28CFA8C8447ADBBB1FB44301F14816AD956BB2C1C7786986DF45
        Memory Dump Source
        • Source File: 00000000.00000002.1416137763.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1416108436.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1416168892.0000000000408000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1416200780.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1416200780.0000000000418000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1416200780.0000000000427000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1416200780.0000000000437000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1416898556.0000000000457000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_Shiits.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 7afd307a57d874939e6d1f07c4a81c11abd2b71d61e18d684fba0f23c35f734a
        • Instruction ID: b0583babc1dad824d13d86abae56a1a356e3ceb45be48e511182641c275db258
        • Opcode Fuzzy Hash: 7afd307a57d874939e6d1f07c4a81c11abd2b71d61e18d684fba0f23c35f734a
        • Instruction Fuzzy Hash: 8C712471E04228CFDF28CFA8C9447ADBBB1FB44305F15806AD856BB281D7386996DF45
        Memory Dump Source
        • Source File: 00000000.00000002.1416137763.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1416108436.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1416168892.0000000000408000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1416200780.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1416200780.0000000000418000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1416200780.0000000000427000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1416200780.0000000000437000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1416898556.0000000000457000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_Shiits.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        Memory Dump Source
        • Source File: 00000000.00000002.1416137763.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1416108436.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1416168892.0000000000408000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1416200780.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1416200780.0000000000418000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1416200780.0000000000427000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1416200780.0000000000437000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1416898556.0000000000457000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_Shiits.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        APIs
        • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,004060F0,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E17
        • lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405E2F
        • CharNextA.USER32(00000000,?,00000000,004060F0,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E40
        • lstrlenA.KERNEL32(00000000,?,00000000,004060F0,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E49
        Memory Dump Source
        • Source File: 00000000.00000002.1416137763.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1416108436.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1416168892.0000000000408000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1416200780.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1416200780.0000000000418000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1416200780.0000000000427000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1416200780.0000000000437000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1416898556.0000000000457000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_Shiits.jbxd
        Similarity
        • API ID: lstrlen$CharNextlstrcmpi
        • String ID:
        • API String ID: 190613189-0